Researchers trick 'CEO' email scammer into giving up identity


Dell SecureWorks is encouraging businesses to use these tips to fight back

Businesses targeted in email scams don’t always have to play the victim. They can actually fight back.

Researchers at Dell SecureWorks have documented how they identified a suspected email scammer from Nigeria by essentially playing along with the scheme to fool the attacker into revealing his true whereabouts.

Anyone can use these tips, said Joe Stewart, director of malware research at SecureWorks. “We’re letting them (the scammers) give us all the information about themselves,” he said.

The email scheme SecureWorks dealt with involved a fraudster impersonating a CEO in what’s called a business email spoofing attack. The goal is often to trick a victim into wiring funds to the scammer’s bank account.

Although a business can train its employees to learn how to spot these suspicious emails, that won’t necessarily stop the attack, especially since it’s easy for anyone to continually bombard a victim with emails, SecureWorks said.

Instead, a business’ IT security staff can actually fight back and disrupt the scammer’s operations. They can do this by first replying to an email scam and pretending to act like a gullible victim.

This was how SecureWorks managed to eventually identify an email scammer from Nigeria who targeted a U.S. technology company back in November. SecureWorks was brought in to investigate and decided to fool the fraudster into thinking his scheme had worked.

The scammer had tried to trick the U.S. technology firm into wiring funds to a bank account by impersonating its CEO. SecureWorks pretended to comply, which caused the scammer to turn greedy.

“He started asking for $18,000,” said James Bettke, a SecureWorks researcher. “And then after that, he said, ‘Oh that’s a typo. It’s a $118,000.’”

[Screenshot: one of the emails sent by the scammer. Credit: SecureWorks]

To try to identify the scammer, SecureWorks decided to email back a PDF-based receipt indicating the wire transfer had been completed. In reality, the receipt was a decoy that, when clicked on, sent off the recipient’s IP address and other web browser information.

The researchers found that their scammer was using an internet service provider in Lagos, Nigeria and was viewing the receipt on an iPhone.

SecureWorks continued to play a gullible victim by claiming the wire transfer had failed. That forced the scammer to hand over details of other bank accounts. The researchers then took that information and notified the responsible bank that these accounts were being used for fraud, which got them shut down.

To find out more about the scammer, the researchers sent another decoy receipt of a wire transfer that forced the recipient to enter a legitimate mobile phone number to view the form.

The scammer fell for the ruse. Using Facebook, the researchers found that the entered phone number was tied to a user named “Seun,” which the researchers believe is a real account.

“We know who he is,” Stewart said. “We could report him to the EFCC (The Economic and Financial Crimes Commission in Nigeria). But he didn’t get away with any money.”

So instead, SecureWorks is publicizing information about the fraudster’s scams, including the email addresses he used.


“If anybody has actually lost money to him, then they can approach law enforcement,” Stewart said. “That would be our best case scenario.”

