24 June 2019 – Email scammers are just like any other small businesses: they need leads, and commercial lead-generation services – the same kind many salespeople use – are providing them. Email scams targeting businesses, usually referred to as business email compromise scams, can seem unsophisticated. They typically take the form of fake invoices or emails from executives asking for money transfers. But like any other kind of enterprise, they care a lot about finding new clients — or, in their case, victims.
Background: I have written extensively on how criminal groups operate like corporations, from their help wanted ads to their customer support hotlines. Email fraudsters became known as “Nigerian scammers” in the early days of the web, when people around the world started to receive messages from bogus Nigerian princes seeking cash assistance. But the name is apt — the major groups actually do operate out of West Africa, and particularly Nigeria.
And they have become more sophisticated. Crowdstrike, one of my cyber security partners, has profiled almost every West African group involved in email scams and every one uses lead-generation sites. I have a rather detailed report but in summary:
- There are close to 1,000 different lead-generation firms these group access.
- The sites offer users customizable searches for targets. For example, you could look up chief financial officers for tech companies of a certain size and revenue in California, get the name of their assistants and in many cases a complete organizational chart of a company.
- The groups that Crowdstrike has tracked sign up for free trials under a series of email accounts using the well-known “Gmail dot” trick (you’ll find a nice summary of how that works by clicking here) although many groups just outright purchase a $1,500 yearly subscription to these services last year. One notorious group, called “London Blue”, had several subscriptions and were able to download 70,000 leads within 6 months. My Chief Technology Officer and I set up a penetration testing company a few years ago and we access these services all the time to show clients how vulnerable they are.
- NOTE: penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. It is an enormous business.
By using these networks, and by using automated software, these groups can craft and refine a single spear-phishing email that would work against a wide variety of similar executives just by substituting different company names and small details. It’s more efficient than the older method of target acquisition – scraping lists of names from websites – but it still takes time to work. I worked with Crowdstrike as we tracked one group and it took 21 days after a scammer downloaded the name of a Crowdstrike client (a high-level marketing executive) before a phishing email arrived, directed to his assistant.
And in most cases once the scammers get a name from a lead-generation service, they don’t seem to do much further research on the individuals or companies. If they cast a wide enough net to find someone who takes the bait, they don’t need to.
And if you are asking “Well, how about the lead generation companies? Do they know what is going on?” I am not going to say too much because I need to keep my security sources anonymous to protect my information-gathering operation. But suffice it to say a quick look around the industry shows these services don’t use upfront screening policies that would thwart scammers. And even a firm that did have screening policies in place appeared unaware of the scammer problem and was screening mostly to prevent spam.
The bottom line: according to the latest FBI report (issued in May), business email compromises reported to the FBI cost firms more than $1.2 billion in the United States alone in 2018, double the proceeds of 2017. Most of them are fake invoices that are then routed through company accounting departments … and are paid.
