News: 1717680609

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Uncle Sam seeks to claw back $5M+ stolen from trade union through spoofed email

(2024/06/06)


The US Justice Department is seeking permission to recover more than $5 million worth of funds stolen from a trade union by business email compromise (BEC) scammers.

An unnamed group of cyber scumbags defrauded an unidentified union in Dorchester, Massachusetts, out of $6.4 million – $5.3 million of which has been traced to seven bank accounts in China, Singapore, Hong Kong, and Nigeria.

The money held in six JPMorgan Chase accounts and one Texas Bank and Trust account is currently seized and the civil forfeiture action filed on Wednesday aims to provide the legal power to recover the stolen funds.

[1]

At the heart of the scam is the trade union, its investment manager who worked for an investment consulting firm in the state, and an unknown perpetrator, according to the [2]complaint [PDF].

[3]

[4]

The union and its investment manager regularly exchanged email communications, with the latter also regularly making wire transfers on behalf of the union.

On or around January 27, 2023, the BEC scam was launched. The crims behind it spoofed the investment manager's email address – the domain was almost identical to their genuine address but for a single character.

[5]

Discussing a legitimate, previously arranged payment of $6.4 million, the spoofed email was convincing enough for the union to transfer funds to a bank account specified in the email. That bank account was found to be under the control of the scammers, not the investment manager.

The brains of the scam, be it an individual or group, recruited money mules to help them carry out the fraud and launder the proceeds through various offshore accounts.

It's not known if these mules were aware of the full context behind the scam, but we do know they received a string of messages via Google Chat and WhatsApp in or around September 2022 promising a "gift" for them being held in a European bank account.

[6]

These messages were seemingly enough to convince the mules that complying with the BEC scammer's instructions would genuinely yield a handsome payout.

They were tasked with taking out seven US bank accounts between which various sums were transferred. Prosecutors say many of these transactions appeared to have no purpose and bore the hallmarks of attempts to conceal the source of funds, before they were transferred to offshore accounts.

"This money movement displays the hallmarks of intent to conceal or disguise the source of funds: the account holder did not know the source of the funds, was being directed by the unknown perpetrator, and moved the funds rapidly between multiple accounts, with no discernible purpose," the complaint reads.

[7]Best Buy and Geek Squad were most impersonated orgs by scammers in 2023

[8]Europol op shutters 12 scam call centers and cuffs 21 suspected fraudsters

[9]US charges 16 over 'depraved' grandparent scams

[10]Fraudsters abused Apple Stores' third-party pickup policy to phish for profits

"For instance, on January 30, 2023, in a single day, $5 million moved from [account number one] to [account number two]; then back to [account number one]; and then back to [account number two]. And then later that day, $1 million moved from [account number two] to [account number one], and the next day, $3.9 million moved from [account number two] to [account number one].

"These rapid movements did not appear to have any legitimate business purpose, and reflect an intent to conceal the nature, location, source, ownership, and control of the fraud proceeds."

One of the mules, who opened the first two accounts that were initially used to receive the full $6.4 million payment, was told to keep $100,000 after completing the transfers requested by the scammers.

While it was still a hefty sum, it was a far cry from the $17 million they were promised before the scam unraveled.

The Justice Department said [11]BEC scams are rife across the country and estimated daily losses to this brand of cybercrime alone at $8 million.

Recent [12]figures from the FBI peg the yearly losses Stateside at $2.9 billion, with criminals often moving stolen funds to cryptocurrency exchanges before foul play is detected, increasing their chances of making off with the full amount.

Fortunately, in the case of the trade union, the activity was spotted quickly enough to seize the majority of the stolen funds even after they were transferred to offshore accounts. Some were moved into crypto, however. ®

Get our [13]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZmHdIZ2gE7zTFWOywMkd3wAAAEs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://www.justice.gov/opa/media/1354461/dl?inline

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZmHdIZ2gE7zTFWOywMkd3wAAAEs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZmHdIZ2gE7zTFWOywMkd3wAAAEs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZmHdIZ2gE7zTFWOywMkd3wAAAEs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZmHdIZ2gE7zTFWOywMkd3wAAAEs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/05/24/ftc_scam_report/

[8] https://www.theregister.com/2024/05/03/operation_pandora_europol/

[9] https://www.theregister.com/2024/05/01/us_charges_16_grandparent_scammers/

[10] https://www.theregister.com/2024/04/18/blackhat_apple_korea/

[11] https://www.theregister.com/2024/05/22/health_care_and_romance_frauds/

[12] https://www.theregister.com/2024/03/19/crypto_scams_cost/

[13] https://whitepapers.theregister.com/



Email differed by one character

DS999

This is a problem that could be easily fixed in email clients. If you get an email from a 'new' address, make sure that fact is highlighted. That way you can't be fooled by someone trying to spoof via a similar address, even unicode based attacks where another version of an 'a' that looks identical couldn't pass that by.

So if the person responsible for wire transfers an email that was highlighted in yellow so they knew it was from a new address, they would have immediately known it was a scam. Failing to accept that email address would result in subsequent emails being highlighted in red (substitute your own colors or method of making sure the fact the email address is not already known to the client)

There are obviously ways to fully spoof email addresses, though thankfully that has been getting more and more difficult to accomplish due to various measures taken in mail servers over the past decade or two (SPF, DMARC, etc.) Now clients need to start addressing gaps on their end.

Even the average person could benefit from this, if they see one of those spam emails telling you that your Amazon Prime renewal could not be processed and you need to update your payment methods they would have the potential to consider the possibility of it being a scam since it would show up as a new email address rather than being from one of the Amazon addresses you'd already approved.

Email address can be spoofed :o

t245t

> The crims behind it spoofed the investment manager's email address – the domain was almost identical to their genuine address but for a single character.

If only there was a way of digitally signing email addresses, that came as default in the email transport system.

Just for some context...

Marty McFly

In 2022-2023 the federal government spent $6.134 Trillion. This $5 million 'claw back' represents 26 seconds of federal government spending.

So other than a news article to detract us from the real issues, this recovered money is the total sum of nothing in the big picture.

Hors d'oeuvres -- a ham sandwich cut into forty pieces.
-- Jack Benny