IT Security Guru
Beware the Black Axe Gang: Business Email Compromise Campaigns Observed in 2017

by The Gurus
May 18, 2018
in Editor's News

Over the past 12 months, CrowdStrike, the leader in cloud-delivered endpoint protection, has typically observed two different types of Business Email Compromise (BEC) scams: wire transfer attempts, and account compromises that have led to follow-on spam campaigns. In the fraudulent wire transfer cases, the criminals are typically caught either on the initial attempt or on the second attempt, which usually involves a much larger amount than the first.


The wire transfer scams that have been observed follow similar patterns in some cases, even though the companies and personnel targeted have varied.


In many BEC cases, CrowdStrike has observed Office 365 (or Google suite) accounts being compromised because 2FA was not enabled. Once in, the attackers can take over the entire approval chain in Office 365 and then add mailbox rules to monitor email traffic and intercept messages from employees who may be trying to report suspicious activity.
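The mailbox-rule tactic described above leaves a concrete artefact that defenders can audit. The following is an added example, not code from the article or from CrowdStrike: it triages a list of inbox rules for the two patterns that matter here, mail being forwarded outside the organisation and rules that quietly hide messages containing words a reporting employee (or a payment conversation) would use. The rule records and their field names (`forward_to`, `move_to_folder`, `subject_contains` and so on) are constructed for this example and are an assumption; real mail-platform rule exports use their own schema, so the field mapping would need to be adapted.

```python
import re

# Assumed organisation domains; any other recipient domain counts as "external".
INTERNAL_DOMAINS = {"example.com"}

# Folders that post-compromise rules commonly move diverted mail into so the
# owner does not notice (assumption of this example, not from the article).
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Archive", "Junk Email", "Deleted Items"}

# Words an employee would use to report a phish, plus the payment terms the
# article says the actors search for once inside a mailbox.
SUSPICIOUS_TERMS = re.compile(
    r"phish|suspicious|hacked|compromis|password|wire|invoice|payment|bank|swift|iban",
    re.IGNORECASE,
)


def external_targets(addresses):
    """Return the subset of addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def assess_rule(rule):
    """Return a list of findings for one rule; an empty list means nothing stood out."""
    findings = []

    # Pattern 1: mail leaving the organisation via forward/redirect.
    ext = external_targets(rule.get("forward_to", []) + rule.get("redirect_to", []))
    if ext:
        findings.append("forwards or redirects mail outside the organisation: " + ", ".join(ext))

    # Pattern 2: a rule that hides mail AND keys on security/payment vocabulary.
    hides = (rule.get("delete", False)
             or rule.get("mark_as_read", False)
             or rule.get("move_to_folder") in HIDING_FOLDERS)
    conditions = " ".join(rule.get("subject_contains", [])
                          + rule.get("body_contains", [])
                          + rule.get("from_contains", []))
    if hides and SUSPICIOUS_TERMS.search(conditions):
        findings.append("hides messages matching security/payment terms: " + conditions)

    # Attackers often leave the rule unnamed or named with a single character.
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("rule has an empty or single-character name")

    return findings


def triage(rules):
    """Map rule id -> findings for every rule that produced at least one finding."""
    result = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            result[rule["id"]] = findings
    return result


# Constructed sample rules: one benign, three resembling post-takeover rules.
SAMPLE_RULES = [
    {"id": "r1", "name": "Newsletters", "from_contains": ["news@vendor.example"],
     "move_to_folder": "Newsletters"},
    {"id": "r2", "name": ".", "forward_to": ["bookkeeper.zone@mail.example.net"]},
    {"id": "r3", "name": "cleanup", "subject_contains": ["phishing", "suspicious", "hacked"],
     "mark_as_read": True, "move_to_folder": "RSS Subscriptions"},
    {"id": "r4", "name": "Finance", "subject_contains": ["wire", "invoice"], "delete": True},
]

if __name__ == "__main__":
    for rule_id, findings in triage(SAMPLE_RULES).items():
        print(rule_id, findings)
```

Run against a full rule export this flags only rules worth a human look; the benign newsletter rule produces nothing, while the external forward, the "mark as read and bury" rule keyed on phishing vocabulary, and the delete-on-payment-terms rule each surface with a reason. Pair the check with a baseline of each user's rule set so that newly created rules can be reviewed first.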


The tactics of the scammers

In general, the majority of these attacks come from Nigerian IP addresses, the compromised mailboxes are accessed from Nigerian IPs, and the actors are only now starting to use proxies. Although there is no single standard set of BEC tactics, in 2017 CrowdStrike observed numerous BEC campaigns whose tactics mirror these:


  1. A spear-phishing email, often containing a PDF attachment or a link, is sent to a pre-determined individual in the target company. Emails sent to victims appear relatively targeted but are generally very simple. They usually contain links to fake DocuSign or OneDrive login pages, sometimes hidden behind URL shortening services.
  2. Once the PDF is opened in the browser, the browser follows the link contained in the PDF. Otherwise, the links in the emails lead to a phishing site whose URL often carries the email address of the targeted account, so the email address form field can be pre-populated with that value.
  3. In certain cases, after the initial link is visited, a redirect lands on DocuSign-styled pages offering a login via legitimate mail providers such as Office 365. The phishing pages are hosted on what appear to be hacked web servers and contain login forms for victims to enter their email and password.
  4. Browsers are then redirected to the legitimate login pages of the email services, while the credentials entered on the phishing form have already been stolen. The backend code that collects entered credentials is written in PHP; it forwards the entered data by email to an attacker-controlled email account.
  5. The stolen credentials are then used by the criminals to access the victim's mailbox from a remote IP address, in some cases the same IP address used in the initial spear phish.
  6. The compromised account is then used to gain access to additional mailboxes, typically including accounts in the finance and accounting departments. Searches are run for terms such as wire transfer, invoice, payment, CEO, or bank.
  7. An email from one of the compromised addresses is then sent to the company's financial institution requesting a wire transfer, in some cases as high as $1M USD.
  8. Additional emails from hacked accounts are also sent to the financial institution approving the transaction.
  9. Once the payment details are intercepted by the criminals, the account number (or IBAN), name of bank, and SWIFT/BIC codes are changed to a criminally controlled account, typically in Hong Kong or China.
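Steps 5 and 6 of the chain above are the point at which a defender with mailbox audit logging has the most to work with: the first use of the stolen credentials often comes from the same address that delivered the phish, and the next action inside the mailbox is a search for payment vocabulary. The block below is an added example (not from the article or from CrowdStrike) that correlates a reported phish's origin IP with subsequent sign-in and search events across several mailboxes. The audit records are constructed JSON lines with `user`, `op`, `ip` and `detail` fields chosen to resemble a mailbox audit export; that format, the event names, the phish-origin IP and the per-user known-IP baseline are all assumptions of the example.

```python
import json
import re
from collections import defaultdict

# Terms from step 6 of the article's chain; a search for these from an unseen
# address is the signal we want.
PAYMENT_TERMS = re.compile(r"\b(wire transfer|invoice|payment|ceo|bank)\b", re.IGNORECASE)

# Constructed: the sending IP recovered from the reported phish's Received: header.
PHISH_ORIGIN_IPS = {"203.0.113.45"}

# Constructed: each user's known-good sign-in addresses (e.g. office egress).
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.10"},
    "bob@example.com": {"198.51.100.10"},
}

# Constructed audit log: Alice's normal login, then a login from the phish origin,
# two payment-term searches, and the same foreign IP reaching Bob's mailbox.
AUDIT_LOG = """\
{"ts":"2017-09-04T08:02:11Z","user":"alice@example.com","op":"UserLoggedIn","ip":"198.51.100.10","detail":""}
{"ts":"2017-09-04T13:40:02Z","user":"alice@example.com","op":"UserLoggedIn","ip":"203.0.113.45","detail":""}
{"ts":"2017-09-04T13:41:30Z","user":"alice@example.com","op":"SearchQueryInitiated","ip":"203.0.113.45","detail":"wire transfer"}
{"ts":"2017-09-04T13:42:05Z","user":"alice@example.com","op":"SearchQueryInitiated","ip":"203.0.113.45","detail":"invoice payment"}
{"ts":"2017-09-04T13:50:00Z","user":"bob@example.com","op":"UserLoggedIn","ip":"203.0.113.45","detail":""}
{"ts":"2017-09-05T09:00:00Z","user":"bob@example.com","op":"SearchQueryInitiated","ip":"198.51.100.10","detail":"quarterly report"}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events, phish_ips=PHISH_ORIGIN_IPS, known_ips=KNOWN_IPS):
    """Return (ts, user, reason, value) alerts for the post-phish behaviour."""
    alerts = []
    mailboxes_by_ip = defaultdict(set)

    for e in events:
        user, ip, op = e["user"], e["ip"], e["op"]
        foreign = ip not in known_ips.get(user, set())

        if op == "UserLoggedIn" and foreign:
            # Step 5: credentials used from an address we have not seen for this
            # user; the phish-origin address gets the stronger label.
            reason = ("login from phishing-origin IP" if ip in phish_ips
                      else "login from unseen IP")
            alerts.append((e["ts"], user, reason, ip))
            mailboxes_by_ip[ip].add(user)

        elif op == "SearchQueryInitiated" and foreign and PAYMENT_TERMS.search(e["detail"]):
            # Step 6: payment vocabulary searched from the foreign session.
            alerts.append((e["ts"], user, "payment-term search from unseen IP", e["detail"]))

    # Lateral step: one unseen address reaching several mailboxes.
    for ip, users in mailboxes_by_ip.items():
        if len(users) > 1:
            alerts.append(("", ", ".join(sorted(users)),
                           "one unseen IP accessed several mailboxes", ip))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(AUDIT_LOG)):
        print(alert)
```

On the constructed log this yields five alerts: both logins from the phish-origin address, Alice's two payment-term searches, and the note that the same foreign IP touched two mailboxes. Bob's search from his normal address produces nothing. The known-IP baseline is the part that needs real data; without it every sign-in from a travelling user would trip the weaker "unseen IP" rule, which is why the phish-origin match is kept as a separate, higher-confidence reason.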


The Scammers

Nigerian confraternities, most notably Black Axe, have developed into formidable criminal organizations that include cyber components. The Black Axe confraternity maintains a pyramidal command structure at the national level, and also operates Black Axe "Zones" that conduct wire fraud in foreign locations. In mid-2015, police in Toronto, Canada arrested three Nigerian criminals on fraud charges for stealing more than $600,000 USD from a Canadian widow through a romance scam. Police also charged one with the crime "money laundering for a criminal organization" because they identified him as the bookkeeper for Black Axe's Canada zone.


Although the perpetration of Nigerian 419 scams is not as technically advanced as the activity of Russian actors who develop and manage sophisticated banking Trojans, Nigerian BEC scams are just as advanced in terms of their global scale, the amount of money involved, and the advanced money laundering techniques, which include the use of banks in China.


Business email compromise (BEC) has become a massive eCrime challenge; it is a global problem that affects all geographical regions and involves actors conducting fraud on multiple continents. The FBI has estimated that this fraud has resulted in billions of dollars stolen from large and small businesses alike, and CrowdStrike has observed single BEC cases that resulted in losses in the seven figures.


Not simple

Many descriptions, advisories, and press releases on BEC describe it in relatively simple terms, and the basic construct is indeed simple, which makes the success of the scam all the more impressive. However, the different variations of BEC that have been crafted show that, in its various forms, it is actually a complex series of movements and events that require a multifunctional criminal team. When BEC scams are combined with, or conducted in conjunction with, romance scams, money mule recruitment, and complex money-laundering operations, they present an enormous challenge to law enforcement, businesses, cyber security firms, and even individuals.

© 2015 - 2024 IT Security Guru - Website Managed by Dessol