Threat Management, Malware

Don’t be like ‘Mike’: Authorities arrest mastermind of $60M online scam operation

A 40-year-old Nigerian national and alleged online scam artist, accused of bilking his victims out of more than $60 million, was arrested in Port Harcourt, Nigeria in a joint operation involving Interpol and the Nigerian Economic and Financial Crime Commission (EFCC).

Referred to simply as “Mike,” the alleged cybercriminal faces charges in Nigeria that include hacking, conspiracy and obtaining money under false pretenses. An unnamed 38-year-old accomplice was also taken into custody under the same charges, according to an official press release today.

Multiple sources have reported that Mike, aka Chinaka Onyeali or Beasley Martyn, is specifically accused of masterminding a series of online fraud operations that include business email compromise (BEC) scams, 419 advanced fee fraud scams, Alibaba scams and romance scams.

The scams targeted small and medium businesses in the U.S., Australia, Canada, Malaysia, Romania, South Africa and Thailand, and in one case fleeced a target out of $15.4 million. Mike's operations were allegedly supported by at least 40 individuals in Nigeria, Malaysia and South Africa, as well as a money laundering network that stretched from China to Europe to the U.S.

Two cybersecurity firms, Trend Micro and Fortinet, provided INTERPOL with critical, actionable intelligence that helped advance the investigation against Mike, who was arrested in June.

Trend Micro in late 2014 provided investigators with a report detailing the command-and-control architecture of two keylogging spyware programs – Predator Pain and Limitless – that the criminal outfit allegedly used to gather intelligence on its victims. In the case of BEC scams, such intel is typically leveraged to craft highly targeted emails, designed to socially engineer business employees into wiring funds to fraudulent accounts. Typically, these emails contain the spoofed email addresses of suppliers or C-level executives, making them appear legitimate.

“The public, and especially businesses, need to be alert to this type of cyber-enabled fraud,” said Noboru Nakatani, executive director of Interpol's Global Complex for Innovation (IGCI) in Singapore, in the press release. “Basic security protocols such as two-factor authentication and verification by other means before making a money transfer are essential to reduce the risk of falling victim to these scams.”

In a statement emailed to SCMagazine.com and attributed to its researchers, Trend Micro explained that "We were able to track Mike through his own tools and techniques – we collected information about the malware he uses and its corresponding C&C infrastructure. We also relied on open-source intelligence (OSINT) to confirm connections between the information we were able to gather."

The statement continued: "Two years ago, BEC and CEO fraud [were] not well-known terms in the security industry.  Even more, a lot of people [were] thinking the guys behind BEC, 419 scams and romance scams [were] operating separately. Trend Micro's report to Interpol, however, debunked this notion by detailing how these actors conducted their business.

Fortinet further aided the investigation by assisting authorities with attack attribution efforts. “Attribution is the holy grail of cyber threat intelligence,” said Derek Manky, global security strategist at Fortinet, in an email interview with SCMagazine.com. “This cannot be attained in an automated way; rather, this was the concerted effort of big-data analysis combined with multiple senior-level researchers combing through the data, connecting the dots and performing additional research work to further follow the trail.”

The cybercriminals behind this operation regularly practiced “behavior blending,” added Manky, who defined the term as “a technique used by cybercriminals that allows them to blend in on a compromised network. For example, on a corporate network, the attacker may take on the behavior of an employee to avoid detection. Given this evasion technique has a lot of potential for thwarting detection, Fortinet expects to see more of it as it is refined and new tools are developed to better mimic the behavior of a credentialed target.”

Abdul Chukkol, Head of the EFCC's Cybercrime Section, praised the cooperative work of all parties in the press release. “For a long time we have said in order to be effective, the fight against cybercrime must rely on public-private partnerships and international cooperation,” said Chukkol.

“The success of this operation is the result of close cooperation between INTERPOL and the EFCC, whose understanding of the Nigerian environment made it possible to disrupt the criminal organization's network traversing many countries, targeting individuals and companies.”

UPDATE 8/2/16: This story was updated to include a statement from Trend Micro.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.