Businesses targeted in email scams don’t always have to play the victim. They can actually fight back.
Researchers at Dell SecureWorks have documented how they identified a suspected email scammer from Nigeria by essentially playing along with the scheme to fool the attacker into revealing his true whereabouts.
Anyone can use these tips, said Joe Stewart, director of malware research at SecureWorks. “We’re letting [the scammers] give us all the information about themselves,” he said.
The email scheme involved a fraudster impersonating a CEO in what’s called a business email spoofing attack. The goal is often to trick a victim into wiring funds to the scammer’s bank account.
Although a business can train its employees to learn how to spot these suspicious emails, that won’t necessarily stop the attack, especially since it’s easy for anyone to continually bombard a victim with emails, SecureWork said.
Instead, a business’ IT security staff can fight back and disrupt the scammer’s operations. They can do this, by first replying to an email scam and pretending to act like a gullible victim.
This was how SecureWorks managed to eventually identify an email scammer from Nigeria that targeted a U.S. technology company in November. SecureWorks was brought in to investigate and decided to fool the fraudster into thinking his scheme had worked.
The scammer had tried to trick the technology firm into wiring funds to a bank account by impersonating its CEO. SecureWorks pretended to comply, which caused the scammer to turn greedy.
“He started asking for $18,000,” said James Bettke, a SecureWorks researcher. “And then after that, he said, ‘Oh that’s a typo. It’s a $118,000.’”
To try and identify the scammer, SecureWorks decided to email back a PDF-based receipt, indicating the wire transfer had been complete. In reality, the receipt was a decoy that when clicked on, sent off the recipient’s IP address and other web browser information.
The researchers found that their scammer was using an internet service provider in Lagos, Nigeria, and was viewing the receipt on an iPhone.
SecureWorks continued to play a gullible victim, by claiming the wire transfer had failed. That forced the scammer to hand over details to other bank accounts. The researchers then took that information and notified the responsible bank that these accounts were being used for fraud, shutting them down.
To find out more about the scammer, the researchers sent another decoy receipt of a wire transfer that forced the recipient to enter a legitimate mobile phone number to view the form.
The scammer fell for the ruse. Using Facebook, the researchers found that the entered phone number was tied to a user named “Seun,” which the researchers believe is a real account.
“We know who he is,” Stewart said. “We could report him to the EFCC (The Economic and Financial Crimes Commission in Nigeria). But he didn’t get away with any money.”
So instead, SecureWorks is publicizing information about the fraudster’s scams, including the email addresses he used.