Business Email Compromise (BEC) , Email Security & Protection , Email Threat Protection

In Australia, Email Compromise Scams Hit Real Estate

Property Industry Has Been Caught Off Guard, Expert Says
In Australia, Email Compromise Scams Hit Real Estate
Alex Tilley, senior security researcher with SecureWorks, speaks at the AusCERT security conference on May 31.

Late last year in Australia, cybercriminals began targeting a fertile yet relatively poorly protected business sector for so-called business email compromise scams: the real estate industry.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The bounties are home deposits, bonds and settlements, says Alex Tilley, senior security researcher with Dell's SecureWorks Counter Threat Unit. Tilley gave a rundown of the complex criminal networks behind the scams at the AusCERT security conference in Gold Coast on Thursday.

"That's literally how you steal someone's life savings," Tilley says. "It's brutal."

According to a report released in May by the Australian Competition and Consumer Commission, or ACCC, losses from email compromise scams reached $22.1 million (US$16.5) million in 2017. The FBI estimates that since it first started tracking email compromises five years ago, worldwide losses are in the billions.

The scams, often initiated in Nigeria, use a network of money handlers and local bogus bank accounts to siphon and launder money in ways that can be difficult to track and recover.

A tale from the ACCC's report on scams in 2017.

The real estate industry has proven to be an attractive target for a few reasons, Tilley says. The home buying process relies on scheduled transfers between parties and legal firms involved in conveyances. Much of the communication occurs over email.

"The problem is it's a very target rich environment and not a lot of understanding yet," Tilley says. "They're not ready for this."

Credential Theft

The problems begin when the scammers either capture or guess login credentials for Outlook Web Access. Once inside an account, the scammers send a single test email and then pull out of the system for 30 days. Tilly says that is the default logging setting for OWA. After that period, the log for the initial intrusion is gone, and the scammer goes back in and pokes around an account.

Of particular interest to scammers are calendar entries that indicate when payments are scheduled to take place. Scammers also tend to set email rules to manipulate accounts, forward messages or obscure others.

If a house settlement is due to take place, the scammer sits in between the two parties, emailing each. When the time is right, the attacker substitutes their own bank account details for the legitimate ones.

The amounts transferred to a fraudulent bank account are high enough that the operators don't rely on random money handlers - called money mules -recruited from the internet. The amount of money stolen could be hundreds of thousands of dollars, which makes using random money mules too risky. Instead, the operator sends someone who is trusted, which Tilly calls a "near mule."

That mule actually travels to Australia to coordinate the cashout. When the money hits the account, Tilley says what follows is a complicated mixing routine to make the fraud hard to follow before eventually moving the money overseas.

With the bounty in one account, the mule then transfers portions of the money to other mules. They then exchange the money for U.S. dollars, euros and British pounds.

The currencies are then converted back to Australian dollars and consolidated into a single account before it's moved overseas, Tilly says. The order is usually shuffled every time to make it confusing for investigators.

Watches, Bags and...Legos?

Another option to avoid going through the money laundering routine is to buy goods. Watches and expensive bags are favored, as well as the staple child toy, Lego.

Why Lego? Tilly says that Lego is small, very light and quite valuable. It's also very popular in Eastern Europe. "Lego was the currency du jour," he says.

Tilley showed photos where analysts were able trace an individual scammer, who'd published photos indicating the spoils of ill-obtained wealth. Another scammer changed his BMW vehicle monthly for a new one, Tilley says.

"We all laugh at how basic this BEC [business email compromise] stuff is, but it is serious cash," Tilley says.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.