Suspected phishing email crime boss cuffed in Nigeria
Interpol, cops swoop with intel from cybersecurity bods
Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.
His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.
The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.
According to the organizations involved, Op Delilah, which began in May 2021, is another success story coming out of Interpol's Cyber Fusion Center, a public-private initiative between law enforcement and industry analysts based in Singapore.
However, the arrest also follows a stark warning from the FBI earlier this month about BEC, which the bureau said remains the most costly threat facing organizations globally. Organizations and individuals spent at least $43.3 billion between June 2016 and December 2022 because of email scams.
BEC "continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions," the FBI warned, adding that between July 2019 and December 2021, it tracked a 65 percent increase in identified global exposed losses, with victims in 177 countries.
In this particular case, the suspected fraudster fled Nigeria in 2021 when law enforcement initially tried to apprehend him. In March 2022, he attempted to return to Nigeria, where he was identified and detained due to the intelligence-gathering partnership.
Interpol's African Joint Operation against Cybercrime (AFJOC) referred the intelligence to Nigerian police, who were supported by law enforcement in Australia, Canada, and the US. Ultimately Nigerian cops arrested the suspect at Murtala Mohammed International Airport in Lagos.
"The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and Interpol's private sector partners in combating cybercrime," Garba Baba Umar, assistant inspector general of the Nigeria Police Force, said in a statement this week.
The security companies involved in the operation tracked the alleged Nigerian BEC crew under the name SilverTerrier, or TMT, and Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of these suspected gang members.
- Interpol: We can't arrest our way out of cybercrime
- FBI: Cyber-scams cost victims $6.9b-plus worldwide in 2021
- It's 2022 and there are still malware-laden PDFs in emails exploiting bugs from 2017
- Twitter's top security staff out after incoming CEO shakes things up
Delilah was preceded by Interpol-led Falcon I and Falcon II, carried out in 2020 and 2021, which resulted in the arrest of 14 members of the crime syndicate. Unit 42 and Group-IB, among other security analysts, supported the earlier operations as well as the most recent one.
Group-IB has been tracking TMT since 2019. By 2020, the miscreants were thought to have compromised more than 500,000 companies in over 150 countries, we're told.
According to Interpol, one of the suspects arrested during Falcon II in Nigeria was in possession of more than 50,000 potential victim domain credentials on his laptop. Unit 42 researchers, meanwhile, claimed the 37-year-old Nigerian who was arrested as part of Delilah has been an active criminal since 2015.
"We have identified over 240 domains that were registered using this actor's aliases," the security analysts at Palo Alto Networks wrote in a blog. "Of that number, over 50 were used to provide command and control for malware. Most notably, this actor falsely provided a street address in New York city associated with a major financial institution when registering his malicious domains."
He has a claimed preference for ISRStealer, Pony, and LokiBot malware, they noted. And, judging from a social-media photo of the alleged perp on the Unit 42 blog, he also favors big gold, blingy jewelry.
The suspect is well-connected with other BEC criminals, it is claimed, and also apparently shares social media connections with a trio arrested in 2021 as part of Falcon II, according to the security researchers. ®