Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.

Although the FBI's Internet Crime Complaint Center (IC3) developed a Recovery Asset Team has made a difference in reducing losses caused by BEC scams, now there are more fraudsters than ever.

Since its establishment in early 2018, IC3's asset recovery team has recorded a success rate of 75% for the incidents it investigated, retrieving over $192 million in funds misdirected in BEC scams.

More BEC scammers, high-tech sector most targeted

BEC is a global threat, but there is one place where making money through this type of fraud is the norm. This type of activity is rife in Nigeria, home of the infamous 419 email scam (the prince is still looking for someone to help move his wealth out of the country).

Palo Alto Networks' Unit 42 has been monitoring the Nigerian cybercrime since 2014 and documented its evolution into using malware for reaching the financial goal.

In 2017 there were around 300 unique actors or groups engaged in BEC fraud, and the next year the number grew to over 400. The researchers track them under the code name SilverTerrier.

With swelling their numbers, activity from SilverTerrier also surged last year, by 54% compared to 2017. This translates into a monthly average of 28,227 attacks Unit 42 saw aimed at its customers.

High-tech was the most targeted industry, with over 120,000 attacks recorded last year, up from 46,000. Moving behind at a rapid speed is the wholesale sector, which faced four times more attacks, around 80,000.

Coming in third on the list of BEC targets is the manufacturing industry, where the gain was to 57,000 attacks from 32,000 in 2017.

Use of info stealers still strong

SilverTerrier launched about 1.1 million attacks in the past four years and the number of malware samples attributed to these actors passed the 51,000 mark.

Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks but a shift towards remote access trojans (RATs) is now visible.

Unit 42 identified ten strains of info-stealers popular with SilverTerrier: AgentTesla, Atmos, AzoRult, ISpySoftware, ISR Stealer, KeyBase, LokiBot, Pony, PredatorPain, and Zeus.

All of them are easy to configure and hold capabilities that align with the fraudsters' purposes. To keep them under the antivirus radar, Nigerian actors techniques use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.

"Across the ten tools, Nigerian actors produced an average of 1000 unique samples of malware per month in 2018," the researchers say in their report, highlighting that this is actually 26% less than observed in the previous year.

The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month). For these, the actor created a monthly average of 446, 330, and 95 unique samples.

RATs more often seen in BEC scams

The use of RATs is not as common with these fraudsters. On average, there were 533 unique samples per month but this figure represents a 36% bump over 2017.

This detail "suggests that Nigerian actors are moving away from legacy information stealers in favor of remote administration tools which provide greater capabilities to achieve their goals," the researchers say.

The top 10 of the RATs used in Nigerian BEC scams is formed by NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind, and Hworm.

With an average of 125 unique samples per month, NanoCore was the most frequently seen RAT employed by SilverTerrier actors in 2018 (fun fact: developer behind NanoCore was arrested in 2017, but cracked versions are in use).

DarkCommet and Netwire were also a common sight for the researchers, averaging 86 and 85 unique strains per month. A new occurrence was Hworm, which was first seen in SilverTerrier attacks in 2018 despite being available since 2013.

Malware-assisted BEC scams have a better chance of success. The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account. They can also sell the data to interested parties.

In 2017, security researcher MalwareHunter estimated that Nigerian cybercriminals had access to volumes of data measured in petabytes, and included everything from personally identifiable information to business contracts, Excel spreadsheets, CAD design files, and proprietary information (software included).

It's all about the lucky breaks

In a report this week, Verizon argues that the efforts of IC3's Recovery Asset Team make BEC scams less profitable than they used to be a couple of years back. Through their intervention, half of all U.S.-based businesses that fell victim to this type of fraud had 99% of the money recovered or frozen.

IC3's money recovery division achieved this by working with the destination banks. The team failed to recover the money in 9% of the cases. IC3 received a total of 351,936 BEC complaints last year and the losses exceeded $2.7 Billion.

Verizon's data also shows that the median value of the financial loss to BEC events was $24,439 - calculated from 18,606 incidents.

That success rate is not a deterrent for BEC scammers, as they know that one lucky break, no matter how rare, comes with a high return on investment. And Unit 42's research shows that the threat actor simply chose to increase their activity.

To help with the fight, Unit 42 makes available a list with over 18,000 malware domains associated with business email compromise fraud.