Cops' Killer Bee stings credential-stealing scammer

Fraudster and two alleged accomplices nabbed in joint op


An Interpol-led operation code-named Killer Bee has led to the arrest and conviction of a Nigerian man who was said to have used a remote access trojan (RAT) to reroute financial transactions and steal corporate credentials. Two suspected accomplices were also nabbed.

The trio, aged between 31 and 38, were detained as part of a sting operation involving law enforcement agencies across 11 countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, Philippines, Singapore, Thailand, and Vietnam. 

The suspects were arrested in the Lagos suburb of Ajegunle and in Benin City, Nigeria. At the time of their arrests, all three men were in possession of fake documents, including fraudulent invoices and forged official letters, it is claimed.

Interpol linked the suspects to a syndicate of Nigerian fraudsters using a RAT known as Agent Tesla to access business computers and divert monetary transactions to their own accounts.

While the cops didn't disclose how much money the crooks allegedly stole, we're told the corporations targeted included oil and gas companies in Southeast Asia, the Middle East, and North Africa. One of the scammers, Hendrix Omorume, was charged and convicted of three counts of serious financial fraud, and now faces 12 months behind bars, according to Interpol. The two other men are still on trial.

"Through its global police network and constant monitoring of cyberspace, Interpol had the globally sourced intelligence needed to alert Nigeria to a serious security threat where millions could have been lost without swift police action," the police organization's director of cybercrime Craig Jones said in a statement.

Just last week Interpol and cops in Africa arrested another Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

That year-long initiative, code-named Operation Delilah, also involved international law enforcement and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

Agent Tesla RAT

We're told the Killer Bee operation was also based on intelligence received from Trend Micro about the emergence and usage of Agent Tesla malware.  

The security shop's researchers discovered the spyware being delivered via phishing email to log keystrokes as well as steal credentials from various Windows applications in late 2019. 

The RAT, which first appeared in 2014, uses multiple techniques to evade detection, according to Qualys threat researchers. Once Agent Tesla is deployed, it can perform all sorts of nefarious acts including keylogging, screen capture, form-grabbing, and credential stealing.

"It will also exfiltrate credentials from multiple software programs like Google Chrome, Mozilla Firefox, and Microsoft Outlook — making its potential impact truly catastrophic," Qualys Principal Research Engineer Ghanshyam More wrote in a technical analysis earlier this year. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading

Biting the hand that feeds IT © 1998–2022