The fraudsters behind the often laughable Nigerian prince email scams have long since branched out into far more serious and lucrative forms of fraud, including account takeovers, phishing, dating scams, and malware deployment. Combating such a multifarious menace can seem daunting, and it calls for concerted efforts to tackle the problem from many different angles. This post examines the work of a large, private group of volunteers dedicated to doing just that.
According to the most recent statistics from the FBI‘s Internet Crime Complaint Center, the most costly form of cybercrime stems from a complex type of fraud known as the “Business Email Compromise” or BEC scam. A typical BEC scam involves phony e-mails in which the attacker spoofs a message from an executive at a company or a real estate escrow firm and tricks someone into wiring funds to the fraudsters.
The FBI says BEC scams netted thieves more than $12 billion between 2013 and 2018. However, BEC scams succeed thanks to help from a variety of seemingly unrelated types of online fraud — most especially dating scams. I recently interviewed Ronnie Tokazowski, a reverse engineer at New York City-based security firm Flashpoint and something of an expert on BEC fraud.
Tokazowski is an expert on the subject thanks to his founding in 2015 of the BEC Mailing List, a private discussion group comprising more than 530 experts from a cross section of security firms, Internet and email providers and law enforcement agents that is dedicated to making life more difficult for scammers who perpetrate these schemes.
Earlier this month, Tokazowski was given the JD Falk award by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) for his efforts in building and growing the BEC List (loyal readers here may recognize the M3AAWG name: KrebsOnSecurity received a different award from M3AAWG in 2014). M3AAWG presents its JD Falk Award annually to recognize “a project that helps protect the internet and embodies a spirit of volunteerism and community building.”
Here are some snippets from our conversation:
Brian Krebs (BK): You were given the award by M3AAWG in part for your role in starting the BEC mailing list, but more importantly for the list’s subsequent growth and impact on the BEC problem as a whole. Talk about why and how that got started and evolved.
Ronnie Tokazowski (RT): The why is that there’s a lot of money being lost to this type of fraud. If you just look at the financial losses across cybercrime — including ransomware, banking trojans and everything else — BEC is number one. Something like 63 percent of fraud losses reported to the FBI are related to it.
When we started the list around Christmas of 2015, it was just myself and one FBI agent. When we had our first conference in May 2016, there were about 20 people attending to try to figure out how to tackle all of the individual pieces of this type of fraud.
Fast forward to today, and the group now has about 530 people, we’ve now held three conferences, and collectively the group has directly or indirectly contributed to over 100 arrests for people involved in BEC scams.
BK: What did you discover as the group began to coalesce?
RT: As we started getting more and more people involved, we realized BEC was much broader than just phishing emails. These guys actually maintain vast networks of money mules, technical and logistical infrastructure, as well as tons of romance scam accounts that they have to maintain over time.
BK: I want to ask you more about the romance scam aspect of BEC fraud in just a moment, because that’s one of the most fascinating cogs in this enormous crime machine. But I’m curious about what short-term goals the group set in identifying the individuals behind these extremely lucrative scams?
RT: We wanted to start a collaboration group to fight BEC, and really a big part of that involved just trying to social engineer the actors and get them to click on links that we could use to find out more about them and where they’re coming from.
BK: And where are they coming from? When I’ve written about BEC scams previously and found most of them trace back to criminals in Nigeria, people often respond that this is just a stereotype, prejudice, or over-generalization. What’s been your experience?
RT: Right. A lot of people think Nigeria is just a scapegoat. However, when we trace back phone numbers, IP addresses and language usage, the vast majority of that is coming out of Nigeria.
BK: Why do you think so much of this type of fraud comes out of Nigeria?
RT: Well, corruption is a big problem there, but also there’s this subculture where doing this type of wire fraud isn’t seen as malicious exactly. There’s not only a lot of poverty there, but also a very strong subculture there to support this type of fraud, and a lot of times these actors justify their actions by seeing it as attacking organizations, and not the people behind those organizations. I think also because they rationalize that individuals who are victimized will ultimately get their money back. But of course in a lot of cases, they don’t.
BK: Is that why so many of these Nigerian prince, romance and BEC scams aren’t exactly worded in proper English and tend to read kind of funny sometimes?
RT: While a lot of the scammers are typically from Nigeria, the people doing the actual spamming side typically come from a mix of other countries in the region, including Algeria, Morocco and Tunisia. And it’s interesting looking at these scams from a language perspective, because you have them writing in English that’s also influenced by [people who speak] French and Arabic. So that explains why the emails often are written in poor English whereas to them it seems normal.
BK: Let’s talk about the romance scams. How does online dating fraud fit into the BEC scam?
RT: [The fraudsters] will impersonate both men and women who are single, divorced or widowed. But their primary target is female widows who are active on social media sites.
BK: And in most of these cases the object of the phony affection is what? To create a relationship so that the other person feels comfortable accepting money or moving money on behalf of their significant other, right?
RT: Yes, they end up being recruited as money mules. Or maybe they’re groomed in order to set up a bank account for their lovers. We’ve dealt with multiple cases where we see a money mule account coming through and then look that person up on social media and are quickly able to see they were friends with a clearly fake profile or a profile that we’ve already identified as a BEC scammer. So there is a very strong tie between these BEC scams and romance scams.
BK: Are all of the romance scam victims truly unwitting, do you think?
RT: With the mules who don’t one hundred percent know what they’re doing, they might be [susceptible to the suggestion] hey, could you open this account for me. The second type of mule can be on the payroll [of the scam organization] and getting a cut of the money for assisting in the wiring of money [to the fraudsters’ accounts.]
BK: I saw in one of your tweets you mentioned personally interacting with some of these BEC scammers.
RT: Yeah, a few weeks ago I was running a romance scammer who reached out and added me as a friend on Facebook. The story they were telling was that this person was a single mom with a kid aged 43 looking for companionship. By day 4 [of back and forth conversations] they were asking me to send them iTunes gift cards.
BK: Hah! So what happened then?
RT: I went to my local grocery store, which was all too willing to help. When you’re trying to catch scammers, it doesn’t cost the store a dime to give you non-activated iTunes gift cards.
BK: That sounds like fun. Beyond scamming the scammers to learn more about their operations and who they are, can you talk about what you and other members of the BEC working group have been trying to accomplish to strategically fight this kind of fraud?
RT: What we found was with BEC fraud it’s really hard to find ownership, because there’s no one entity that’s responsible for shutting it down. There are a lot of moving parts to the BEC scam, including lots of romance scam social media accounts, multiple email providers, and bank accounts tied to money mules that get pulled into these scams.
The feds get a lot of flack for not making arrests, the private sector gets criticized for not doing more, and a lot of people are placing the blame on social media for not doing more. But the truth is that in order to address BEC as a whole we all have to work together on that. It’s like the old saying: How do you eat an elephant? One bite at a time.
BK: So the primary goal of the group was to figure out ways to get better and faster at shutting down the resources used by these fraudsters?
RT: Correct. The main [focus] we set when starting this group was the sheer length of time it takes for law enforcement to put together a subpoena, which can take up to 30 days to process and get the requested information back that allows you to see who was logged into what account, when and from where. At the same time, these bad actors can stand up a bunch of new accounts each day. So the question was how do we figure out a good way to start whacking the email accounts and moving much faster than the subpoena process allows.
The overall goal of the BEC group has been to put everyone in the same room, [including] social media and email providers and security companies, so that we can attack this problem from all sides at once.
BK: I see. In other words, making it easier for companies that have a role to play to be proactive in shutting down resources that are used by the BEC scammers.
RT: Exactly. And so far we have helped to close hundreds of accounts, helped contribute directly or indirectly to dozens of arrests, and prevented millions of dollars in fraud.
BK: At the same time, this work must feel like a somewhat Sisyphean task. I mean, it costs the bad guys almost nothing to set up new accounts, and there seems to be no limit to the number of people participating in various aspects of these scams.
RT: That’s true, and even with 530 people from dozens of companies and organizations in this BEC working group now it sometimes doesn’t feel like we’re making enough of an impact. But the way I look at it is for each account we get taken down, that’s someone’s father or mother who’s not being scammed and losing their inheritance to a Nigerian scammer.
The one thing I’m proud of is we’ve now operated for three years and have had very few snafus. It’s been very cool to watch the amount of trust that organizations have put into this group and to be along for the ride there in seeing so many competitors actually working together.
Anyone interested in helping in the fight against BEC fraud and related scams should check out the Web site 419eater.com, which includes a ton of helpful resources for learning more. My favorite section of the site is the Letters Archive, which features often hilarious email threads between the scammers and “scam baiters” — volunteers dedicated to stringing the scammers along and exposing them publicly.
When I visit this site I get a notice that there is concern about the certificates. Doesn’t give you much confidence when a security web site has certificate issue.
Yeah we replaced the cert the other day and this has popped up since. Working on getting it resolved. Out of curiosity, which browser are you using?
I am using Internet Explorer and don’t get the certificate warning.
“Well, there’s your problem.” *g*
Just another data point: in Chrome, Firefox, Edge, and IE (all latest builds, but no advance/beta releases) on Windows 10 Pro, I see no certificate errors whatsoever.
Chrome, FF and IE 11 give cert errors on Windows 7.
Edge and Chrome are fine on Windows 10.
Safari and Chrome are fine on iOS (12).
Could it be rejecting SHA-1 as an obsolete format, or perhaps TLS 1.0, which is being dropped by Mozilla and perhaps other browsers, depending on whether they have the latest build.
No warnings on Chrome or FF on Win10 for me. But c’mon Brian, a Comodo certificate? Seriously! You’re losing credibility here. What’s wrong with Let’s Encrypt? It’s free, and auto-renews without any issues. I’ve been using it for about a year on my site and I LOVE IT! Totally hassle free. And most of all, why feed Comodo money for something that is free? They totally try to upsell you.
Thanks, Dennis, for not being a jerk about this. I’m guessing my site still has a better SSLLABS score than your bank.
Not mine! (UW Credit Union). Maybe I’m cheating since it’s a credit union and not a bank.
SSL Labs test page shows that you are missing some intermediate certificates from your certificate chain:
That Krebs can have a difficult certificate error is an example of the systematic failure of X.509 to address its promise of mutual authentication. Honestly, remembering this standard I have an opinion about who was receiving all the money for weakening standards in Operation Bullrun. Of course, some people will be relentlessly obstreperous and counter-productive for free.
Shockingly enough, another layer of indirection is not solving the systematic problems underlying x.509! certificate transparency *ugh*
People, ask yourself, would you rather get stabbed, kidnapped or suffer some other violent crime… Or let fraudsters make money? In the USA ghetto criminals’ income is credit card fraud, tax fraud, scams… If they can make money with those white collar crimes, I think they are not going to be so violent.
Violence is not good..
I know that in the USA, CA, AU there are a lot of people who make a daily living with scams, frauds, cybercrimes.
Even uneducated guys in the hood are making a lot of money.
Many have started their own business and they are legit by now.
But I’m asking, what is wrong in our society??
Why don’t we give jobs with good salaries to people??
Why do they have to steal??? Why don’t we as other people help them before they are at the point where they’ve got nothing to lose? Until we solve that problem, we have people in our society who have no fear and nothing to lose.
Poor guy from the ghetto… What options does he have??
None.. Let’s be real, he’s got no options.
Like in the Soviet Union… Stalin’s prison system made criminals more brutal, more tough, and left them with nothing to lose.
In old times the slave owners understood.. that pressure and a difficult life and brutal treatment would make a slave more tough, more strong.
Those scammers, fraudsters, thieves.. cybercriminals don’t do it all because they like it.. They are just slaves who became brutal and ruthless.
Nowadays the slave owners know that it’s not the best idea to put slaves under too much pressure.
Too much pain and pressure on a person will make him a monster.
Now I’m asking.. Why do we send so many young guys to prison?
They will not become better there; prison makes a person hate society, hate the government.
Instead of prison we should offer them a second chance.
And we should make a law that everybody who is a living soul has a good life.. Until then, how can we even prosecute anyone??
The world is wrong
Rationalizing bad behavior does not excuse it. It may make you feel better but it doesn’t change anything.
I largely agree with your long rant about inequity and government, but I must point out that prosecution of 419-scammers is fair because they cause harm.
Maintaining and accumulating property and wealth is one of the joys of a free country. Having it taken by deception or fraud is hurtful, resulting in tangible damage.
“Why we dont give jobs with good salary to people??”
Because it takes more than not having a job to be worth someone paying money for your services.
“Why they have to steal???”
They don’t. They *choose* to steal.
“Why we as other people dont help them before they are point when they got nothing to lose”
How much of your income do you give to the jobless? If it’s less than half, get off your soap box. And since it’s almost certainly zero, how about you clear the log out of your own eye before you go for the speck in mine?
“Now im asking.. Why we send so many young guys in prison?”
Gonna go out on a limb here. Because they stole. Fully knowing the penalty. You seem to have a problem with the idea of choosing your actions. If I robbed you of everything you own, are you at fault for not just giving me your possessions? If you say “no” to that, then maybe you should think some things through.
Do you know how it ends up if the victims actually meet with these fraudsters? Kidnapping and even a murder …
As for “poor” people, I guess this might dispel the myth:
This is not an isolated incident. More reports abound. This destroys the livelihoods of legitimate people and their businesses.
The story is about human greed and remorselessness, enabled by technology (internet).
By his comments and disregard for the property of others, methinks Tom appears to have absorbed too much Leninism to live happily in a western, liberal society.
Lenin promised to take the wealth of the rich man and redistribute it to the poor (after the Party’s cut).
He never promised to raise the poor man up to the level of the rich man.
But to be fair to Tom’s general points, the Party did wipe out illiteracy, provided access to advanced education, and a certain minimum level of medical care, along with militarized totalitarianism. They never could get any society beyond that.
Whilst I agree societal inequities exist worldwide, Tom never suggests that a sharp drop in the birthrate just might create the means for a more equitable income distribution and use of the world’s remaining available resources.
That would lead to less naked, remorseless, greed.
If you are doing SSL decryption you will see the error.
Try the same machine from a different location.
Thank you to Mr. Tokazowski and the working group for trying to do something about these scams. It can certainly feel like a lost cause when you see it day in and day out.
Is the BEC Mailing List something to which Financial Crimes Investigators and others could be vetted to gain access in order to submit scammer data (names, email addresses, phone numbers, etc.)? A searchable database would also be quite useful.
I would also be interested in a “best practices” tool for using with victims to help convince them they are being victimized. Often even after you have convinced the victim they are being suckered, they go right back to talking with their “fiancé, girlfriend, boyfriend” and trying to send them more money.
For best practices, I like to point to IC3, as they are the aggregators for much of the information. https://www.ic3.gov/media/2018/180712.aspx
For membership, we are keeping it as a closed membership for now, however we are toying with the idea of opening a second / more public list.
Thank you for what you do.
Do you have affiliate research members or internship relationships with universities?
This seems like an excellent match for interdisciplinary students. We have joint data science and computer security degrees that would make a potentially good match. It is difficult to match these students with the jobs that would make a difference in people’s lives.
Good to hear about other heroes in the battle against web crime. A very interesting point that BEC is number one in this type of fraud. This is an excellent story! Thank you KOS!!
These guys are phenomenal 🙂 some of their stories are just hilarious.
As a non-419eater, I’ve come to the conclusion I don’t care to report enormous amounts of fraud on social media. Social media is set up in such a way as to not see IP addresses, make it slow and difficult to report fraud, and enable the hiding of fraudsters. Thus, if social media hides fraudsters, I let them continue causing fraud. I’ve found it TOO time-consuming to report fraud. At the same time I often avoid social media–huge amounts of fraud there–I know it before I even associate with it.
The likes of Facebook, in which its current CEO said security wasn’t much of a thought in its continuing operation prior to nearly a decade later–good grief–even during the fraud attempts at influencing national votes. A million dollar company that didn’t care to figure out security. I often AVOID FB.
Back years ago I reported Yahoo Dating, the entire website, to the FTC as a 99.9% fraud site. Noticed soon after that Yahoo discontinued the site. Craigslist discontinued its 99.9% fraud dating site.
Whenever I’ve received one of those “Nigerian prince” e-mails, while I’m collecting the header information to forward the full thing to US-CERT, APWG and FTC, the image of Eddie Murphy in his film as the golden-child prince always pops into my mind — no offense to Mr. Murphy intended….
People should take steps to complain about these kinds of fraud. This issue is seriously very big.
True. There are legal and community places to complain for many scams and frauds. With community I mean places like https://www.vsfrauds.com/
Many people in Nigeria must be fans of W.C. Fields…
“It’s morally wrong to allow a sucker to keep his money.”
Question for Ronnie T….. In the many 419 scams I’ve seen I notice that most of the time the scammers use a different reply-to email address than the email address used for first contact. Or, they will simply ask you to contact them or someone else at another email address. Rarely are you asked to reply to the email of first contact. Why is that? Any ideas?
If you look at the sending address, you will frequently find they are compromised accounts at legitimate organizations. These are used to get past spam filters, relying on the organization’s reputation, etc.
Replying to that account would only work as long as they have access to it, so they direct you to one of their accounts, almost always on a free mail service.
You guys should keep deceiving yourselves and masturbating over Nigerians being the largest scammers (hatred is all I see) while you keep living in denial and pretend not to know who the real scammers are. Last I checked, the biggest and largest folks who spam (cyber attacks) and make all the tools needed for scammers to carry out their nefarious activities are still hardcore IT / computer tech savvy people from nations like Russia, India, Mexico and some low nations such as Pakistan. Go and find out from the dark nets. They are the ones who make all these spam and hack tools available.
How many hardcore tech savvy hackers (botnet, ransomware, etc.) who have mastered their craft with that level of proficiency do we have in Africa? But just for the fact that the narrative looks sweet and more convincing when countries like Nigeria or the African continent are mentioned.
You white people should keep deceiving yourselves and attributing the word “scammers” to a continent that knows little or nothing about it.
You missed China and North Korea. There you get into state sponsored hacking. When the hacking is state sponsored, it’s at a whole different level. Russia is also a sponsoring state for hacking.
Libert appears to have stopped all inquiry into the human condition, after his Racism Course 101.
The reporting here is about greed, and the remorselessness of criminals, using the latest technology and social engineering, regardless of race, color, creed, sexual preference, nationality, location, national origin, or spoofed ISP, for naked fraud.
None of these crooks would defer fraud against a person because of any of those traits. The more victims the merrier, and the richer the crook becomes.
As a frequent visitor to northern & southern Africa, I reject your premise that Africans are not up to the tech capabilities of the rest of the world when it comes to adverse social engineering and internet fraud. Nigeria’s record and inbound currency transfers amply prove that every day.
Fraudsters in the rest of the world, i.e. all other races, are trying very hard to catch up.
Since you referred to it, I regret that your current lack of a sex partner forces you to just one alternative, which also slips into your written commentary.
Thanks for being so open about your fixation, and I sincerely hope for you that this “temporary drought” ends.
Life is too short for substitutes…
When registrars are obliged to close or redirect the domains that -obviously- are involved in all kinds of illegal activities, a great part of those problems will be solved.
Some of them have rules, policies… just for show; they do nothing, or only several days later when it’s useless.
Why do so many spam messages use links/domains bought at namecheap, ovh, danesconames.com, godaddy?
Registrars only have to answer to ICANN. And ICANN has demonstrated for many years that they are a FOR-PROFIT company disguised as a not-for-profit organization looking out for the greater good of Internet development. But it simply isn’t true! They profit a great deal from Registrars who turn a blind eye to the misuse of their services by the criminal gangs who purchase THOUSANDS of domain name so they can target the world.
The ICANN Mission statement says that they will look out for the safety of those who use the Internet but I have NEVER seen them make any reasonable decision to protect netizens! There is so much that can be done to make Internet use safer and it starts with ICANN! Read my article “How to make the Internet safer for everyone.” http://www.thedailyscam.com/how-to-make-the-internet-safer-for-everyone/
Replace ICANN or some of their head security structures; my thought for many years.
was acting, but now the guy is working at…. ICANN !
As I explained to few friends.
If all the people, lists, RBLs… who are fighting spam, etc. just blacklist all IPs of registrars who are not suspending bad accounts, domains… after a few weeks they will react or they will disappear.
It’s as simple as that. Just spread the word.
I’d rather see Knujon be given resources, and that aspect of ICANN security replaced by it.
Excellent article. A comment, ever been lonely? Never had a million followers, or asked to describe your daily life, that’s what you are batting against. The victim has the attention of someone who cares. About them. That part is not hard.
But, hooray, there are people actually working to stop the phishing attacks. That’s great to hear about. And how they are coordinating to respond faster, even better.
About the comments, tools? So the black web should be separated from the normal web, and no crossover apply? Interesting. Only blame others, why, were not we discovered to have an impressive toolkit also? Doing the same things, so who is to blame? Should the tools have been available to everyone, not just those on the dark web. Bet it would have been easier to backtrack earlier if available.
A lot of e-mail scams at least can be forwarded to email@example.com and an AI will automatically waste their time.
Though, I just visited the site (rescam.org) and it sounds like it’s currently offline in preparation for phase2, but you can still send e-mails there and they’ll be analyzed and used in the future.
Spamnesty is still online (https://spa.mnesty.com/) for wasting their time, but they aren’t as good as rescam.
“How Do You Fight a $12B Fraud Problem?”
Accept that allowing access to finances over an inherently insecure medium is a bad idea? Anyone? No?
It still says “not secure”. Using Chrome 70 Win 10.
Brian, many thanks for informing about 419eater.com. They are deserving of our support, as are our law enforcement agencies, in this battle. Unfortunately, current inadequacies of international law restrict what police can do outside our borders. 419eater.com adds an extra cross-border element.
“Letters Archive” is hilarious; their outbound emails to these criminals are a marvel of sustained creative writing and social engineering.
To this financial crime victim (police report in hand) there was the additional relish of “schadenfreude” (Google it); seeing by the crook’s own emails, his continuous, self-inflicted, well deserved, mental misery.
And yet they keep coming back for more! Fantastic!
After 25 years of sustained internet, and internet-enabled crime, that’s about as close to some justice as most victims are going to get.
I have performed some loose manual analysis on spam email headers. I am surprised that a great deal of the spam can be identified by simple text matching on particular header fields. A bit more complex yet still relatively easy to implement cross field comparison can get you a 70-90% effective spam filter.
I am hesitant to follow or have another follow links provided or load images from spam emails addressed to my own account. I often see non-language strings in the URLs which could be unique to the email address the message was sent to. The result would be confirming the email address as active and possibly tied to an individual who may be scammable.
I see a lot of emails which seem to be for the sole purpose of confirming an active email address. I see emails with multiple reply-to or unsubscribe addresses.
The unfortunate thing is that many email client interfaces hide all of this from the user. I would use a pure text email client but for some legitimate email providing no or useless text parts in their html based emails.
Many legitimate emails are hard to distinguish from spam emails. It used to be the other way around. Legitimate emails have been devolving to use elements we used to caution about. Spam emails have been evolving to not use elements we used to caution about.
Email providers could be doing more egress filtering for easily identified spoofed emails. Instead they are focusing on ingress spam filtering, which does not seem to be very effective. I see far too many false positives and negatives in ingress filtering.
on another note:
I ran an SSL Labs server test on this site after reading the first comment. It has a B grade, very good in my opinion. And, yes, that is better than many banks and financial institutions. That is extremely good when you consider the resources available to the entities being compared. Mr. Krebs is one person, knowledgeable in the field, and focused on journalism. He needs to be presenting a much better than average security view to maintain his reputation. Priorities straight as far as I see. Banks and financial institutions have more resources, are an industry historically requiring security, and are focused on literally making money. They need to be presenting an excellent security view to maintain reputation. Priorities not straight as far as I see.
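The Reply-To pattern Ronnie describes in his answer above (a compromised, reputable sending account with replies steered to a free mail service), together with the header-matching and multiple-Reply-To observations in the comment just above, as an added detection example that is not code from KrebsOnSecurity, Flashpoint or the BEC List. The freemail domain set and both sample messages are constructed assumptions for this example only.

```python
"""Header checks for 419/BEC mail: Reply-To steered away from the From
address, Reply-To on a free webmail service, several Reply-To addresses,
and a Return-Path domain that does not match From.

Added example, not code from KrebsOnSecurity, Flashpoint or the BEC List.
The freemail domain set and both sample messages are constructed here.
"""
import email
from email.utils import getaddresses

# Constructed sample of free webmail domains (assumption: a real deployment
# keeps its own maintained list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def _domain(addr):
    """Lower-cased domain of one address, or '' when it has no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _addresses(msg, header):
    """Every address in every instance of `header` (repeated headers too)."""
    return [a for _, a in getaddresses(msg.get_all(header, [])) if a]


def score_headers(raw):
    """Return {'score': n, 'findings': [...]} for one RFC 5322 message string.

    Each finding is one of the patterns the comments describe: the sender is
    often a compromised account at a reputable organization, so the reply
    path is redirected to a mailbox the scammer controls.
    """
    msg = email.message_from_string(raw)
    from_doms = {_domain(a) for a in _addresses(msg, "From")}
    reply_addrs = _addresses(msg, "Reply-To")
    reply_doms = {_domain(a) for a in reply_addrs}
    return_doms = {_domain(a) for a in _addresses(msg, "Return-Path")}

    findings = []
    if reply_doms and reply_doms != from_doms:
        findings.append("reply_to_domain_differs_from_from")
    if reply_doms & FREEMAIL_DOMAINS:
        findings.append("reply_to_on_freemail")
    if len(reply_addrs) > 1:
        findings.append("multiple_reply_to_addresses")
    if return_doms and from_doms and return_doms != from_doms:
        findings.append("return_path_domain_differs_from_from")
    return {"score": len(findings), "findings": findings}


# Constructed sample: a lure sent through a compromised institutional
# account, with two Reply-To mailboxes on free webmail.
SCAM_SAMPLE = """\
Return-Path: <finance@example-university.edu>
From: "Finance Office" <finance@example-university.edu>
Reply-To: claims.desk2018@gmail.com
Reply-To: claims.desk.backup@yahoo.com
To: recipient@example.org
Subject: URGENT: unclaimed funds awaiting release
Content-Type: text/plain

Kindly reply to my private address for details of the transfer.
"""

# Constructed sample: a routine newsletter whose reply path stays put.
BENIGN_SAMPLE = """\
Return-Path: <newsletter@example.com>
From: Example Newsletter <newsletter@example.com>
Reply-To: newsletter@example.com
To: reader@example.org
Subject: Weekly digest
Content-Type: text/plain

This week's articles are listed below.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_headers(sample)
        print(label, result["score"], result["findings"])
```

The score is a count of independent header findings; a mail client or gateway would typically quarantine or annotate anything scoring two or more rather than block on a single mismatch, since legitimate mailing lists also rewrite Reply-To.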
You left out the US from your list of countries of being very active in having Dating Site fraudsters. I work with a number of agencies to curtail this activity and to detain the criminals and have had many conversations with Bank Security setting up situations where arrests for ‘probable cause’ are possible. Problem is – the banks DO NOT want to help the unfortunate losers whatever they may tell investigators and the Press!! What is $500-$3,000 to them? They just shut the offender’s account and tell the complainants nothing – especially the Police.
The US offenders are not Nigerian, they are American women – one of whom is wanted by Interpol and the FBI in many, many countries and is estimated to have stolen many millions of dollars during the past 5 years – perhaps even longer. I have provided this woman’s brother’s and uncle’s details to the Banks to no avail.