Jun 20, 2019

Email scammers use corporate consultant sites to find victims

Illustration: Aïda Amer/Axios

Email scammers are just like any other small business: They need leads, and commercial lead-generation services — the same kind many salespeople use — are providing them.

The big picture: Email scams targeting businesses, usually referred to as business email compromise scams, can seem unsophisticated. They typically take the form of fake invoices or emails from executives asking for money transfers. But like any other kind of enterprise, they care a lot about finding new clients — or, in their case, victims.

Background: In the past, we've covered how criminal groups operate like corporations, from their help wanted ads to their customer support hotlines. This is just the latest example.

  • Email fraudsters became known as "Nigerian scammers" in the early days of the web, when people around the world started to receive messages from bogus Nigerian princes seeking cash assistance. But the name is apt — the major groups actually do operate out of West Africa, and particularly Nigeria.

Details: "Of the West African groups we've profiled, nearly all of them use lead-generation sites," said Crane Hassold, senior director of threat research at Agari, a firm that tracks how email scam groups operate.

  • The criminal groups Agari has observed all used different lead-generation firms.
  • The sites offer users customizable searches for targets. For example, you could look up chief financial officers for tech companies of a certain size and revenue in California.
  • The groups Agari has tracked would sign up for free trials under a series of email accounts using the "Gmail dot" trick (Gmail ignores periods in the username part of an address, so many apparently distinct addresses all deliver to one inbox), though one group, nicknamed London Blue, outright purchased a $1,500 yearly subscription to a service last year. London Blue went on to download 50,000 leads in 6 months.

The groups could craft and refine a single spear-phishing email that would work against a wide variety of similar executives just by substituting different company names and small details.

  • It's more efficient than the older method of target acquisition — scraping lists of names from websites — but it still takes time to work. It took 18 days after a scammer downloaded the name of an Agari executive, said Hassold, before a phishing email arrived.
  • Targeting Agari isn't a particularly bright move, all things considered, but once the scammers get a name from a lead-generation service, they don't do further research. If they cast a wide enough net to find someone who takes the bait, they don't need to.

What they're saying: Axios reached out to six lead-generation firms that criminal groups used in the past, as identified by a security source that asked to remain anonymous to protect its information-gathering operation. None of the firms responded.

  • A quick look around the industry shows these services don't use upfront screening policies that would thwart scammers. And even a firm that did have screening policies in place appeared unaware of the scammer problem and was screening mostly to prevent spam.
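The "Gmail dot" trick mentioned above only works against signup screening that compares addresses as literal strings. As an added example (not code from Axios, Agari, or any of the lead-generation firms discussed), the following Python script shows the kind of canonicalization a free-trial screening process could apply: it strips periods from the username part of Gmail addresses, drops `+tag` sub-addresses, folds case, and then flags any canonical address that has signed up more than once. The sample signups are constructed for illustration; the `DOT_INSENSITIVE_DOMAINS` set and the `threshold` value are assumptions a real deployment would tune.

```python
from collections import defaultdict

# Providers known to ignore periods in the local part of an address.
# Assumption: googlemail.com is folded into gmail.com, since Google
# delivers both to the same account.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a canonical form of an email address for duplicate-signup checks."""
    address = address.strip().lower()
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = address.rsplit("@", 1)
    # Sub-address tags (user+anything) reach the same inbox at most providers.
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_signups(signups):
    """Group raw signup addresses by their canonical form."""
    groups = defaultdict(list)
    for raw in signups:
        groups[canonicalize(raw)].append(raw)
    return dict(groups)


def flag_duplicate_trials(signups, threshold=2):
    """Return canonical addresses that signed up at least `threshold` times."""
    return {canon: raws for canon, raws in group_signups(signups).items()
            if len(raws) >= threshold}


# Constructed sample: free-trial signups as a screening system might log them.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "j.anedoe@gmail.com",
    "janed.oe+trial2@googlemail.com",
    "JANE.DOE@GMAIL.COM",
    "bob.smith@example.com",
    "bobsmith@example.com",  # dot-sensitive domain: not collapsed together
]

if __name__ == "__main__":
    for canon, raws in flag_duplicate_trials(SAMPLE_SIGNUPS).items():
        print(f"{canon}: {len(raws)} signups -> {raws}")
```

Run against the sample, the four Gmail variants collapse into one canonical address and are flagged, while the two `example.com` addresses stay separate because that domain treats periods as significant. A screening process would typically pair this with rate limits and manual review rather than rejecting outright, since a legitimate user can also reuse a `+tag` address.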

The bottom line: Business email compromises reported to the FBI cost firms more than $1.2 billion in the United States alone in 2018, double the proceeds of 2017.

Go deeper: A look inside a Nigerian email scam group active since 2008