Threat Research

Business Email Scam: How Much Does a Million Dollar Cost?

By Roland Dela Paz | January 27, 2016

Earlier this month, the Daily Mail published an article regarding foreign crime gangs stealing millions through hacking email accounts of house buyers and sellers. The con is simple - use malware to steal email credentials, study the content of compromised emails, and then use the collected information to social-engineer your way into siphoning out victims' money.

Business email scam, otherwise referred to as business email compromise (BEC) scam, has been around for a while now in different forms. Historically, we have seen the same tactic used against businesses, e-commerce users and company CEOs, among others. In this blog post, we will explore the cost of running business email scam attacks, from the perspective of fraudsters, in the hopes of understanding why such scams are so widespread today.

Why the heck are there so many of them?

The answer is pretty straightforward—running business email scam is cheap. At the minimum, cybercriminals need the following services to perpetrate such an attack:

  1. Leads – target email addresses subject to malicious spamming.
  2. Mail bombers – a service that cybercriminals use for mass-mailing their leads with malware. It can come in the form of Simple Mail Transfer Protocol (SMTP) bomb, Remote Desktop Protocol (RDP) of compromised servers or PHP mailers.
  3. Malware – keyloggers or Remote Administration Tools (RAT) that will be used to steal email credentials.
  4. Crypters – a service or tool used for obfuscating malware binaries to avoid anti-virus detection.
  5. Web Hosting – a service that cybercriminals use to set up command and control servers for receiving data stolen by malware.
  6. Virtual Private Network (VPN) – a service that enables cybercriminals to fake their IP address in order to appear from the same location as their victim. This allows them to successfully log in to a compromised email account without being flagged or asked with security questions.
  7. Money laundering contacts – people who assists the fraudsters in setting up phony bank accounts for receiving and laundering stolen money.

With these services in place, the rest is labour for the crooks to discretely monitor compromised accounts and make sure on-going payments are diverted to their purse. But how much do these services cost really?

Below you can find an advertisement of leads and mail bombers for sale from an underground forum. It can be seen that 100K used email leads is available for only $20 and a mail bomber is sold for $25:

Figure 1. Leads and mail bomber advertisement from an underground forum

In fact, specific email targets are also available for sale. The following advertisement, for instance, sells email addresses of company executives:

Figure 2. Leads advertisements for specific targets

On the other hand, cheap off-the-shelf malware are commonly used by perpetrators of business email scam. The following image shows the Desktop of a cybercriminal involved in business email scam. He is using an off-the-shelf, cross-platform Java RAT called JSocket to steal email credentials of potential victims:

Figure 3. Screenshot of a fraudster’s desktop using JSocket

The membership fee for using JSocket RAT is relatively cheap:

Figure 4. Pricelist of JSocket packages

JSocket RAT comes with free, built-in obfuscation. However, some RATs do not have this feature by default and therefore require Crypters to be undetected by anti-virus products. Below is a pricelist of a Windows portable executable (PE) file crypter called Abyss Protect:

Figure 5. Pricelist of Abyss Protect crypter

Additionally in Figure 3 above, we can see that the JSocket client provides a Graphical User Interface (GUI) to its users for controlling affected machines and collecting stolen data. Other types of crimeware require cybercriminals to set-up a File Transfer Protocol (FTP) site or email account in order to receive stolen information. In which case, a web hosting service is required.

Below is a screenshot of a shady web hosting service price-list, in Nigerian Naira, that allow cybercriminals to host malicious content without being suspended. For business email scam schemes, a basic web-hosting plan is typically enough for conducting the attack:

Figure 6. Pricelist of a malicious web hosting service

Meanwhile, current top VPN services are averaging $10 per month with prices dropping to as low as $2.08 dollars for yearly subscriptions.

Let’s do the Math!

Based on the prices of the abovementioned services, we can estimate the operational investments for business email scam operators:

Table 1. Computation of business email scam operational cost

As we can see from Table 1, the estimated monthly operational cost of running business email scam is only $120.36 while the annual cost is less than a thousand. That is not much; especially when you put into perspective the hefty amount of money being stolen year after year. In a previous report, the FBI estimates losses from business email scam exceeding $740 million from victims within the United States alone.

But wait! $939.50 is still a lot of money for a fraud campaign that does not guarantee revenue for crooks, I hear you say…

In fact, we have seen seasoned fraudsters employ various workarounds to lower their operational cost. Below are some of them:

  • Collecting email addresses from the Internet instead of buying them.
  • Using compromised email accounts to spam malware.
  • Signing up for Web Hosting free trials using different fake identities.
  • Using cracked or free malware and crypters.
  • Using free VPN services.

While the above techniques provide them less reliable services and thus reduce the effectiveness of their campaigns, it can also potentially reduce their operational cost to $0. Likewise, with the right execution, they can still be successful in swindling money using this setup.

Finally, fraudsters typically use the service of money launderers in order to collect a hi-jacked payment successfully without being traced. In a money-laundering-as-a-service scheme, launderers take a pre-agreed percentage of the hi-jacked money as their payment. As such, money laundering payments are typically not part of fraudsters’ operational investments.

Conclusion

This blog intends to provide additional perspective on why the situation of the business email scam is what it is today and why it will likely stay for a very long time. It’s a lucrative scam for a fairly cheap investment.

Email gateways, intrusion prevention systems and anti-virus products helps prevents email compromise from malware. In addition, the compromise may also originate from the other party you are dealing with. It is therefore important that multiple measures in verifying the identity of other parties involved in a financial transaction be applied by organizations and individuals alike. This may include strict money disposal guidelines, using a secret passphrase between two parties or physical verification.

We hope that this post will help engender extra vigilance to us when doing financial transactions with external parties. In the cybercrime age, a million dollar becomes cheap. For the bad guys, that is.

-=FortiGuard Lion Team=-