A Nigerian man living in the United Kingdom has been sentenced to 10 years for his role in a phishing scam that snatched more than $20 million from over 400 would-be home buyers in the US, including some savers who lost their entire nest eggs.
Late last week, the US Department of Justice confirmed that 33-year-old Babatunde Francis Ayeni pled guilty to conspiracy to commit wire fraud through “a sophisticated business email compromise scheme targeting real estate transactions” in the US.
To seize large down payments on homes, Ayeni and co-conspirators sent phishing emails to US title companies, real estate agents, and real estate attorneys. When unsuspecting employees clicked malicious attachments and links, a prompt appeared asking for login information that was then shared with the hackers.
Once the hackers were in, they could monitor their emails “for transactions where a buyer was scheduled to make a payment as part of a real estate transaction,” then swoop in to send wiring instructions to transfer funds to compromised accounts instead, the DOJ said. To help cover their tracks, co-conspirators then converted the money into Bitcoin on Coinbase.
The scam was seemingly uncovered after co-conspirators targeted a real estate title company in Gulf Shores, Alabama. More than half of the victims were unable to reverse the wire transactions. According to The Record, two victims who shared impact statements in court lost more than $114,000, including a man who “tried to buy his elderly father a home following a Parkinson’s diagnosis.”
An international coalition of police agencies has taken a major whack at criminals accused of running a host of online scams, including phishing, the stealing of account credentials and other sensitive data, and the spreading of ransomware, Interpol said recently.
The operation, which ran from the beginning of April through the end of August, resulted in the arrest of 41 people and the takedown of 1,037 servers and other infrastructure running on 22,000 IP addresses. Synergia II, as the operation was named, was the work of multiple law enforcement agencies across the world, as well as three cybersecurity organizations.
A global response
“The global nature of cybercrime requires a global response which is evident by the support member countries provided to Operation Synergia II,” Neal Jetton, director of the Cybercrime Directorate at INTERPOL, said. “Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime. INTERPOL is proud to bring together a diverse team of member countries to fight this ever-evolving threat and make our world a safer place.”
Among the highlights of Operation Synergia II were:
Hong Kong (China): Police supported the operation by taking offline more than 1,037 servers linked to malicious services.
Mongolia: Investigations included 21 house searches, the seizure of a server and the identification of 93 individuals with links to illegal cyber activities.
Macau (China): Police took 291 servers offline.
Madagascar: Authorities identified 11 individuals with links to malicious servers and seized 11 electronic devices for further investigation.
Estonia: Police seized more than 80GB of server data, and authorities are now working with INTERPOL to conduct further analysis of data linked to phishing and banking malware.
The three private cybersecurity organizations that were part of Operation Synergia II were Group-IB, Kaspersky, and Team Cymru. All three used the telemetry intelligence in their possession to identify malicious servers and made it available to participating law enforcement agencies. The law enforcement agencies conducted investigations that resulted in house searches, the disruption of malicious cyber activities, the lawful seizures of servers and other electronic devices, and arrests.
Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft’s Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.
The DCU is fueled, of course, by Microsoft’s massive scale and the visibility across the Internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.
In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.
The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.
The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.
“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”
The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.
Still, the DCU’s particular progression was the result of Microsoft’s unique dominance during the rise of the consumer Internet. As the group’s mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU’s unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.
“There’s simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”
Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.
“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.
“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”
