
BEC scammer infects own device, giving researchers a front-row seat to operations

Not every attacker is a wizard.
(Getty Images)

In some media portrayals, criminal and state-backed hackers are invariably depicted as cunning and sophisticated, gliding inexorably toward their latest data heist.

Reality is murkier. These digital operatives are, of course, human and prone to mistakes that expose their activity. A North Korean man accused of hacking Sony Pictures Entertainment in 2014, for example, mixed his real identity with his alias in registering online accounts, making it easier for U.S. investigators to track him.

The most recent example of bumbling digital behavior occurred when a scammer infected their own device, offering researchers a front-row seat to the attacker’s scheme and lessons in how to defend against it.

“This is a big failure in their operational security as it gives us direct insight into some of the attacker’s tactics and operation,” said Luke Leal, a researcher at web security firm Sucuri, which made the discovery.


The attacker was trying to carry out a business email compromise (BEC), a scheme that uses spoofed emails to trick people into sending crooks money. BEC scams are so prevalent they accounted for $1.7 billion in losses reported to the FBI in 2019 — or half of all cybercrime losses reported to the bureau.

To carry out the scam, the scammer needed more details on equipment used at an unnamed oil company to make malicious emails to the company’s employees more believable, Leal wrote in a blog post. That meant planting malicious code on devices used at the company to monitor communications.

At the same time, however, the attacker apparently forgot to remove the malicious code they placed on their own device, perhaps for testing purposes, giving Leal’s team a window into the attacker’s machinations and frustrations. Because it was infected by the malware, the device was sending screenshots back to the control panel the hacker was using in the scam.

The researchers saw emails the attacker sent to targeted employees and how they spread out payment requests over multiple invoices to make the scam more believable. And in one online chat with another attacker seen by the researchers, the BEC scammer laments losing access to the control panel.

The scammer was ultimately able to regain access to the panel because the website in question hadn’t changed its password. It’s unclear how successful the BEC scam was (Leal said he didn’t know). But the episode is a reminder of the many opportunities that the potential targets of hacking schemes have to learn from the perpetrators’ mistakes.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.