Thursday, August 11, 2022

Three UK-based Nigerian BEC Scammers Used Construction Intelligence Service to Target Victims

 On 10AUG2022 three Nigerians were extradited from the UK to the US to face charges related to their roles in conducting Business Email Compromise (BEC) attacks against a number of US-based businesses.

43-year old Oludayo Kolawole John Adeagbo, 40-year old Donald Ikenna Echeazu, and 42-year old Olabanji Egbinola were brought to North Carolina to face their charges, although some of their crimes were also charged in Texas and their victims are across the United States and the world. 

The three were linked together by exchanging data related to construction companies who were involved in multi-million dollar building projects, and whose emails they were able to acquire through phishing attacks against targets they had purchased from a commercial intelligence service intended to be used by potential sub-contractors. 

BECs through Look-alike Domains

Victim A notified the FBI that someone was spoofing Victim B, by sending emails from the address "accounts@lucasconstruct.com." (The real company, Lucas Construction, in League City, Texas, uses the domain "lucasconst.com".)  In one email, a victim received an appropriate form that their company used for updating banking information.  The email sender was clearly familiar with their processes, as the email said: 

Please find attached our completed ACH form and a copy of a voided check as requested. Kindly let us know once updated. 

After processing the change of banking information, Victim A sent the next construction payment of $525,282.39 to a SunTrust bank account rather than to Lucas Construction!

Victim C, a community college in the Houston, Texas area, had a similar experience, resulting in sending $1,995,168.64 to a PNC Bank account controlled by criminals after receiving a similar request to update their records from "accounts@tellepsengroup.com."  The real domain (Victim D) should have been tellepsen.com, a four-generation, family-owned construction and concrete company in Houston.

Victim E, a county government in Texas, sent $888,009.40 to a JPMorgan Chase account after being asked to update the banking records via an email from "accounts@dwcontractorsgroup.com." 

All three of those domains were registered at NameCheap by "Daniel Roberts," who used three different email addresses for the domains: danielroberts604@mail.com, danielroberts605@mail.com, and danielroberts606@mail.com.  Additional domains, including TellepsenGroup.com, D1construct.com, and SouthWoodBuilding.com, were also created by the criminal -- close imitations of the real domains tellepsen.com, d1construction.com, and southwoodbuilders.com. These domains were used to target additional victims with BEC attempts via bank record "update" requests.

The Texas FBI investigators learned that danielroberts604 was also linked to an investigation being led by FBI Charlotte, North Carolina, where he had used the domain rodgersbuildersinc.com to do a similar scam, as well as another Texas scam using the domain leelewisusa.com to steal funds from a school system in Dallas, Texas. 

North Carolina was able to add another victim to the case - Appalachian State University, from which ADEAGBO and ECHEAZU were able to steal $1,959,925.02 using a similar methodology.  The two recruited a money mule in Los Angeles, California, Ho Shin Lee, who agreed to register a company "Royce Hub Trading" and open a JPMorgan Chase bank account in the same name. The funds were stolen by imitating North Carolina-based "Rodgers Builders," sending emails from "accounts@rodgersbuildersinc.com" to change the banking information.  (The real company uses the domain rodgersbuilders.com.)
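A defensive check for the look-alike pattern described above, as an added example that is not part of the original post: it compares a sender's domain with a list of real vendor domains and flags near matches. The function names, the 0.75 threshold, the "ap@" and "billing@" addresses and the single-label-TLD assumption are choices made for this sketch.

```python
from difflib import SequenceMatcher

# Real vendor domains named in the post; an accounts-payable team would
# maintain its own list of domains that are allowed to request bank changes.
VENDOR_DOMAINS = ["lucasconst.com", "tellepsen.com", "d1construction.com",
                  "southwoodbuilders.com", "rodgersbuilders.com"]

def registrable(host):
    """Last two labels of a host name, lower-cased.
    Assumes a single-label TLD such as .com; production code would
    consult the Public Suffix List instead."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def similarity(a, b):
    """Similarity of two strings in [0, 1] (difflib's ratio)."""
    return SequenceMatcher(None, a, b).ratio()

def check_sender(address, vendors=VENDOR_DOMAINS, threshold=0.75):
    """Classify an e-mail address against the vendor list.
    Returns (verdict, vendor): 'known', 'lookalike' or 'unrelated'."""
    domain = registrable(address.rsplit("@", 1)[-1])
    if domain in vendors:
        return ("known", domain)
    name = domain.split(".")[0]
    hits = []
    for vendor in vendors:
        vendor_name = vendor.split(".")[0]
        score = similarity(name, vendor_name)
        # Containment catches "vendor + group/inc/ruct" additions and the same
        # name under another TLD; the ratio catches truncations and swaps.
        if vendor_name in name or score >= threshold:
            hits.append((score, vendor))
    if hits:
        return ("lookalike", max(hits)[1])
    return ("unrelated", None)

def triage(addresses):
    """Return only the addresses that imitate a vendor, with the vendor hit."""
    results = [(a, *check_sender(a)) for a in addresses]
    return [(a, vendor) for a, verdict, vendor in results if verdict == "lookalike"]

if __name__ == "__main__":
    # Constructed sample: sender domains quoted in the post plus two controls.
    sample = ["accounts@lucasconstruct.com", "accounts@tellepsengroup.com",
              "accounts@rodgersbuildersinc.com", "ap@d1construct.com",
              "billing@lucasconst.com", "someone@example.org"]
    for address, vendor in triage(sample):
        print(f"HOLD bank-change request: {address} imitates {vendor}")
```

A hit is a reason to hold the banking change and confirm it through a contact already on file, not through anything in the email itself.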

Construction Market Data

The scammers had subscribed to a service operated by Construction Market Data (CMD), which provided contact information related to "hundreds of thousands" of commercial and civil construction projects. 

CMDGroup.com 

CMD allows a contractor to request a list of new projects being built in their area and provides contact details for decision makers who may want to hire various specialty sub-contractors and who have recently been awarded large contracts.  Although it is not specified in the court documents, it is likely that the scammers sent phishing emails to construction companies listed as being involved in multi-million dollar projects. For those targets where they were able to begin monitoring the victim's email messages, they then created look-alike domains and watched for opportunities to introduce themselves into a mail stream from one of their "look-alike domains."  This monitoring may be accomplished by planting malware, but is often accomplished by adding "email forwarding rules" to the victim's account, which send financially relevant emails back to the criminal.

CMD provided data to the FBI, indicating that the relevant records had been requested by one John Edwards who listed both a US and UK address: 

  • 1270 Hasen Hurst Drive, Apt 12, West Hollywood, CA 90046
  • 14 College Gardens, London, GB e47ALG

and who used the email JohnEdwards79@yahoo.co.uk.  The associated telephone number +44 797.335.9482 belonged to ADEAGBO.  JohnEdwards79 was actually an alias to the email account OludayoAdeagbo@yahoo.co.uk. 

Adeagbo was found to possess three passports: a Nigerian and a British passport in his true name, listing the birthday 06APR1979, and a second UK passport in the name "John Edwards" b. Nigeria on 06APR1979.

Prior to his involvement in BEC, the BBC reported that ADEAGBO was part of a car-theft ring that used stolen identities to allow them to drive off in Jaguars, Mercedes, BMWs and Porsches. Calling themselves "the iPod Crew," Adeagbo's car theft ring stole 70 luxury automobiles worth $1.8 million over a ten-month period in 2001.  Adeagbo told the BBC in 2004 that he served a 2.5 year prison sentence during which he "found God" and that he was "trading crime for Christianity."

JohnEdwards and DanielRoberts were both found to have used the same IP addresses to access a variety of online accounts which all provided IP history to the FBI, including Apple, Yahoo, LocalBitcoins.com, and Namecheap. OludayoAdeagbo@yahoo.co.uk also had bank statements in true name for his Santander bank accounts. 

The Coinbase account for JohnEdwards79 was actually confirmed to a different person: Donald Echeazu, who used the email diecheazu@yahoo.co.uk and phone 7837887959.  Although Coinbase had two photos on file for JohnEdwards which were consistent with Adeagbo, the third photo matched the UK Passport of ECHEAZU.

Homeland Security Investigations (HSI) and Customs and Border Patrol (CBP) learned more when they searched the phone of another co-conspirator as he entered the country.  In that phone, he chatted with ADEAGBO's known UK telephone number, labeled "John Dayo" in his contacts, about bank accounts which he was providing. ADEAGBO instructed him to open up a JPMorgan Chase account in order to receive funds.  They discussed a bank transfer where they had expected to receive 12 Million (currency unspecified) but were only able to take 8 million.

Photos that were shared in the account, showing ADEAGBO in a Porsche, were found to match a car that he was driving when he was ticketed in London (a black Porsche.) 

Another chat in the phone showed a Bank of America account (#32508061285) in the name "Oludayo Kolawole John Adeagdo" using the address 1270 Havenhurst dr Apt 12, West Hollywood, CA 90046. 

The Bank of America account had been used to pay $4,510 in several payments in order to receive business information for individuals in North American construction companies from the aforementioned CMD. 

Olabanji Egbinola

The final party in the group of extradited scammers, Olabanji Oladotun Egbinola, was tripped up in exactly the same way.  Having likely received construction data from the same source (CMD), Olabanji used the email address "accounts@kjellstromleegroup.com" to imitate the real Richmond, Virginia-based company Kjellstrom and Lee.  Using the name "Rachel Moore" Olabanji interacted with the University's Treasury department acting as if a payment was missed and then providing new bank details to fix the problem.  As a result they wired the next construction payment of $469,819.49 to the new bank account at the Bank of Hope. 

The bogus domain was registered at NameCheap by "bridgetclark," who also registered more than 50 other domains with NameCheap, each "deceptively similar to the Internet domain names associated with legitimate construction companies." Because "bridgetclark" was using a TOR-based cryptocurrency wallet to obscure his true location, the FBI pursued a Rule 41(b)(6)(A) search warrant.  Rule 41(b) allows a search warrant to be issued from any US jurisdiction if the location of the target has been obscured using technology and to use technology to seize data from such a targeted computer.  In the FBI's case, this is referred to as a NIT, or a Network Investigative Technique. After receiving the court's authority, the FBI sent a NIT-laden email message to accounts@kjellstromleegroup.com, which was used to determine the account was being operated from a computer at the IP address 86.191.189.88, a British Telecom IP in the UK. BT was then able to provide UK law enforcement with the subscriber identification of that IP address and it was found that subscriber Samiat Egbinola in Essex shared the residence with OLABANJI OLADOTUN EGBINOLA.

Egbinola had been previously arrested in 2008 for money laundering in the UK and had previously traveled to Los Angeles, California, when he used the email address aegbinola@gmail.com for his point of contact going through customs. A review of the email account, which had been active since 2008, showed that he was in regular communications with the scammers listed above on their yahoo.co.uk addresses. 



Monday, August 01, 2022

Please stop calling all Crypto Scams "Pig Butchering!"

 Lately there has been a media-driven craze in the fraud community to call every crypto-investment scam "Pig Butchering."  I hope you will join me in canceling that term after you read this article.

The term "Pig Butchering" comes from the Chinese term 杀猪盘 (Shā zhū pán or "butchering plate.") While the term has been used in Chinese media since at least 2018, it really became famous after the courageous actions of a human trafficking victim who was caught up in the game.

Hao Zhendong (郝振东) was recently divorced and had lost custody of his daughter as he was facing personal financial challenges and could not care for her.  During his time of desperation, he received a message from his uncle.  The uncle told him that he should come to Myanmar and join him at his work.  He claimed that Zhendong would be able to easily earn 60,000 to 70,000 yuan per month. 

Image from "Talking to Strangers" interview 

Late in 2020, Zhendong traveled to the Yunnan province of China where he paid smugglers to help him cross into Myanmar.  After traveling with them for several days, he was forced to march through the jungle and up a steep hill for six hours.  When he arrived, he found he was in a work camp.  In his words, he says he realized he had "fallen into a wolf pit." The work camp was an industrial park where various call center employees worked scams.

The northern region of Myanmar has four special zones, including "Wa State." So many Chinese people have moved to Wa State that Chinese is actually one of the official languages.  The corrupt local government, having no natural resources, opened their arms wide and welcomed criminal enterprises, which they call "foreign investors" to set up call centers. Under local law in Wa State, Myanmar, telecommunications fraud is not a crime. So many scammers have moved to the region that the government has even "rented" entire schools to be used as scam call centers.  The Myanmar government estimates that there are 140,000 Chinese living in the region, and that most of them are engaged in telecommunications fraud.  Similar to other forms of human trafficking, the men are only allowed to leave if they pay back the "investment" that their controllers have made in them.  The fee to leave ranges from 50,000 to 120,000 depending on how long you have worked. If you can't pay the fee after three months, you have six months added to your stay, with armed guards preventing you from leaving the work camp.  Many do go back to China, and enough go back with money for houses, cars, and a wife, that others are tempted into following in their footsteps.

Zhendong says that he often considered attempting to flee, but northern Myanmar is an "extrajudicial land" and Chinese people are regularly kidnapped and killed there with no consequence to their attackers.  One man who attempted to flee was forcibly returned to the camp, with the fingers on one hand amputated. 

In the work camp where Zhendong was enslaved, there were three buildings.  Two were dormitories and the call center was housed in the "Science and Technology Building." Each team was assigned to different topics.  Some worked lottery scams, others foreign currency exchange scams, naked chat / extortion scams, pornography scams, etc.  But Zhendong was assigned to a "pig-killing gang."

He was provided a manual which described his role.  His job was to target victims on the Internet and use emotions to convince them to invest their entire net worth in illegal online gambling.  His job as a "recruiter" for these scams was referred to in the manual as a "dog pusher" (“狗推” Gǒu tuī.)

He was provided three mobile phones and three "love story" script books.  His job was to find wealthy single or divorced women on social networks, and add at least two to his chat each day and build a romantic relationship with them online.  Once they were suitably "hooked" into his romance, he was supposed to turn them over to his team leader, who had 30-40 "dog pushers" under him to "kill." If the victim provided more than a million dollars, there was a celebration and the dog pusher was rewarded extravagantly. 

While he was learning the role, "the company" became very excited about a successful scam that one of the other dog pushers had accomplished.  He had convinced a young woman in Shanghai to invest her entire life savings - 2.92 million yuan - and when she realized she had been scammed, she committed suicide by jumping off a roof.  Another woman was convinced to sell her car and her house in order to invest more.  While the company thought these were great examples to emulate, Zhendong's spirit died.  He realized that he had to try to do something about this. 

On one point, his uncle had been telling the truth.  The company used cash bonuses as incentives, and each month they would spread millions of yuan on the table and pay out bonuses.  Some made the equivalent of hundreds of thousands of dollars in bonuses.  But Zhendong couldn't do it. 

He began sneaking up on the roof, using a stolen phone, and messaging his victims - explaining to them that he was enslaved and being forced to scam them.  Because he was failing to earn, his controllers were becoming very angry with him and his life was actually in danger. 

A potential victim, Yang Yu, changed things for him.  When he called Yang Yu to warn him, Yang Yu asked him "How can I help you get home?" In order to protect Zhendong, Yang Yu passed him money that he could give to his controllers as proof that he was working. Then Zhendong stole a list of victims from the company and urged Yang Yu to take it to the police. 

In February 2021, she took a list of 18 victims to the Anti-Fraud Center of Nanchang Public Security Bureau. 

Tao Jiangjiang, the leader of an Electronic Fraud task force who helped Zhendong get home

Tao Jiangjiang began to communicate with Zhendong and a rescue mission was arranged through the Yunnan police, working with an informant in Myanmar.  Despite being advised not to take any risks by Tao Jiangjiang, Zhendong felt that he could not leave empty-handed.  He worked to observe the password his Pig Killer boss used to log in to the company server and late one night logged in and wrote down as many names as he could.  When he arrived back in China, he had a list of 105 additional victims with him who were contacted and assisted by the Chinese police. 

There was a dramatic event at the China-Myanmar Nansha Port when Zhendong recognized a man from the company chasing after him.  When armed Chinese police took custody of Zhendong, the company man backed off. After this, Zhendong did many media interviews, some alongside the Electronic Fraud police, which helped to popularize the term "Pig Butchering." 

While there are definitely "Dog Pushers" and "Pig Killers" who are targeting the Chinese expatriate community, unless your scammer is speaking Chinese from a call center in Myanmar, you may be a fraud victim, but you are not a victim of "Pig Butchering."



The main sources for this story were the Chinese versions of Zhendong's misadventure, especially these two: 

荐见 | 反水、救赎、卧底:逃出缅北“杀猪盘”

(Rebellion, redemption, and undercover work: escape from the "pig killing" center in northern Myanmar - an article by “荐见美学” ) 

and

误入杀猪盘团伙后,他偷出了105名受害者名单丨和陌生人说话

("After accidentally entering the pig killing gang, he stole a list of 105 victims" in the TenCent column, "Talking to Strangers" - if you speak Chinese there is a great interview here!)