Federal prosecutors in Virginia are charging four individuals for a wide-ranging scheme to defraud businesses, first by hacking into their email or networks and then impersonating trusted third-party vendors in order to collect on unpaid bills.
According to court documents, prosecutors are seeking to charge Anthony Ayeah, Onyewuchi Ibeh, Mouaaz Elkhebri and Jason Joyner with conspiracy to commit wire fraud, alleging the individuals worked together over three years to target businesses “small and large in various industries” both in the United States and other countries in a business email compromise scheme.
In an affidavit filed in August, U.S. Secret Service special agent Ethan Papish said the Secret Service and U.S. Postal Service opened an investigation into the group’s activities in 2019, while the charges capture fraudulent schemes impacting multiple businesses between Jan. 1 2018 and March 31, 2021. The group is accused of using phishing and social engineering schemes to gain access to the network and email services of victim businesses, where they would then conduct reconnaissance and target individuals at the company who worked in finance or were responsible for paying third party vendors.
The group then identified outstanding payments or invoices the victim company had with other entities and created typosquatted email domains to impersonate the vendor or business. Before asking to settle the bill, they would pass along “updated” banking information that would reroute the money to special bank accounts they had created.
“The conspirators targeted employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to legitimate business partners, when in fact, the money was fraudulently misdirected and deposited into accounts controlled by the conspirators,” Papish wrote to the court.
It’s not clear just how much money the group may have been able to steal over the last three years, but each victim business listed in the court documents reported individually losing hundreds of thousands of dollars in the exchange.
Papish’s affidavit details at least $854,835 stolen from four separate victim companies, while an indictment filed against Ibeh in September lists five victim companies and at least $1,031,596 in fraudulent payments. In addition to conspiracy to commit wire fraud, Ibeh is also being charged with ten separate counts of unlawful monetary transactions.
Ibeh is thus far the only one to be formally indicted. Court records indicate that the judge granted a request from prosecutors (with the consent of defendants) to extend the deadline for indicting Ayeah, Elkhebri and Joyner to Oct. 11 due to “the complexity and nature of the case, including the need to facilitate and review discovery with multiple defendants and defense counsels.”
Ibeh and his lawyers declined to join the motion. He was indicted Sept. 9 and arraigned in a hearing Sept. 24. His attorney, Robert Lee Jenkins Jr., told SC Media in a phone call that his client submitted a not guilty plea to the charges and demanded a jury trial that was set For Jan. 31, 2022.
He also said his client did not waive his rights to a speedy trial or join the motion to extend the deadline because he saw “no tangible benefit" in the move.
“I find it to be of no value to my client to agree to give the government additional time to have an indictment returned against him and compliance with the speedy trial parameters,” said Jenkins Jr. in a phone call. “In this case, I did not identify any tangible benefit to Mr. Ibeh by waiving his rights to have an indictment returned within thirty days."
Such schemes, referred to as “business email compromise,” often don’t get nearly the amount of attention or public awareness as ransomware and other forms of cybercrime, but the cumulative losses to businesses and individuals every year often dwarf what is seen in almost all other areas of digital crime.
According to the latest annual internet crime report from the FBI, they helped fuel a record account of complaints reported to authorities by the American public in 2020, with 19,369 complaints and adjusted losses of $1.8 billion attributed to BEC schemes alone.
The tactic of targeting finance employees and impersonating vendors or suppliers to collect on unpaid bills highlights the specific danger that many businesses face when dealing with or paying their third-party suppliers.
Robert Holmes, vice president and general manager of email fraud defense at Proofpoint, told SC Media that while still very effective, exploiting a victim’s trusted suppliers has become far more commonplace in email-related fraud in recent years, particularly when they can be paired with credential phishing attacks that allow for stealthy observation of companies for weeks or months leading up to an operation.
“Over the past few years, BEC has become way, way, way more sophisticated in terms of how targeted it is, and the reason for that is because [criminals are] putting to good use compromised accounts,” Holmes said. “I can conduct unfettered research. In terms of the kill chain and reconnaissance phase, I can get really deep insights into who you communicate with, who you do business with, who you make payments to…and more than that, I can leverage that compromised identity to drill down even further.”
It’s not just businesses that are in the crosshairs for these kinds of tactics: a flash alert issued by the FBI earlier this year warned that since 2018, BEC actors have been increasingly targeting state, local, tribal and territorial governments with “spoofed emails, phishing attacks, vendor email compromise, and credential harvesting techniques to manipulate payment or direct deposit information.” Unlike many private companies, transparency requirements for many state and local governments often require publicly available records on leadership and hierarchy, vendor relationships, associated contractors and other public records that can be used to conduct reconnaissance and carry out targeted attacks without needing network or email access.
Despite the scale of the operation and total losses, the alleged perpetrators made several mistakes that appears to have led law enforcement straight to their doors.
The group diverted the money to different sources, sometimes through accounts opened in their own names at local branches of major banks, other times through shell companies. According to prosecutors, an unnamed, uncharged co-conspirator set up and incorporated a Maryland company in October 2018 that absorbed hundreds of thousands of dollars in payments that sometimes matched -- down to the dollar -- the amount defrauded from certain victim businesses. Some of the transfers even included descriptions with the victim’s name. Prosecutors list at least five unchanged co-conspirators who helped open or manage accounts related to the scheme.
Subpoenas to Wells Fargo and Bank of America turned up IP addresses for numerous bank accounts that were created using the defendant’s own names or companies they had started specifically to receive the stolen money. Internet service provider records tied four IP addresses used to access the accounts to an unnamed individual, one of which traced back to a residence where the individual and Ibeh live together and three that tied back to a former residence of Individual 1.
While these slip ups likely demonstrate the amateur nature of the group's operations, Holmes said it also underscores how trivial it can be for even unsophisticated cybercriminals to successfully defraud businesses using a phishing kit, low-grade malware, research and patience.
The fact that all the companies involved didn’t have additional controls in place for large expenditures or independently verify the change with their business partners, despite being told they needed to send hundreds of thousands of dollars to a different account, speaks to the ease with which criminals can exploit the level of implicit trust that often underpins many business transactions every day.
That’s especially true when spoofed emails can reference accurate figures or details, like invoice numbers, for specific payments.
“So long as there are people involved, people are eminently hackable, so if your process is not technology based…they can all be duped,” said Holmes, later adding. “I think it really does speak to the fact that this is easy. Anyone can do it.”