FBI: 2021 Business Email Compromise Losses Hit $4.3 BillionAlso: Privacy Updates; Improving Industry Collaboration
The latest edition of the ISMG Security Report discusses how the leader of a "transnational cybercrime syndicate" has been arrested in Nigeria, according to Interpol. It also shares updates on U.S. privacy laws and how we can improve collaboration as an industry.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz discuss how police in Nigeria this week announced the arrest of a man who's been charged with running a criminal syndicate tied to massive business email compromise and phishing campaigns;
- Attorney Lisa Sotto share updates on changes to U.S. privacy laws;
- Former federal CISO Grant Schneider detail how we as an industry can improve collaboration and information sharing.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the May 12 and May 20 editions, which respectively discuss lessons for cybersecurity leaders from the Russia-Ukraine war and the big changes to the ransomware ecosystem since Colonial Pipeline.
Anna Delaney: The leader of transnational cybercrime syndicate arrested in Nigeria, and how can we improve our collaboration as an industry? These stories and more on this week's ISMG Security Report.
Hi, I'm Anna Delaney. Police this week announced the arrest of a man who's suspected of having run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromised schemes targeting companies and individual victims. Joining me to discuss is Matthew Schwartz, executive editor for DataBreachToday and Europe. Matt, will this arrest take a bite out of cybercrime?
Matthew Schwartz: It's always great to see suspected ringleaders not leave behind business email compromised scams get arrested. But that is a pertinent question, given the sheer volume of these attacks. I know that we often talk about ransomware. I am a big proponent of looking at how attackers continue to innovate. And ransomware is very interesting when it comes to how criminals have managed to increase their profits on a quarterly basis for the past few years. But in terms of sheer illicit profit making potential, the kudos does go to business email compromise schemes. In 2021, notably, the FBI says that reported losses domestically and internationally for business email compromised schemes were $2.4 billion. Compare that with ransomware, where the reported losses were only $49 million dollars. Now, there's a lot of caveats there with ransomware. A lot of it doesn't get reported. All of the costs associated with that also oftentimes don't get reported. But there is a huge disparity there. And I think it's important to highlight that business email compromise and, as you mentioned in your introduction, this gang, which has been tied to phishing schemes is a massive money making enterprise and unfortunately, this is just one person. I don't think this is going to have much of an impact.
Delaney: But surely the arrest of any suspected member or ringleader of a gang, the wheels of BCE, phishing or malware should be celebrated.
Schwartz: Absolutely. There have been a long running series of operations targeting this particular criminal syndicate. I think that highlights in part the difficulty of tracking some of these operations and then attempting to bring the perpetrators to justice. Interpol's coordinated three operations. We had Falcon I in 2020, Falcon II in 2021, and now Operation Delilah, which was a year-long endeavor that has just wrapped up. Interpol says Operation Delilah was launched after it got threat intelligence from three private sector partners - Group-IB, Unit, 42 of Palo Alto Networks, and Trend Micro. It said it used this to coordinate what was going on and to begin tracing not just technically, but also the movement of the suspect who's just been arrested. Now, this builds on previous efforts, as I mentioned, the Falcon operation that brought to justice 14 suspected members of this operation. The most recent persons who have been arrested was a 37-year-old, busted by Nigerian authorities. Don't know his nationality, but he may be Nigerian, and he is the suspected ringleader. All this is good. But this is a group that's been operating since 2015. And the length of time it's been in operation, and the scale of its operations, shows how difficult it can be to identify the suspects, bring them to justice. Hopefully by doing so here, though, we'll see more follow on operations that make use of the kinds of intelligence and the ability to discern the tactics that are being used by these kinds of criminals.
Delaney: And so, Matt, where to from here?
Schwartz: Great question! We've seen efforts to combat business email compromise intensifying. In 2018, the FBI launched its recovery assets team, which is designed to receive reports from victims and to more quickly work with banks to freeze the funds. Since it's been launched, of $444 million in lost funds that were moved to domestic bank accounts, the FBI says it was able to successfully freeze 75% of those funds. That's great! For 2018, this wasn't happening. Since 2018, there's been a lot of success. Unfortunately, that's led attackers to alter their tactics, and especially during the COVID 19 pandemic. The FBI says that instead of emailing victims to try to trick them into making wire transfers, or using malware and phishing attacks disguised as phishing invoices or WT forms, what attackers have increasingly done is they've stolen access credentials for video conferencing software for CEOs and other senior executives. They'll initiate a meeting then pretending to be, for example, the CEO. And they won't enable video. They will either have a static picture or they will say they are having video or audio problems. They will use the chat function or in some cases, apparently, they do deep fakes with the audio trying to pretend to be the CEO. They attempt to trick someone inside the organization who has the ability to wire funds into wiring the funds. So it's your same old business email compromised scam, attempting to get lots of funds moved to a bank account controlled by attackers. Increasingly, as well, the FBI says they will move this money straightaway into cryptocurrency to help launder the funds, make them more difficult to track or to freeze, and then they will cash them out. And IC3, which is the Internet Crime Complaint Center — the FBI's organ — if you will — for receiving these sorts of fraud reports, says, banks in Thailand and Hong Kong were the primary destinations of these fraudulent funds, followed by China, Mexico, and Singapore. Unfortunately, we're still seeing billions of dollars getting stolen every year. We have better mechanisms for freezing some of the funds and some of the perpetrators are being brought to justice. Hopefully though, we will see many more of these kinds of arrests if we were to take a bite out of this kind of cybercrime.
Delaney: Yes, absolutely. Matt, appreciate this overview. Thanks for your insight.
Schwartz: Thank you, Anna.
(Transition ad: You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: It's been a busy time in the US data protection and privacy space. Recently, I asked attorney Lisa Sotto at Hunton Andrews Kurth LLP, about recent changes to US privacy laws, and the updates we need to know about.
Lisa Sotto: It has been a busy year. It's important to remember that until 2020, we had what was known as a sectoral regime, meaning that we regulated privacy by industry sector. And the best examples of this are the Gramm–Leach–Bliley Act in the financial sector, HIPAA in the healthcare sector. In 2018, everything changed, and I won't say we're getting more into line with the rest of the world, we're not there yet. We will be when we have a federal law. I hope it's a will and not maybe because of what's happening. And I'll go through that a little bit. California started this trend in 2018. The law there became effective January 1, 2020. It was the first state out-of-the-box to enact a comprehensive privacy law. That did lead to very dramatic changes on the privacy front in the US. But not to be outdone, other states followed suit. So we then saw in the last couple of years, Virginia, Colorado, Utah, and now Connecticut. I dare say we're going to see a number of other states coming to the fore as well. And nobody's going to want to be left out of this party. So I would advocate strongly for a federal preemptive law, it's the only way that we're going to be able to manage this extremely complex web, because we can't just comply with the highest common denominator law. They're all different. So there isn't such a thing as highest common denominator.
Delaney: And finally, we all know that serious industry collaboration is needed to strengthen collective resilience and reactions to potential threats, but significant gaps and challenges exist when it comes to getting collaboration and information sharing right. I asked former federal CISO, Grant Schneider, who is currently senior director for cybersecurity services of Venable LLP, about how we can improve on this front.
Grant Schneider: I think, with collaboration and with information sharing to be successful, think what do you want to collaborate about and on, and what are the outcomes that you're trying to achieve. I think the more specific you can get, the better ability you have to create the right partnership with the right partners and be able to build that trust because both with information sharing and with collaboration, it is successful when you can create a safe space that you can toss out ideas that maybe seem a little silly or don't seem quite right, but let's spark other people's imagination to help whether it's an investigator to help a forensics person to help figure out what's happening. So I think getting specific about what you want to collaborate about, who you want to collaborate with, and then how do you create that safe environment that everyone can completely bring their complete capabilities to the engagement.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time!