Nigerian ‘Entrepreneur’ Washed $11m from Unatrack Holdings:

And it all started with a click. See also: 4 ways G Suite security could have handled it

Oscar Limoke
Pawa IT Solutions
5 min read, Aug 19, 2019

Disclaimer: This post contains links/hyperlinks to external web pages. I know this is very much how this hack was started, so mouse over and follow those links at your own discretion and risk. Do not click before you see (and agree with) where the link points to.

The news of the arrest of Obinwanne Okeke, a Forbes Africa Top 30 under 30 Nigerian millionaire, made headlines and set the trend across social media. Pictures of ridicule and disbelief were shared of the “Yahoo Boy”, a term used to describe internet fraudsters, particularly from Nigeria. A Google search of “Okeke FBI” would give you enough news, updates, and images to feed your appetite. I am no expert in Microsoft Office 365, but I am in G Suite, and I immediately thought of how this could have played out differently. But before we get there, let me give you a summary of how the fraud went:

“Okeke, a Yahoo Boy, sent an email to the CFO of Unatrac on 1 April 2018 (no fooling here) with a link to a URL/website that mimicked the Microsoft Office 365 logon page, and just like that, the CFO gave out the email account username and password. Once inside the CFO’s email account, the Yahoo Boy moved with speed, creating filters that made sure the CFO would “miss out on email correspondence” from colleagues. He created invoices and, acting as the CFO, sent the invoices to the internal finance team, who obliged and made payments into bank accounts of entities controlled by the Yahoo Boy. 15 payments were made between 10 April and 19 April 2018! And just like that, $11 million was gone. A simple and classic example of the fraud called Business Email Compromise. The FBI Affidavit makes for an interesting read.”

Away from the frenzy, two things caught my eye from reading the FBI Affidavit for Okeke’s arrest.

The first thing that caught my eye was how the “Yahoo Boys” antics have evolved: from enticing “small-time” get-rich-quick internet folks with promises of riches in exchange for smaller upfront payments, to daring to go after businesses and, most importantly, the people in those businesses who control money and payments! They are now far more sophisticated than that. They are polished and mingle with the wealthy and mighty in society and around the world. Okeke, a Forensics Criminology and International Counter-Terrorism graduate, no less, from Monash University, has/had an investment company, Invictus Group, with operations in three African countries: Nigeria, South Africa, and Zambia. He was named a Forbes top 30 under 30. He was covered by news outlets such as BBC Focus on Africa and even gave a TED Talk. Let that sink in! I kid you not.

The second and most important point is the ease with which the CFO’s O365 account was breached and accessed, and instructions were issued to wire money. I know there is both a corporate and a process issue here, but I will choose to focus on the technological part and how this could perhaps not have happened with a Google/G Suite account. I will highlight 3 instances and describe how Google/G Suite security could have “reacted”:

  • Login from a different IP/country: The Yahoo Boy accessed the CFO’s email/account from a Nigerian IP, a different IP from the one normally used by the CFO. This would trigger a “Google Login Challenge”. Away from the corporate network, each time a user accesses their account from a place/IP that is not “usual” for that user, Google Security activates a login challenge. This compels the user to enter some form of unique attribute, such as an employee ID or a known mobile number to which an SMS is sent.
Source: The University of Pennsylvania has nice literature on this: https://support.wharton.upenn.edu/help/google-login-challenge---how-when-and-why
  • A “Suspicious Account Login” alert to the company Super Admin, and/or the account being suspended. The Admin can use Google’s Alert Center to evaluate, isolate and study potentially suspicious emails and act accordingly.
Suspicious activity flagged and account suspended in my Google Admin domain.
  • Account and password security: Perhaps the last line of defense would have been applying and enforcing
  1. A password policy with frequent password changes, so that users must change their password after a given duration.
  2. 2-Step/Multi-factor authentication: after entering a password, users must provide a second authentication factor to verify their identity: https://www.google.com/landing/2step/
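The two signals described above, the login from an unfamiliar country and the new filters that hid colleagues’ mail, are what an admin would want to detect in the audit trail. Here is an added detection example (not from the original post, and not Google’s code): it runs two rules over constructed, G Suite-style audit events; the event fields, the home-country table and the `example.com` domain are assumptions.

```python
"""Flag a login from a country the user never uses, and a new Gmail
filter that hides mail from internal colleagues (the BEC trick above).
Added example: constructed event format, not a real G Suite export."""

# Assumed per-user "usual" country, as an admin might configure it.
HOME_COUNTRY = {"cfo@example.com": "GB"}
INTERNAL_DOMAIN = "example.com"
# Filter actions that make a user "miss out on correspondence".
HIDING_ACTIONS = {"archive", "delete", "mark_read", "forward"}

# Constructed sample events (not real logs); timestamps echo 1 April 2018.
EVENTS = [
    {"ts": "2018-04-01T09:02:00Z", "user": "cfo@example.com",
     "type": "login", "country": "GB", "ip": "203.0.113.10"},
    {"ts": "2018-04-01T14:10:00Z", "user": "cfo@example.com",
     "type": "login", "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2018-04-01T14:12:00Z", "user": "cfo@example.com",
     "type": "create_filter",
     "filter": {"from": "finance@example.com",
                "actions": ["archive", "mark_read"]}},
    {"ts": "2018-04-01T14:13:00Z", "user": "cfo@example.com",
     "type": "create_filter",
     "filter": {"from": "newsletter@vendor.example",
                "actions": ["label:News"]}},
]


def suspicious_filter(flt):
    """True when a filter hides mail from a sender in the company domain."""
    sender_domain = flt.get("from", "").rpartition("@")[2]
    hides = HIDING_ACTIONS.intersection(flt.get("actions", []))
    return sender_domain == INTERNAL_DOMAIN and bool(hides)


def detect(events, home_country=HOME_COUNTRY):
    """Return alert lines. A login from an unexpected country marks the
    user as 'challenged'; a hiding filter created afterwards is HIGH."""
    alerts, challenged = [], set()
    for ev in events:
        user = ev["user"]
        if ev["type"] == "login" and ev["country"] != home_country.get(user):
            challenged.add(user)
            alerts.append(f"{ev['ts']} login-challenge {user} "
                          f"from {ev['country']} {ev['ip']}")
        elif ev["type"] == "create_filter" and suspicious_filter(ev["filter"]):
            sev = "HIGH" if user in challenged else "MEDIUM"
            alerts.append(f"{ev['ts']} {sev} hiding-filter {user} "
                          f"from={ev['filter']['from']}")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

On the sample above, the first (home-country) login is silent, the Nigerian login raises a login-challenge alert, and only the filter that archives mail from the internal finance address is flagged, at HIGH severity because it follows the suspicious login.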

Bonus links to keep you safe

  1. There is actually a “Yahoo Yahoo” training school in Lagos, whose curricula and lectures are all about “Internet Fraud Activities”: https://www.msn.com/en-xl/africa/nigeria/fbi-arrests-forbes-under-30-nigerian-obinwanne-okeke-for-dollar12m-fraud-nigerians-react/ar-AAFVMc6
  2. This form of Business Email Compromise is called “Whaling”. See more in this TED Talk: https://www.youtube.com/watch?v=BpdcVfq2dB8&feature=youtu.be&t=11m55s
  3. G Suite Admins can enhance spam and phishing protection with G Suite advanced phishing and malware protection, which scans incoming email messages that contain attachments and URLs and lets the admin choose to display warnings to users or quarantine such emails: https://support.google.com/a/answer/9157861?hl=en&visit_id=637017978806068606-961034891&rd=1
  4. Aggressively applying SPF, DKIM, and DMARC, while blocking IPs, domains, and even individual email addresses, keeps the next Yahoo Boy at bay. Here is how to do it: https://medium.com/pawa-it/how-to-control-spam-within-g-suite-email-with-spf-and-dkim-84119bb56cc2
  5. See a report from the FBI on BEC attacks: https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
  6. Here is an email thread of an actual CEO fraud attack: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/here-is-an-email-thread-of-an-actual-ceo-fraud-attack/

Oscar Limoke
Pawa IT Solutions

Business Lead & Technical Support @pawa_it; Delivering the promise and delight of Cloud Solutions to biz/orgs across Africa.