Operation WireWire – ACH Fraud Takedown

Posted by rp on June 12, 2018 in News

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (DOJ.gov)

Business Email Compromise (BEC) is a type of scam targeting companies who conduct wire transfers and have suppliers abroad.  Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro)

I’ve seen recent comments in the media about how this DOJ crackdown wouldn’t put a big dent, or really wouldn’t have an impact given the breadth of fraud associated with Business E-mail Compromise, or BEC. I’d imagine those people are looking at aggregate totals from the mile high, not the full scale of the damage to small businesses in our country. Companies have gone out of business, and schools have been attacked by these perpetrators. I can’t say I agree or support the position that it’s just another arrest to glaze like picking off a few credit card skimmers.

The economies of scale with traditional Credit Card Fraud vs. Business E-mail Compromise are of no direct comparison, given who they impact and the average losses. This issue has never been about mitigating an impact on consumers as the criminals have always been focused on attacking small to medium-sized businesses. It’s typically the commercial accounts that vulnerable to this kind of wire transfer fraud anyways, unlike consumer credit cards with the built-in fraud protection of randomly generated numbers, and a Visa or Mastercard logo. In these cases, the wires are facilitated directly from account number being compromised.

Criminals obviously have a lot more to gain from raiding the digital coffers of businesses handling millions in revenue, given that the average consumer credit card limit hovers around a measly $8,000. The average per-incident loss for a successful BEC scam is around $130,000, in comparison robbing a bank rakes in you an average $3,800. The losses for traditional credit card fraud reported per incidence are much lower, for example in 2014 the median loss was $300. The average reported loss was $1,343. If you ask somebody crushed by these low numbers with high volume fraud occurrence, I can see how it wouldn’t make a dent. The reality, however, is that many BEC scams can net over a million dollars from a single source, something that’s impossible with those who live in a world of old-fashioned CC fraud. This isn’t like that time somebody bought a $100 pair of sneakers using my debit card.

Not sure if this is a problem yet? Just ask Google, and Facebook, who were both victims in part of a 100+ million dollar scam perpetrated almost entirely by a single individual in Lithuania. There are Nigerian men who have stolen almost 4 million in a short time. If you really want to know, ask Leoni AG who lost 44 million in a single scam just a few years back. Are these extreme examples of BEC? No, as many go over a million in losses in just a single incident, but almost always hundreds of thousands. The collateral damage from ripping off employees social security numbers could take a long time to remediate. I don’t need to know the exact figures on the median, or average losses to make the connection that attackers with minimal sophistication are pulling it off for huge piles of cash. BEC scammers have operated mostly with impunity before this crackdown effort by the DOJ. If they haven’t, how could the losses possibly add up the 3 billion dollars? They’ve been able to lock up a few here and there, but nothing like the 71 people from this sweep.

Any Law Enforcement action is welcomed as it’s still protecting companies from scams, and sending a clear message to the criminals abroad, if your activity trends upwards so will the effort to capture you. Not to mention the hands of justice are orienting themselves with how to efficiently take down these networks, opening the door for streamlined enforcement for this type of crime. The DOJ is doing a good job, and I don’t see it as a dog and pony show to drag these scammers out in front of the world. It’s about justice, and showing people in other countries that the internet may be like free plane tickets to communicate overseas, but you can still get arrested where that connection lands just like you could in an airport. You’ve got to get started sometime and today works well for tomorrow’s potential victims. I think people who work on the ground in Cyber Security know that this day is long overdue, and it’s to be celebrated not shrugged off as a waste of time. I’d never say that, who in my industry would?

The same this ‘doesn’t make a difference’ logic applied to the distribution of illegal narcotics seems unlikely to be popular: If the DEA were to arrest 50 heroin dealers in Massachusetts, are those actions futile because others will simply step in and take over? Is it not worthwhile because they didn’t make any arrests in Mexico? No. We have the worst drug problem in the entire country. It’s saving lives today and sending a message to bosses, and the mules who might consider becoming involved in future criminal activity. Let’s not turn the war on fraud into the war on drugs. Great work out there folks!


Recent News:

Washinton Post – It’s time to stop laughing at Nigerian scammers — because they’re stealing billions of dollars

Boston Herald – Phishing theft of $93G at clean energy agency went unreported for months

Telstra – A silent cybercrime blitzkrieg as Aussie businesses robbed of millions

IC3 – 2017 Internet Crime Report featuring Business E-mail Compromise

Tags: , , , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Copyright © 2018 INFOSTRUCTION All rights reserved.

7 visitors online now
3 guests, 4 bots, 0 members
Max visitors today: 10 at 07:37 am UTC
This month: 17 at 06-08-2018 10:23 am UTC
This year: 139 at 05-31-2018 10:11 am UTC
All time: 139 at 05-31-2018 10:11 am UTC