Europol and friends bust MiTM malware gang

European law enforcement has cracked down and arrested members of a cyber-fraud gang, which stands accused of using social engineering and malware to steal more than £4 million from several large organisations.

Europol and friends bust MiTM malware gang
Europol and friends bust MiTM malware gang

Various law enforcement agencies worked together in a joint international investigation on Tuesday, which ultimately resulted in the arrest of 49 suspected gang members, the search of 58 properties, and the capture of laptops, hard disks, telephones, tablets, credit cards, cash, SIM cards, memory sticks, forged documents and bank account documents.

The investigation was co-ordinated by Europol's European Cyber-crime Centre (EC3) and Eurojust and was led by the Italian Polizia di Stato (Postal and Communications Police), the Spanish National Police and the Polish Police Central Bureau of Investigation. UK law enforcement bodies also assisted, while Europol says that its J-CAT team played a key role in the investigation.

This collaboration took place at Europol's EC3 co-ordination centre in The Hague in the Netherlands, where law enforcement representatives came together to exchange information and ideas. There were also Europol specialists providing operational support on the ground in Italy and Spain.

The group of cyber-criminals are said to have stolen €6 million (£4.35 million) from several European organisations “within a very short time”, and supposedly had members active across the UK, Spain, Poland, Belgium and Georgia.

The gang is believed to have infected businesses by using a mix of social engineering and Man-in-the-Middle (MiTM) malware attacks. Once they were able to access victim companies' corporate email accounts, the offenders would then monitor internal communications to detect payment requests.

The criminals would then ask the company's customers to send their payments to bank accounts which they controlled. These payments were immediately cashed out through different means, with the suspects – mainly from Nigeria, Cameroon and Spain, transferring the money outside the EU via a “sophisticated network of money laundering transactions.”

Speaking to SCMagazineUK.com earlier today, BH Consulting managing director and Europol advisor Brian Honan, said that the news was “another fine example” of how Europol EC3 continues to act as a hub  for law enforcement to work together on cases which span many different jurisdictions.

“Working together in a coordinated takedowns of criminal gangs will have bigger impacts than individual law enforcement agencies tackling cyber-criminals in their own jurisdiction,” said Honan, who also praises J-CAT's effectiveness in identifying cases, and developing action plans to target identified groups.

On the manner of these attacks, Honan added: “We have seen a number of our clients targeted in similar scams. It is a classic scam where criminals use corporate identity theft as a means to steal money from other companies.

“As with all cases of cyber-crime the blame lies with those that commit the crime and not the victims. Victims can reduce the likelihood of falling victim to these types of attacks by ensuring their anti-virus software is up to date, by having their systems patched with the latest updates, and by ensuring staff are given proper security awareness training. In this particular scenario, companies should have procedures in place to verify with their customers and suppliers when banking details, in particular electronic banking details, are changed.”

Charlie McMurdie, senior cyber-crime advisor at PwC, told SC that the news was not surprising, not least because Europol has been enhancing its own capabilities, via more collaboration, more aggregation of data and more building up cases from the ground-up. “It just makes sense that all these resources are pulled together.”

“There are loads of these types of issues going on across all sectors,” added McMurdie, who cited similar incidents in motoring and construction industries.

“It's fairly simple, it's a bit of social engineering and bit of malware, and the money goes from ABC to DEF instead. It's becoming more targeted, but I wouldn't say it's the most sophisticated of cyber-crimes.”

McMurdie continued that MiTM attacks like these, where tracking the money becomes important, often see law enforcement become involved at an early stage. The same, she says, applies to incidents that may be reported and acted upon by the ICO.

However, McMurdie – former head of the Met Police Central e-crime Unit (PCeU) – said that many firms were falling down on governance, policy and training, although she noted that banks are improving at flagging suspicious dormant accounts, where the money is often transferred in and out of very quickly.

This was the case with the 2013 KVM hack on Barclays on Santander, and she gave an example of how a hacker with  millions in one bank account may seek to draw it out quickly by making big commodity purchases in Knightsbridge, London.

“It's high-volume, fast-time expenditure…they turn it into other commodities or goods but this cash-out can bring opportunities for law enforcement,” she added.

Europol and the the National Crime Agency didn't reply to our request for comment at the time of writing.