Sunday, August 18, 2019

Lauded Nigerian Entrepreneur may be a BEC Yahoo Boy


Obinwanne Okeke: The Entrepreneur

Obinwanne Okeke, 31 year old CEO and Founder of Invictus Group, is frequently lauded as a success story.  At age 28, Forbes Africa featured him in their June 2016 issue under the title "Africa's Most Promising Entrepreneurs: Forbes Africa's 30 Under 30 for 2016".

Although the 30 are "in no particular order", Obinwanne was one of the two selected to appear on the cover of that month's Forbes Africa:

The Forbes profile described Okeke like this:
Okeke could not fail his mother. A promise meant hard work and dreaming big.  He was raised in Ukpor village, 790 kilometers from Nigeria’s capital, Abuja, as the 17th child of a polygamous father. He went to boarding school aged 10, lost his father at 16 and moved from one relative to another. He named his company Invictus after one of Nelson Mandela’s favorite a poems, by William Ernest Henley, about the undefeated and unconquerable soul of a hard worker, from an impoverished background, who will not give up.
Invictus is in construction, agriculture, oil and gas, telecoms and real estate. He has 28 permanent and 100 part-time employees across nine companies.
He was also selected to speak at the Lagos TEDx Yaba conference, where his topic was "DNA of the Nigerian Entrepreneur ... The Resilience Needed" (photo from his company website - invictus.com.ng): 

Invictus.com.ng

Obinwanne also was featured on Forbes' "YoungMoney" ... and the BBC's "Rising Star" ...

Full interview at BBC Africa's Facebook page
The BBC interview gave some of Obi's background.  He says that he started an IT company at age 16 while still in the village, printing business cards and making websites.  With this money he bought the finest bicycle in the village. Later, he was accepted to study at Monash University, where he studied International Business and Counter-Terrorism.  He says that he was fascinated with Criminology, which is interesting in hindsight.

Obinwanne Okeke: The BEC Criminal / Yahoo Boy


According to court records available on PACER, Okeke was arrested in Dulles, Virginia on August 6, 2019.  Let's just walk through the Criminal Complaint that was used to justify the arrest warrant:

Okeke was charged with Conspiracy to Commit Computer Fraud and Wire Fraud. (18 USC section 1030 and 1349.)  

In June 2018, Unatrac Holding Limited, the export sales office for Caterpillar heavy industrial and farm equipment, headquartered in the UK, contacted the FBI, reporting that Unatrac ad been scammed out of $11 Million USD.  Unatrac's Chief Financial Officer fell for a phishing email that contained a login link to a fake Microsoft Office365 website.  When the CFO entered his userid and password, it was sent to the criminals.  Between April 6 and April 20, 2018, the CFO's account was logged into from IP addresses mostly in Nigeria on 464 different occasions.

One key behavior of recent BEC scams was also present in this one.  On seven different occasions, someone modified Outlook Office365 rules to intercept legitimate emails to and from employees on the financial teams, mark them as "read" and move them to another folder outside the in box.  The complaint says "These rules appeared to have been created in an attempt to hide from the CFO any responses from the individuals to whom the intruder was sending fabricated emails."

With full access to the CFO's accounts, the intruders stole invoices, invoice templates, and logos, and used them to create fraudulent invoices, sent from external addresses to the CFO, and then forwarded "by the CFO" to the financial team for payment.  One such example email was received on April 19, 2018 from pakfei.trade@gmail.com.  The email was forwarded two minutes later to the finance team with instructions to pay.

From April 11 through April 19th, they paid 15 fraudulent payments, included three invoices for "Pak Fei Trade Limited" in the amounts of $278,270.66, $898,461.17, and $1,957,100.00.  Altogether, $11 million USD was sent out of the company.

Documents related to the CFO's travel schedule and the companies tax filings were also stolen, forwarded to the email address "iconoclast1960@gmail.com."  WHOIS queries run by the FBI indicated that the email address was used to create fraudulent "clones" of real companies websites.  One example they give is of "emmarlndustries.com" -- where the "I" in Industries is actually a lowercase "L".  The real company is a domain owned by ASM International Trading in Dubai.  Other domains, not mentioned in the affidavit, but also registered by this address, include "hmlsho-group.com" and "western-chem.net" and ".com".

Search warrants for the email addresses of iconoclast1960 revealed additional frauds, including a $108,470.55 payment received by the Red Wing Shoe Company in Minnesota.  They were victimized in a very similar way.  More than 600 additional phished userids and passwords were recovered in the gmail, along with photos of passports and driver's licenses.  

Chats between iconoclast1960 and others dating from December 2017 to November 2018 reveal the scammer interacting with people who are making his phishing sites for him, including a Docusign phishing site.  The iconoclast1960 email account also sent and received emails containing phishing kits, such as one called "microsoft.zip" where the file "verify.php" contained code to email stolen credentials to a redacted email address.

The iconoclast1960 gmail account used a recovery email address of "alibabaobi@gmail.com".  This address shared a login session cookie with several additional accounts, including "obinwannem@gmail.com".  This means that the person who logged in to Gmail as "alibabaobi" had also logged in to Gmail, from the same computer, using the Gmail account "obinwannem".  

The Obinwannem gmail account also belongs to the Nairaland.com user "InvictusObi" and to the Twitter user "@invictusobi."  The Twitter page provides repeated links to an Instagram account for InvictusObi as well.  Both the Twitter and Instagram page provide many proofs that these accounts belong to Obinwanne Okeke, the CEO of Invictus Group.

Gmail, Twitter, and Instagram all log the IP addresses from which users access their accounts.  When Okeke posted on Instagram that he was visiting Seychelles, Google's logs showed that iconoclast1960@gmail was logging in from 197.157.125.89, in Seychelles.  When Okeke was posting on Instagram that he was visiting London on April 20, 2018, the iconoclast1960@gmail account was logging in from 167.98.28.227.  When Okeke said he was visiting the United States, specifically Washington, DC, the iconoclast1960@gmail account was logging in from 68.33.78.173, a ComCast IP address in Washington, DC.

For further evidence, Okeke posted information that he had been hospitalized following a recovery from surgery.  The FBI agents searched the Google chat logs for Iconoclast1960 and found that he was mentioning in the chats "ive been in hospital. im back in nigeria but still resting.


The FBI agent also found multiple instances where the iconoclast1960 gmail account forwarded emails with attachments to the invictusobi@icloud.com account.  Search warrants were also conducted for that account, as well as obinwannem@gmail and alibabaobi@gmail.

Searches through older FBI case files show additional previous frauds conducted in the same manner using the same email addresses, dating all the way back to 2015.  

The FBI agent ended his affidavit by showing that Obinwanne Okeke has a Nigerian Passport A50254005 and uses a Visa for entry to the United States "once or twice a year."  He was currently in the country, scheduled to depart on August 6, 2019.  

Presumably that is how they knew where to find him at Dulles Airport in Virginia to arrest him as he attempted to leave the country.  That must have been a nice collar for the FBI agent who had spent all that time investigating to be able to pick him up in person!




Tuesday, July 23, 2019

FinCEN: BEC far worse than previously believed

Last week FinCEN, the Financial Crimes Enforcement Network, put out a new advisory with information about Business Email Compromise and it is far worse than has been previously disclosed.
FinCEN Advisory: FIN-2019-A005

The FBI's Internet Crimes Complaint Center (IC3.gov) has previously called BEC a $12 Billion Scam.  As we shared in April in our post IC3.gov: BEC Compromises and Romance Fraud 2018, IC3.gov documented that during calendar 2018 $1.2 Billion was stolen from 19,140 companies just in the United States.  That averages out to $3.3 Million being stolen each day with 52 U.S.-based businesses falling victim each day.  But the IC3.gov reports are based on actual reports received from victims who fill out a Complaint Form on the IC3.gov website. We strongly encourage victims to report at IC3.gov, as it offers the ability to provide many additional investigative details.

Victims are STRONGLY encouraged to report at IC3.gov! 
The FinCEN approach was able to use a different intelligence source to gather their numbers and what they found was far worse than what the FBI has reported.  From October 2013 until May 2018, the FBI's IC3.gov gathered reports of $12 Billion in fraud, from all sources, both domestically and internationally.   FinCEN's previous BEC advisory shared that from 2013 to 2016, FinCEN had identified 22,000 cases of Business E-mail Compromise and E-mail Account Compromise with $3.1 billion in losses, or roughly $1 Billion per year.  The September 6, 2016 advisory was "Advisory to Financial Institutions on E-Mail Compromise Fraud Schemes [FIN-2016-A003]".  FinCEN's current advisory states that the new information is complementary to the 2016 advisory, and that the 2016 advisory contains many important details that will still be helpful to consumers and business account holders alike.

United States Businesses and Consumers have suffered $9 Billion in BEC Fraud Attempts since September 2016!
By comparison, FinCEN reports that  JUST SINCE September 2016 they have been able to document 32,000 cases of attempted theft via BEC fraud schemes totaling $9 Billion in theft attempts.  The rate of loss has increased by three-fold!  $9 Billion since September 2016 is approximately $8.7 MILLION DOLLARS PER DAY!!!

Some of the current top trends include:

Top Sectors Targeted in BEC:

1. Manufacturing and construction (25% of all cases)
2. Commercial services (18% of all cases)
3. Real Estate (16% of all cases)

The impersonation of top executives is still a major method of social engineering in these email attacks.  50% of attacks use an email claiming to be a CEO or President of the company.

Other Top Targets by Value in BEC: 
1. Governments - many governments have been targeted, especially small municipal government offices.  Targets often include pension funds, payroll accounts, and contracted services (which may be matters of public record.)  Vendor impersonation in the latter case is especially prevalent.

2. Educational Institutions - Just in 2016 - 160 incidents attempted to steal $50 million from educational institutions, and while in 2017, only 2% of attacks were against schools, the dollar value was far higher than average.  Tuition payments, endowments, grants, and renovation and construction costs are all high value transactions often conducted online.  Again, watch for vendor impersonation! Large-scale construction and renovation projects are often publicly announced, attracting scammers to the same projects.

3. Financial Institutions - while not a high percentage by sector, the attempted theft against FIs themselves often includes very high dollar values.  These often come in the form of SWIFT payment requests (used in international wire transfers.)

The First Hop is Domestic
While previous advisories mentioned that money is often sent overseas, it is important to understand that the INITIAL transfer of funds will likely stay domestic.  A person recruited as a money mule will often have opened the intermediary account in their own name or the name of a fraudulent business they have created for the purpose.  AFTER the first hop, the money still is likely to quickly move to China, Hong Kong, the United Kingdom, Mexico, or Turkey.  Often these money mules are recruited through Romance Scams, however others join willingly knowing they are going to earn a commission helping to launder money for criminals.  This quick "wire in - wire out" is referred to in the criminal world as "wire-wire jobs" and is the inspiration of the FBI and USSS's "Operation: Wire Wire" that we blogged about in a series of articles in June of 2018:
One other blog post of ours that "walks through" a case, end-to-end, including the mule's role:
Vulnerable Business Processes Compromised
FinCEN states that "BEC perpetrators identify processes vulnerable to compromise, whether through openly available information about their targets or through cyber-enabled reconnaissance efforts (enabled through methods such as spear phishing or malware), and then insert themselves into communications by impersonating a critical player in a business relationship or transaction."

These scams are enabled by "weaknesses in the victim's authorization and authentication protocols." 

The most common type of scam simply involves a request to change the payment destination of an already approved transaction.  If your business would allow someone to change where a six- or seven-figure payment is being sent on the strength of a single email, you are far more likely to be chosen as a victim than someone who requires rigorous vetting of such a change.

Opportunities for Information Sharing Related to BEC Fraud
The USA PATRIOT Act provides the ability for financial institutions to share information with one another to stop money laundering.  These requests are known as 314(b) requests and are specifically protected forms of information sharing.  (Fun fact: Did you know USA PATRIOT is an acronym?  "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.")  Click the image below to download the FinCEN 314(b) Fact Sheet.

https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf

WHAT SHOULD WE SHARE?

If you are asked to wire funds or change a payment destination or otherwise gain information about a BEC Scam, FinCEN shares particular information about what details would be most helpful to law enforcement: 

Transaction details: 
1) Dates and amounts of suspicious transactions; 
2) Sender’s identifying information, account number, and financial institution; 
3) Beneficiary’s identifying information, account number, and financial institution; and 
4) Correspondent and intermediary financial institutions’ information, if applicable. 

Scheme details: 
1) Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps; 
2) Description and timing of suspicious email communications and any involved compromised or impersonated parties; and 
3) Description of related cyber-events and use (or compromise) of particular technology in the conduct of the fraud. For example, financial institutions should consider including any of the following information or evidence related to the email compromise fraud: 
  • a) Email auto-forwarding 
  • b) Inbox sweep rules or sorting rules set up in victim email accounts 
  • c) A malware attack 
  • d) The authentication protocol that was compromised (i.e., single-factor or multi-factor, one-step or multi-step, etc.)
For those who have the ability to file a SAR (a Suspicious Activity Report), FinCEN also requests that you choose SAR Field 42 (Cyber Event) for all of these scams, but then mark the scam with the key terms either "BEC FRAUD" or "EAC FRAUD" to differentiate between business victims and personal account victims.  Here is their guidance on both terms:

Email Compromise Fraud: Schemes in which 1) criminals compromise the email accounts of victims to send fraudulent payment instructions to financial institutions or other business associates in order to misappropriate funds or value; or in which 2) criminals compromise the email accounts of victims to effect fraudulent transmission of data that can be used to conduct financial fraud. The main types of email compromise, the definitions of which have been modified to reflect the expansion of victims being targeted, include: 

Business Email Compromise (BEC): Targets accounts of financial institutions or customers of financial institutions that are operational entities, including commercial, non-profit, nongovernmental, or government entities. 

Email Account Compromise (EAC): Targets personal email accounts belonging to an individual.


Saturday, June 29, 2019

TrickBot: New Injects, New Host


What’s in the Name: Call it IcedID or TrickBot? Tell that to a security researcher (Arsh Arora in this case) and watch them RANT

(Gar-note: today's blog post is a guest blog from malware analyst, Arsh Arora...) 

Today’s post starts with an interesting link from Dawid Golak's Medium post: “IcedID aka# Bokbot Analysis with Ghidra” which mentions that IcedID is dropping TrickBot. Although the article is about IcedID, it gets confusing quickly, because the researcher focused on finding artifacts for IcedID instead finds TrickBot artifacts. A big question for the security industry still remain is to how to classify the malware from the originator or the binary that is being dropped. We followed up on the sample he mentioned and saw the same thing.  This is definitely Trickbot.

First Stage – Sample Collection from Virus Total Intelligence

In the "AnyRun Analysis" linked to by Dawid, the TrickBot binary was downloaded from “54.36.218[.]96 (slash) tin[.]exe



Fig 1: TrickBot Sample

Second Stage – Sample Execution

After the execution in a virtual environment, I was able to see TrickBot behavior similar to what we have documented in the past in our post "Trickbot's New Magic Trick: Sending Spam":

A large number of config files and dlls were loaded into the Roaming/netcache/Data, a  unique behavior of the TrickBot binary.

Fig 2: Configs and Dlls Loaded

Third Stage – Open Firefox and visit different Bank website

It is often the case that to get any banking trojan to co-operate with the researcher, some initiation from the researcher side is needed. Due to past experience, I have learned that one needs to open up a browser and visit different bank websites to activate the banking trojan. The trojan resists until instigated by visits to these pages. I visited close to 20 different bank websites and was able to obtain injects from 7 of those bank websites. The injects and admin login panels of the websites are as follows.

Name of  Bank
Admin Login Panel
IP
Location
Bank of
America
https://aefaldnessliverhearted[.]com/load/
185.242.6.245
AS9009, Prague
Chase
https://aefaldnessliverhearted[.]com/load/
185.242.6.245
AS9009, Prague
Citi
https://remirollerros[.]com/legr/
109.234.37.246
AS48282, RU
Usaa
https://onlylocaltrade[.]com/lob.php
185.87.187.198
AS48635,NL
WellsFargo
https://wellsfargostrade.com/2wells2
185.36.189.143
AS50673, NL
PNC
https://wellsfargostrade[.]com/pncadmin/index.php
185.36.189.143
AS50673, NL
53 Bank
https://wellsfargostrade[.]com/53repadmin2
185.36.189.143
AS50673, NL

When infected, viewing the source code while visiting one of the banks is all that is needed to identify the data exfiltration destination.  Some examples follow from this infection run:

BankofAmerica

Fig 3: BoA Web Inject

Chase

Fig 4: Chase Web Inject

Fig 5: BoA and Chase Admin Panel

Citi

Fig 6: Citi Web Inject

Fig 7: Citi Login Panel

USAA


Fig 8: USAA Web Inject

WellsFargo

Fig 9: WellsFargo Web Inject

Fig 10: WellsFargo Admin Panel

PNC

Fig 11: PNC Web Inject

Fig 12: PNC Admin Panel

53 Bank

Fig 13: 53 Bank Web Inject

Fig 14: 53 Bank Admin Panel


For more details please contact Arsh Arora (ararora at uab.edu) or Gary Warner (gar at uab.edu) at UAB. Please note:  Arsh is defending his PhD this summer and looking for new opportunities.