Three members of a cybergang who are part of a larger organized group involved in business email compromise (BEC) attacks were arrested in Lagos, Nigeria.
Cybersecurity company Group-IB had been tracking the gang since 2019 and assisted Interpol, which had been investigating for almost a year under the code name Operation Falcon.
The Nigerian Police Force arrested the three suspects after its cybercrime unit analyzed electronic devices belonging to them, determined their involvement in cybercriminal activity, and identified data stolen from at least 50,000 victims.
It was reported that the gang, tracked as TMT, targeted around 500,000 organizations from the private and government sectors in more than 150 countries.
Interpol said that the three suspects are alleged to have developed phishing links, domains, and mass mailing campaigns in which they impersonated representatives of organizations.
This helped them distribute at least 26 different malicious programs to victims, including information-stealing malware (AgentTesla, Azorult, Loki, Pony) and remote access tools such as NanoCore, Remcos, and NetWire.
These tools are used by Nigerian threat actors specializing in BEC scams and are either freely available or widely accessible on cybercriminal forums for low prices.
The FBI’s Internet Crime Complaint Center received around 24,000 complaints about this type of attack last year, with estimated losses of $1.7 billion.
BEC scammers use malware to collect sensitive information, which is then used to conduct the fraud, for example by tricking companies into making payments to bank accounts controlled by the attackers.
Sometimes the attackers also change the payment details so that the victim company transfers the money to their account, while other BEC scammers turn to social engineering and trick the organization into paying for a fake order.
According to Group-IB, TMT would impersonate legitimate companies in phishing emails disguised as purchase orders, product inquiries, and messages related to Covid-19.
The scammers wrote their messages in several languages, such as English, Russian, and Spanish.
They automated the email sending process using the Gammadyne and Turbo mass mailers, which are advertised as email marketing tools, and checked whether recipients opened the message using the MailChimp automation platform.
TMT also used previously compromised inboxes to send out a new set of phishing emails.
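The campaign traits described above (a display name that claims a real organisation while the sending domain is someone else's, a payment-details-change pretext, replies redirected elsewhere, and an open-tracking image to confirm the message was read) are all visible in the message itself. The following triage script is an added example written for this article; it is not code from Group-IB, Interpol or the investigation. The brand-to-domain mapping, the pretext phrase list and both sample messages are constructed for the example, and the checks are heuristics a mail gateway or SOC analyst could run on a suspicious message, not a verdict on their own.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed mapping of brand names (as they appear in display names) to the
# domain the genuine organisation sends from. Assumed data for this example.
KNOWN_BRANDS = {
    "acme supplies": "acme-supplies.example",
}

# Phrases typical of the "our payment details have changed" pretext described
# in the article. Heuristic, not exhaustive.
PAYMENT_CHANGE_PHRASES = (
    "bank details have changed",
    "updated payment details",
    "new bank account",
    "new account details",
)

# Constructed sample: lookalike sending domain, Reply-To on a third domain,
# payment-change pretext and a remote 1x1 open-tracking image.
SAMPLE_PHISH = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies-billing.example>
Reply-To: payments@mail-forward.example
To: ap@victim-corp.example
Subject: Updated payment details for purchase order PO-4471
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please note our bank details have changed. Updated invoice attached.</p>
<img src="https://track.example/o/abc123.gif" width="1" height="1">
</body></html>
"""

# Constructed sample: the same supplier writing from its genuine domain.
SAMPLE_LEGIT = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.example>
To: ap@victim-corp.example
Subject: Invoice for purchase order PO-4471
Content-Type: text/plain; charset="utf-8"

Please find attached the invoice for PO-4471. Payment terms as agreed.
"""


def domain_of(address_header):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def find_tracking_pixels(html):
    """Return src URLs of remote <img> tags sized 1x1 or smaller (open beacons)."""
    pixels = []
    for tag in re.finditer(r"<img\b[^>]*>", html, re.I):
        tag_text = tag.group(0)
        src = re.search(r'src=["\']([^"\']+)', tag_text, re.I)
        width = re.search(r'width=["\']?(\d+)', tag_text, re.I)
        height = re.search(r'height=["\']?(\d+)', tag_text, re.I)
        if not (src and width and height):
            continue
        tiny = int(width.group(1)) <= 1 and int(height.group(1)) <= 1
        if tiny and src.group(1).lower().startswith("http"):
            pixels.append(src.group(1))
    return pixels


def bec_indicators(raw_message, known_brands=KNOWN_BRANDS):
    """Return the list of indicator names found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    indicators = []

    display_name, _ = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(msg["From"])

    # 1. Display name claims a known organisation, sending domain is not theirs.
    for brand, legit_domain in known_brands.items():
        if brand in display_name.lower() and from_domain != legit_domain:
            indicators.append("display-name-impersonation")
            break

    # 2. Replies are steered to a domain other than the sender's.
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to-mismatch")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()

    # 3. Pretext: the sender's payment details have changed.
    if any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES):
        indicators.append("payment-details-change")

    # 4. Remote open-tracking image, used to confirm the message was read.
    if find_tracking_pixels(body):
        indicators.append("tracking-pixel")

    return indicators


if __name__ == "__main__":
    print("phish:", bec_indicators(SAMPLE_PHISH))
    print("legit:", bec_indicators(SAMPLE_LEGIT))
```

Run on the constructed phishing sample the script reports all four indicators; on the genuine-looking sample it reports none. A single hit (a tracking pixel alone is common in legitimate marketing mail) is weak evidence, which is why the function returns the full list rather than a boolean and leaves the scoring to the caller.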
TMT is a well-organized gang with multiple sub-groups performing various tasks.