The Nigerian Police Force, in partnership with Interpol and Group-IB, has arrested three men suspected of being part of a cybercriminal gang that specialized in business-email-compromise scams.
Interpol tracked the activities of the TMT gang as part of Operation Falcon, a year-long investigation. Group-IB became involved in the operation as part of Project Gateway, an Interpol initiative which allows private partners to cooperate with Interpol and directly share threat data. Interpol's Cybercrime and Financial Crime units assisted the Nigerian Police Force, who made the actual arrests.
TMT is believed to have compromised at least 500,000 government and private sector companies in more than 150 countries, according to Group-IB.
TMT deploys mass phishing campaigns and relies on a range of around 26 publicly available spyware and remote access trojans to carry out its attacks. Malware in its arsenal includes AgentTesla, Loki, AzoRult, Pony, NetWire, Spartan, NanoCore, and Remcos RATs, Interpol said.
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” Interpol said.
The TMT group specializes in business email compromise (BEC) scams, where attackers pose as someone the victim knows to trick them into initiating money transfers or otherwise revealing confidential information. The suspects sent out fraudulent purchase orders and product inquiries as part of mass emailing campaigns designed to distribute popular malware variants. The gang also impersonated legitimate companies offering COVID-19 aid, Group-IB investigators said.
Group-IB researchers said the gang used well-known email marketing software such as Gammadyne Mailer and Turbo-Mailer to send out the phishing emails and used marketing platform MailChimp to track whether the recipient opened the message.
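As an added defender-side illustration (not code from the article, Interpol or Group-IB), the checks below score a raw email for the traits described above: a familiar display name sent from an unexpected domain, a Reply-To that diverts answers elsewhere, purchase-order or COVID-19 lure wording, and an executable attachment. The sample message, the address domains and the KNOWN_SENDERS mapping are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample in the style of the lures described above; all addresses are hypothetical.
SAMPLE = """From: "Acme Procurement" <orders@acme-example-lookalike.com>
Reply-To: billing@unrelated-domain.example
Subject: Purchase Order PO-4471 - please confirm bank details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached purchase order and update our remittance account.
--b1
Content-Type: application/octet-stream; name="PO-4471.exe"
Content-Disposition: attachment; filename="PO-4471.exe"

MZ
--b1--
"""

# Display names the organisation expects, mapped to the domain they legitimately mail from (hypothetical).
KNOWN_SENDERS = {"acme procurement": "acme.example"}
LURE_PHRASES = ("purchase order", "product inquiry", "covid-19", "bank details", "remittance")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".img")


def bec_indicators(raw: str) -> list[str]:
    # Return the BEC/phishing indicators found in one raw RFC 5322 message.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and from_domain != expected:  # known name, wrong sending domain
        findings.append(f"display-name impersonation: '{name}' sent from {from_domain}, expected {expected}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:  # replies are diverted to another domain
        findings.append(f"reply-to domain mismatch: {reply_domain} != {from_domain}")
    body_part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body_part.get_content() if body_part else "")).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    for part in msg.iter_attachments():  # only parts flagged as attachments are examined
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            findings.append(f"executable attachment: {filename}")
    return findings
```

Running `bec_indicators(SAMPLE)` yields four findings for the constructed message; a plain message from an unknown sender with no attachment yields none.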
Some 50,000 victims have been identified so far around the world, including in the United States, the United Kingdom, Singapore, Japan, and Nigeria. The gang is split into subgroups, and a number of its members are still at large.
“This group was running a well-established criminal business model,” said Craig Jones, Interpol’s cybercrime director. “From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits.”
BEC scams typically involve a fair amount of reconnaissance work beforehand, as attackers identify executives to impersonate and study their communication patterns. Attackers also investigate third-party relationships in order to understand the vendors the organization typically works with. The attackers are interested in everything, from vendor names to how the organization handles the billing system, in order to mount a convincing attack.
BEC scams are quite lucrative. The Anti-Phishing Working Group estimated the average wire-transfer loss from BEC attacks in the second quarter of 2020 was about $80,000. Nigeria and West Africa remain the top hotspots for BEC gangs, but a large Russian BEC gang called Cosmic Lynx has been responsible for more than 200 BEC campaigns against victims in 46 countries.
The FBI’s Internet Crime Complaint Center recorded 24,000 complaints, totalling $1.7 billion in losses, from BEC scams in 2019, and the true number of incidents is likely much higher, since the IC3 figure reflects only the complaints it received.