FBI Arrests Nigerian Suspect in $11 Million BEC Scheme
Scam Targeted UK Affiliate of US Heavy Equipment Firm Caterpillar, Prosecutors Allege
The FBI has arrested a Nigerian businessman for allegedly carrying out an $11 million business email compromise scheme that targeted a U.K. affiliate of U.S. heavy equipment manufacturer Caterpillar.
Obinwanne Okeke, a Nigerian entrepreneur who has been profiled in Forbes and the BBC New Africa, was arrested on charges of conspiracy to commit computer and wire fraud, according to an FBI affidavit and other court documents filed with the U.S. District Court for the Eastern District of Virginia.
Okeke, 31, was arrested by the FBI earlier this month and remains in federal custody, according to the court documents that were unsealed within the last week. A defense attorney in the case did not immediately reply to Information Security Media Group’s request for comment.
As part of the investigation, FBI agents traced back to Okeke an email address used in phishing schemes as well as his social media accounts, the court documents show.
The alleged scam, which dates back to April 2018, targeted Unatrac Holding Limited, an export sales office in the U.K. that’s associated with Caterpillar, prosecutors say. By the time the company discovered what had happened and contacted the FBI, nearly $11 million had been transferred overseas. Only a small portion of the money has been recovered, according to the FBI.
CFO Targeted
In its affidavit, FBI agents allege that Okeke, along with other, unnamed associates, targeted the email account of Unatrac's chief financial officer. The CFO received a phishing email that contained a link that supposedly would allow him to log into his Microsoft Office 365 account, according to the documents.
Instead, the malicious link sent the CFO to a spoofed website that looked like an Office 365 log-in page. He then entered his credentials into the page, which were captured by the attackers, according to the FBI affidavit.
Once they had the credentials, the attackers accessed the CFO's emails and company files, logging into his account more than 460 times during a four-week period, the court documents allege. The credentials also allowed the scammers to create fake wire transfers and invoices using the CFO's name, title, company logos and other information to create authentic-looking documents, authorities say.
The attackers also altered the CFO's account to monitor his email traffic, according to the FBI.
"The [email redirect rules] intercepted legitimate emails to and from employees on the financial team, marked them as read, and moved them to another folder outside the inbox,” according to the FBI. “These rules appeared to have been created in an attempt to hide from the CFO any responses from the individuals to whom the intruder was sending fabricated emails."
From there, the company's financial team began receiving invoices and money transfer requests from companies with names such as "Pak Fei Trade Limited" as well as others. These transfers and invoices ranged from $278,000 to over $1.95 million, according to the court documents.
The fraudulent invoices and money transfers led the company to transmit nearly $11 million overseas - and most of it has not been recovered, the documents show.
As the investigation continued, the FBI also found additional victims of this alleged criminal group, including the Red Wing Shoe Company of Red Wing, Minnesota, which told agents that the company had been swindled out of more than $100,000 in early 2018, according to the court papers.
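A defender-side check for the mailbox rules described in the affidavit, as an added example that is not part of the original article or the court documents: it scans an exported list of inbox rules for ones that mark mail as read while moving or deleting it, and raises the severity when the rule's conditions name finance-team addresses. The field names mirror properties returned by Exchange Online's Get-InboxRule; the mailbox, addresses, rule names and the FINANCE_TEAM watch list are constructed.

```python
# Assumed watch list: addresses whose mail should never be silently filed away.
FINANCE_TEAM = {"ap@example.com", "treasury@example.com"}

# Constructed sample export; keys follow Get-InboxRule property names.
SAMPLE_RULES = [
    {"Mailbox": "cfo@example.com", "Name": "Newsletters", "Enabled": True,
     "From": ["news@vendor.example"], "SentTo": [],
     "MarkAsRead": False, "MoveToFolder": "Newsletters", "DeleteMessage": False},
    {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
     "From": ["AP@example.com", "treasury@example.com"], "SentTo": [],
     "MarkAsRead": True, "MoveToFolder": "RSS Feeds", "DeleteMessage": False},
    {"Mailbox": "cfo@example.com", "Name": "Build alerts", "Enabled": False,
     "From": ["ci@example.com"], "SentTo": [],
     "MarkAsRead": True, "MoveToFolder": "Automation", "DeleteMessage": False},
]

def hiding_signals(rule):
    """Return the concealment traits a single inbox rule exhibits."""
    signals = []
    if rule.get("MarkAsRead"):
        signals.append("marks-as-read")
    if rule.get("MoveToFolder"):
        signals.append("moves-to-folder")
    if rule.get("DeleteMessage"):
        signals.append("deletes")
    # Conditions that single out finance staff as sender or recipient.
    named = {a.lower() for a in rule.get("From", []) + rule.get("SentTo", [])}
    if named & FINANCE_TEAM:
        signals.append("targets-finance-team")
    return signals

def audit(rules):
    """Flag rules that make mail disappear without the owner seeing it."""
    findings = []
    for rule in rules:
        # Disabled rules stay in scope: they can be evidence of earlier activity.
        s = hiding_signals(rule)
        silent = "marks-as-read" in s and ("moves-to-folder" in s or "deletes" in s)
        if silent:
            severity = "high" if "targets-finance-team" in s else "review"
            findings.append((rule["Mailbox"], rule["Name"], severity, s))
    return findings

if __name__ == "__main__":
    for mailbox, name, severity, signals in audit(SAMPLE_RULES):
        print(f"{severity:6} {mailbox} rule={name!r} signals={','.join(signals)}")
```

Rules marked "review" are often legitimate automation filters, so the watch list is what separates routine filing from the pattern the FBI describes.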
Gmail Address
As part of the alleged scheme against Unatrac, the attackers downloaded tax and other company documents from the CFO's files and, at one point, transferred some of that data to an email address: iconoclastl 960@gmail.com, according to the court documents.
After several months of investigating, and with help from a confidential source, the FBI agents learned that the iconoclastl 960@gmail.com address had been associated with phishing schemes, according to the documents. This eventually led to the FBI serving a search warrant on Google to gain more information about the account, the court documents show.
The Gmail account contained emails and chat messages among the attackers, including "lists of over 600 email account passwords, as well as copies of passports and driver's licenses that were likely stolen to be used in identity theft schemes," according to the court documents.
The FBI also traced documents sent to and from the iconoclastl 960@gmail.com account to other email addresses that contained code and other details for creating spoofed webpages that resembled legitimate sites, according to the documents.
After several months, the FBI tracked the iconoclastl 960@gmail.com account back to its owner, which was listed as obinwannem@gmail.com. This eventually led the FBI to identify the owner as Okeke. Agents also found Twitter and Instagram accounts associated with Okeke and his business - the Invictus Group - that Forbes had described as having interests in construction, agriculture, oil and gas, telecoms and real estate.
In early August, Okeke was arrested while traveling in the U.S., according to the court documents. He has appeared in federal court twice since his arrest and remained in federal custody as of Monday. During an Aug. 12 court hearing, the judge in the case noted that the matter is being sent to a federal grand jury for consideration of a formal indictment.
BEC on the Rise
The allegations against Okeke highlight the growing emphasis that the FBI and other law enforcement agencies are placing on business email compromise schemes, which are also referred to as CEO fraud.
BEC schemes often start with attackers stealing the email credentials of a top executive through phishing or other methods. Then they impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to bank accounts. In other cases, the attackers spoof a company's business partner.
A recent report from the U.S. Treasury Department found that business email compromise scams are surging, costing U.S. companies a total of more than $300 million a month (see: BEC Scams Cost U.S. Companies $300 Million Per Month: Study).
In addition, a report released in May from Palo Alto Networks' Unit 42 found that several Nigerian criminal gangs have turned their attention to business email compromise schemes, and many are using off-the-shelf malware to help advance their plans (see: Nigerian BEC Scammers Use Malware to Up the Ante).