Online scammers may be perceived as devious masterminds who fool the unwary out of their money – but a former FBI analyst whose job is to play business email compromise (BEC) actors at their own game has found they can be surprisingly gullible themselves.
Crane Hassold spent more than a decade working as a behavioral analyst for the federal government in the US, during which he helped to pioneer the psychological model he uses to catch out BEC crooks in his role as director of threat intelligence at Abnormal Security.
When it comes to turning the tables on these cybercriminals – who specialize in using email messages to conjure up elaborate hoaxes that dupe workers into sending them large sums of company money – he essentially uses much the same tactics as his adversaries do.
“For BEC to be successful, they have to socially engineer someone, to persuade them to change their direct deposit account, send a wire transfer, buy gift cards, or what have you,” Hassold explains. “My team has built a tool set that takes the attacks we observe trying to impact our customers and builds an environment.”
This environment, as he puts it, consists of about 250 fake online personas that Hassold and his team coupled with the threat actor’s email address and original message to begin a dialog with the BEC actors trying to steal money from client companies.
About three-quarters of the ensuing communications can be automated and therefore mass-produced, the aim being to build up a vast portfolio of data on digital conmen – including details of the bank accounts and shell companies they use, email addresses, and even in some cases telephone numbers and real names.
This is then passed to law enforcement bodies, banks, and any other interested parties who might benefit from knowing more about where the next BEC attack is coming from. This year so far, Hassold and his team have run more than 28,000 “defense engagements” with BEC threat actors, collecting 11,000 mule accounts used by scammers to funnel money from their fraud schemes.
He also says it is fascinatingly easy to keep them dancing to their own tune. “Our success rate for this is about 60% to 65% – remarkable given the fact that they never emailed us to begin with,” he says. “We're not actually responding to an email, we're sending them something that looks like a response [to the initial phishing attack deployed by a scammer].”
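The data-collection side of the engagements described above, as an added example that is not Abnormal Security's tooling: a small Python parser that scans the replies a BEC actor sends during a defensive engagement, pulls out the bank-account and shell-company details he volunteers, checks the routing number's ABA check digit (weighted sum with repeating weights 3, 7, 1 must be divisible by 10), and de-duplicates accounts that turn up across several engagements so a single record can be handed to a bank or law-enforcement contact. The message text, engagement ids, the "Bank:/Account Number:/Routing Number:/Beneficiary:" layout the regex assumes, and every account and routing value are constructed for this example.

```python
"""Collect mule-account indicators from BEC engagement transcripts.

Added example, not Abnormal Security's code. All engagement ids,
messages, bank names and account/routing numbers below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed replies from two separate engagements with the same actor.
# eng-002 repeats the first account from eng-001, so it should collapse
# into one record that lists both engagements.
ENGAGEMENTS = {
    "eng-001": [
        "Please update the beneficiary. Bank: First Example Bank, "
        "Account Number: 123456789, Routing Number: 123456780, "
        "Beneficiary: Acme Logistics Holdings LLC.",
        "The title-four hold should be cleared now, please retry the wire.",
        "Use this one instead: Bank: Example Credit Union, "
        "Account Number: 987654321, Routing Number: 123456789, "
        "Beneficiary: Northwind Consulting Group LLC.",
    ],
    "eng-002": [
        "Kindly send to Bank: First Example Bank, Account Number: 123456789, "
        "Routing Number: 123456780, Beneficiary: Acme Logistics Holdings LLC.",
    ],
}

# Assumed layout of the payment details the actor sends (an assumption of
# this example; real engagements need per-template parsing).
ACCOUNT_RE = re.compile(
    r"Bank:\s*(?P<bank>[^,]+),\s*"
    r"Account Number:\s*(?P<account>\d{6,17}),\s*"
    r"Routing Number:\s*(?P<routing>\d{9}),\s*"
    r"Beneficiary:\s*(?P<beneficiary>[^.]+)\."
)


@dataclass
class MuleAccount:
    """One de-duplicated account plus the engagements it appeared in."""
    bank: str
    routing: str
    account: str
    beneficiary: str
    routing_checksum_ok: bool
    engagements: list = field(default_factory=list)


def routing_checksum_ok(routing: str) -> bool:
    """ABA routing-number check: sum(digit * weight) % 10 == 0 with
    weights 3,7,1 repeating. A failure suggests a typo or an invented
    number, which is worth flagging before passing the record on."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def extract_accounts(messages):
    """Yield every account block found in a list of message bodies."""
    for text in messages:
        for match in ACCOUNT_RE.finditer(text):
            yield match.groupdict()


def collect_mule_accounts(engagements):
    """Merge accounts across engagements, keyed on (routing, account)."""
    seen = {}
    for eng_id, messages in engagements.items():
        for rec in extract_accounts(messages):
            key = (rec["routing"], rec["account"])
            entry = seen.setdefault(key, MuleAccount(
                bank=rec["bank"].strip(),
                routing=rec["routing"],
                account=rec["account"],
                beneficiary=rec["beneficiary"].strip(),
                routing_checksum_ok=routing_checksum_ok(rec["routing"]),
            ))
            if eng_id not in entry.engagements:
                entry.engagements.append(eng_id)
    return list(seen.values())


def report_lines(accounts):
    """Render one line per account for a bank or law-enforcement handoff."""
    lines = []
    for acct in accounts:
        flag = "" if acct.routing_checksum_ok else " [routing fails ABA checksum]"
        lines.append(
            f"{acct.bank} | routing {acct.routing} | account {acct.account} | "
            f"{acct.beneficiary} | seen in {', '.join(acct.engagements)}{flag}"
        )
    return lines


if __name__ == "__main__":
    for line in report_lines(collect_mule_accounts(ENGAGEMENTS)):
        print(line)
```

Keying on the (routing, account) pair rather than on the beneficiary name is deliberate: actors reuse the same mule account under different shell-company names, and it is the account, not the name, that a bank can act on.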
Set a thief to catch a thief
One recent example Hassold shows me consists of an engagement that played out over a fortnight, during which more than 100 emails were exchanged, and details of 22 mule accounts captured. Even more remarkably, threat actors handed over what are thought to be the real names of mules associated with shell companies used to launder fraudulent money. No money was acquired by the conmen during this series of exchanges.
“One of the challenging things, as these engagements go on, is that you have to keep coming up with unique excuses about why the payments aren't working,” says Hassold. “We have a pretty good cache of initial responses – but doing this for two weeks, in this case, I came up with fake hold numbers, legal statutes, and error messages. At one point I told him that there was a ‘title-four hold’ on the account, which doesn't exist. And he came back, which was hilarious, and said: ‘Oh yeah, title-four hold, that must mean that the account is having tax issues.’ He just made that up because I made it up!”
This sounds like a classic case of setting a thief to catch a thief, using the scammers’ own duplicitous tactics against them, an assessment Hassold agrees with.
“What's interesting is essentially the same principles that scammers use to con their victims are the exact same principles that we're using to collect this intelligence from them,” he confirms. “Because scammers are human too, and they are susceptible to the same psychological exploitations that they use on their victims.”
So just as a greedy potential investor can be caught out by a too-good-to-be-true cryptocurrency ‘opportunity,’ the crooks themselves can be manipulated by their desire to profit and fear of missing out. “The reason why this works is because of the weight of the financial motivation behind these attacks,” Hassold says. “That essentially overrides any red flags that may come up during this process.”
This psychological hook keeps the BEC actors coming back, divulging more information about themselves. Faked PDF documents of outgoing payment notifications are also used by the Abnormal Security team to make their lure more convincing, and sometimes second bogus personas are introduced to maintain the illusion of a legitimate company ‘escalating’ the situation.
The information Hassold has gleaned about cybercriminals over the years is no less fascinating than the means by which he acquires it. Many of the threat actors have been compromised themselves – not by a hacking attack, but by the circumstances of their birth.
One case Hassold investigated last year began as the standard series of email exchanges but progressed to a conversation on Telegram, with a BEC actor sidelining as a ransomware operator looking to hire underlings to conduct cyberattacks. Posing as an interested potential ‘employee,’ Hassold was able to find out much more about the man behind the mask.
“We spun up a Telegram persona, and learned not only what he was looking for, we got him to send me his LinkedIn profile,” he recalls. “He was Nigerian, and we published a blog post about it, and it got picked up in a couple of other places, and I guess he read it.”
What comes next is surprising. Rather than avoiding Hassold and his team like the cyber-plague, the Nigerian scammer-turned-ransomware operator reached back out to him on Telegram and agreed to grant him an audio interview.
“From there, it gets you that conversation, more about understanding his motivation and background,” says Hassold. “And you get the same thing I've heard from a couple of dozen of these guys that I've talked to in Nigeria: he's doing it to provide for himself and his family, and there's really no other way to make money, which is something that you hear all the time. There are people that run scams that have Master’s degrees or PhDs – but there are no employment opportunities, and this type of scamming is seen as an acceptable way of making a living.”
Explained but not excused
It isn’t the first time I’ve heard this either. Earlier this year, I interviewed two white-hat hackers or pen-testers, and both confirmed that for many people living outside the West with some computing or hacking ability, cybercrime is probably the most viable way to make a living. Given that to be the case, does Hassold feel conflicted about what he does?
“It is conflicting,” he admits. “Just from a purely human perspective, I understand that line of thinking – if I was in their shoes, I might be doing the same thing. Because if you can't get a job anywhere else… we're now in the second generation of people who have run scams, starting out with the Nigerian prince scams in the ‘90s that are still around today. I can certainly see their viewpoint.”
“But on the other hand, looking at the overall financial impact, especially when you get to individually targeted scams like romance scams – once you understand what happens to those victims, my pity on many of these guys goes away. The psychological damage that is done is irreversible in some cases. It's massively damaging.”
With the mention of romance scams, the story takes another unexpected twist – most if not all such cons have a non-denomination-specific but clearly religious aspect to them, Hassold says.
“One of the things that I've noticed is religion is a big part of the victim profiles there,” he explains. “The templates that a lot of these romance scammers use have a lot of religious innuendo in them.”
Does he think this is because the victims themselves are more likely to be religious, or do the scammers pretend to have strong faith to allay suspicion? “Both,” he says. “When you think of things like romance scams and the messaging that they send out to potential targets, they'll always say that they're a God-fearing person, that their faith is extremely important, things like that. You would assume that the people they are reaching out to feel something very similar.”
Why exactly this is, Hassold doesn’t know – and he isn’t aware of any in-depth research that has been done on it. “I also don't know if religion does end up being an actual pillar of victim demographics,” he adds. “And it certainly doesn't look like it is any one religion over another, it is just the common trait of being religious.”
Different countries, different playbooks
Another observable trend is that different regions tend to give rise to different types of cybercrime – with ransomware gangs more likely to originate in Russia or Eastern Europe, and West Africa, and Nigeria in particular, generating more BEC threat actors. And while ransomware gangs might rely on a certain amount of technical know-how and infiltration to break down a target company, BEC fraudsters tend to use psychology-based social engineering techniques to accomplish their objectives.
The operational structure also differs, with cybergangs engaged in ransomware-as-a-service likely to operate a more rigid group structure, as opposed to the looser, more sporadic collectives favored by BEC cybercriminals.
“Ransomware is highly centralized, where you have a relatively small population of actors responsible for a majority of activity and a pretty strict hierarchy,” he explains. “BEC scamming is on the complete opposite side, where it's very decentralized – there really is no head of the snake, in many circumstances it's just individuals sharing information and running their own scams. They may collaborate at some point, but they go their own ways. They're not groups in the sense that they are a collection of people working together over an extended period of time.”
This does not mean BEC cybercriminals are disorganized: every job is highly specialized, with each actor playing a specific part in an operation. “There are different roles that these guys have,” says Hassold. “You have the spammers who are sending out emails, the loaders who are running romance-scam victims as mules to receive fraudulent funds, and then you have another that sends the money overseas. You have people whose job it is to identify leads or potential targets: they go on to legitimate commercial services – that sales and marketing teams all over the world use – to identify potential BEC targets.”
Just a drop in the ocean?
I put it to Hassold that while his former employer, the FBI, might be making more efforts to extradite cybercriminals so they can face trial on US soil, given the sheer number of threat actors out there, it is surely a losing battle.
“I think that law enforcement, both in the US and internationally, are probably doing as good a job as they can when it comes to BEC,” he says, but agrees: “It's not a problem we're going to be able to arrest our way out of – you could arrest hundreds if not thousands and you're barely going to make a dent in the scamming landscape. There are just so many of them involved.”
On the other hand, if the authorities were to target mule-account operators, this might effectively constitute cutting off that elusive snake’s head. “The problem is all about volume,” he says. “Mule accounts are so important – if we can minimize the effective lifespan of those, that essentially allows us to create a choke point in the BEC financial supply chain. Because again, these are so heavily financially motivated, if we can cut that off, then you might be able to impact this at a much greater scale.”
Once again, it all boils down to the underlying motivation behind BEC attacks – unlike their cyber-partisan equivalents in, say, Russia, scammers from poorer countries are driven purely by need or greed.
“There are certainly a lot that are doing this for a ton of money, a flash lifestyle,” Hassold says. “But the vast majority aren't that. They may be making $10,000 [per attack], which is a massive amount of money for these guys – when you see the average salary in places like Nigeria is $500 a month, it's an absolute goldmine.”