Authorities arrest Nigerian mastermind of $US60m online scam operation

A 40-year-old Nigerian national and alleged online scam artist, accused of bilking his victims out of more than $US60 million (£45m), was arrested in Port Harcourt, Nigeria in a joint operation.

The arrests were the result of multi-agency, private sector-police cooperation

A 40-year-old Nigerian national and alleged online scam artist, accused of bilking his victims out of more than $60 million (£45m), was arrested in Port Harcourt, Nigeria in a joint operation involving Interpol and the Nigerian Economic and Financial Crime Commission (EFCC).

Referred to simply as “Mike,” the alleged cyber-criminal faces charges in Nigeria that include hacking, conspiracy and obtaining money under false pretences. An unnamed 38-year-old accomplice was also taken into custody under the same charges, according to an official press release today.

Multiple sources have reported that Mike, aka Chinaka Onyeali or Beasley Martyn, is specifically accused of masterminding a series of online fraud operations that include business email compromise (BEC) scams, 419 advance-fee fraud scams, Alibaba scams and romance scams.

The scams targeted small and medium businesses in the US, Australia, Canada, Malaysia, Romania, South Africa and Thailand, and in one case fleeced a target out of $15.4 million (£11.5m). Mike's operations were allegedly supported by at least 40 individuals in Nigeria, Malaysia and South Africa, as well as a money laundering network that stretched from China to Europe to the US.

Two cyber-security firms, Trend Micro and Fortinet, provided INTERPOL with critical, actionable intelligence that helped advance the investigation against Mike, who was arrested in June.

Trend Micro in late 2014 provided investigators with a report detailing the command-and-control architecture of two keylogging spyware programs – Predator Pain and Limitless – that the criminal outfit allegedly used to gather intelligence on its victims. In the case of BEC scams, such intel is typically leveraged to craft highly targeted emails, designed to socially engineer business employees into wiring funds to fraudulent accounts. Typically, these emails contain the spoofed email addresses of suppliers or C-level executives, making them appear legitimate.

“The public, and especially businesses, need to be alert to this type of cyber-enabled fraud,” said Noboru Nakatani, executive director of Interpol's Global Complex for Innovation (IGCI) in Singapore, in the press release. “Basic security protocols such as two-factor authentication and verification by other means before making a money transfer are essential to reduce the risk of falling victim to these scams.”

In a statement emailed to SCMagazine.com and attributed to its researchers, Trend Micro explained, "We were able to track Mike through his own tools and techniques – we collected information about the malware he uses and its corresponding C&C infrastructure. We also relied on open-source intelligence (OSINT) to confirm connections between the information we were able to gather."

The statement continued: "Two years ago, BEC and CEO fraud [were] not well-known terms in the security industry. Even more, a lot of people [were] thinking the guys behind BEC, 419 scams and romance scams [were] operating separately. Trend Micro's report to Interpol, however, debunked this notion by detailing how these actors conducted their business."

Fortinet further aided the investigation by assisting authorities with attack attribution efforts. “Attribution is the holy grail of cyber-threat intelligence,” said Derek Manky, global security strategist at Fortinet, in an email interview with SCMagazine.com. “This cannot be attained in an automated way; rather, this was the concerted effort of big-data analysis combined with multiple senior-level researchers combing through the data, connecting the dots and performing additional research work to further follow the trail.”

The cyber-criminals behind this operation regularly practiced “behaviour blending,” added Manky, who defined the term as “a technique used by cyber-criminals that allows them to blend in on a compromised network. For example, on a corporate network, the attacker may take on the behaviour of an employee to avoid detection. Given this evasion technique has a lot of potential for thwarting detection, Fortinet expects to see more of it as it is refined and new tools are developed to better mimic the behaviour of a credentialed target.”

Abdul Chukkol, head of the EFCC's cybercrime section, praised the cooperative work of all parties in the press release. “For a long time we have said in order to be effective, the fight against cybercrime must rely on public-private partnerships and international cooperation,” said Chukkol.

“The success of this operation is the result of close cooperation between INTERPOL and the EFCC, whose understanding of the Nigerian environment made it possible to disrupt the criminal organisation's network traversing many countries, targeting individuals and companies.”