A criminal splinter faction from a pirate symbology-obsessed Nigerian 'confraternity' has been running business email compromise scams for hundreds of thousands of dollars targeting the global maritime industry, according to security researchers who have been tracing the 'GOLD GALLEON' group and trying to derail its scams in real time.
Researchers from SecureWorks' Counter Threat Unit (CTU) explained to Computerworld UK how they raced to prevent a legitimate client of a small South Korean shipping company from signing off on a fraudulent claim for $325,585, and had successfully mitigated $800,000 of the $3.9 million in attempted fraud by the group.
A business email compromise (BEC) scam is a highly targeted attack designed to convince finance departments or C-suite executives to sign off on fraudulent invoices.
The attackers typically insert themselves in the middle of a legitimate business exchange using compromised email accounts, adding credibility to the attack, with the group in question even procuring a copy of a company's official invoice letterhead – by impersonating a client and asking for it.
The FBI recently estimated that by the end of December 2016, as many as 24,000 businesses fell victim to a BEC scam, costing a phenomenal $2 billion overall.
"What really stuck out about this group was that while most BEC groups tend to shift industry or change targets every few months, this group was specifically focused on the maritime shipping industry, and we couldn't figure out why until we started doing some recon," explains James Bettke of the SecureWorks CTU.
"And it turns out they've got an affiliation with this fraternity in Nigeria that sort of celebrates pirate symbology.
"We were joking that these guys are like pirates and only going after maritime – but after we did some reconnaissance, they would say certain phrases that when you started googling them, it turns out they were connected to this group called The Buccaneers."
Although a confraternity typically refers to a voluntary Christian organisation of lay people focused on charity, in Nigeria they bear more of a similarity to fraternities - or frat houses - in American universities.
But their origin in Nigeria is more political. The most famous group was the Pyrate Confraternity, also known as the National Association of Seadogs, formed by the future Nobel Prize in Literature winning author Wole Soyinka, along with six other friends and students – operating as a fraternity that was against class privilege and the elitist colonial-aristocratic establishment at the time in Nigeria.
The confraternity movement was eventually embroiled in violence during extremely tumultuous political periods in the country, and some of these were armed by military leaders in the 1980s as a check against student activist groups that were in opposition to military rule.
As the Economist notes, many student fraternities ultimately evolved into powerful, armed gangs – some of which corrupt politicians had been known to curry favour with even now. Perhaps most notoriously in 1999, the 'Black Axe confraternity' organised a death squad to massacre student leaders at the Obafemi Awolowo University tragedy.
A splinter group from the original Pyrates confraternity was the Buccaneers, who claim on their website to be concerned with social causes and distance themselves from the 'cult' terminology that has been used to describe some confraternities. The Buccaneers say they support charities such as the Red Cross Society, Diabetes UK, Cooks Children Hospital, and Sight Savers, while a blog post denies reports in a 2015 newspaper that someone was kidnapped and forced to join them.
A post from The Buccaneers' Facebook page
Now, GOLD GALLEON is, according to SecureWorks' CTU, likely an offshoot of the Buccaneers. Computerworld UK has emailed the Buccaneers Confraternity for comment but there has been no reply at the time of publication.
The GOLD GALLEON group uses similar tools, tactics and procedures (TTPs) to other BEC groups out there, typically using publicly available malware like inexpensive remote access trojans (RATs), crypters and email lures.
During the CTU's recon, it found that the group targets maritime shipping organisations, including smaller ones that provide ship management services, port services, and 'cash to master' services – a form of outsourcing where a 'cash to master' company meets a ship's crew when it comes into port, typically accompanied by armed guards, to pay them their wages in exchange for a service fee.
GOLD GALLEON appeared to identify target emails from looking at publicly available websites, and it also appeared to be using commercially available marketing tools to scrape email addresses – such as Email Extractor and BoxxerMail – as well as purchasing email address lists.
Once they gained access to a target's inbox, they also extracted all of that target's contacts – plus every email address that the target ever had an exchange with, using a free tool called EmailPicky.
After this initial recon, members targeted high-worth individuals with spearphishing campaigns, usually with a topic related to shipping. Attachments would deploy a RAT with keylogging capabilities. They used Predator Pain, PonyStealer, Agent Tesla, and Hawkeye – all available to buy online, with a basic version of Agent Tesla running for as little as $12.
Once they compromised an email, they would monitor inboxes for business transactions. They then inserted themselves into legitimate exchanges, submitting fraudulent invoices that would request payment to a mule account.
A GOLD GALLEON member putting an email together
They'd also buy domains that resembled the legitimate buyer or seller company name – lookalikes that would help them impersonate either party.
As reported in our sister title Techworld, the maritime shipping industry is roughly 10 to 15 years behind the IT world in terms of security, and there are some factors common in the industry that further complicate defence against these kinds of attacks.
"There's not a lot of security controls around it," says Bettke. "These small companies don't use two-factor authentication, they're running Windows XP, once their password gets out there, anyone can log in... They don't have adequate logging so they don't notice suspicious logins.
"To add more complexity to it, because it's global maritime shipping, these emails are conducted over different time zones, there are language barriers, there's tight shipping schedules, there's just a whole lot of complications. There are subsidiaries and sometimes they have multiple domains. So if you're a customer or vendor and you're not familiar with the other person's domain, if they were to use a dot-net or a similar-looking one that's pretending to be a subsidiary you wouldn't even know.
"Sometimes these companies don't even have websites, it's simply email addresses, so even tracking down some of these victims for notifications was incredibly difficult."
Secureworks contacted three victims in total. One was a shipping company based in South Korea. GOLD GALLEON was able to steal credentials for eight accounts belonging to the company, including the accountant's. They then targeted all of the shipping company's clients.
The attackers monitored the business transaction of the South Korean company and a cash-to-master service for a ship arriving in America and inserted themselves into the transaction with a fake Outlook email account. They submitted a fraudulent email asking the South Korean company deposit the payment into a "subsidiary bank account" – a mule operated by GOLD GALLEON.
According to SecureWorks: "Seeing that the South Korean company was potentially about to hand over $50,000 to the criminals and not the intended provider of ship services, CTU researchers notified the US company as quickly as possible.
"Separately, the South Korean shipping company had been in touch with the US shipping agent to verify the 'subsidiary account' payment details were correct, so the US shipping agent was already aware of the fraud attempt.
"However, they did not know how it was that the South Korean company had received the altered bank details. CTU researchers were able to complete the picture for them."
A separate attack saw GOLD GALLEON targeting another of this South Korean company's clients for $325,585, a large Japanese company that provides marine transportation of petroleum and chemicals with clients all over the world. The Japanese company, ultimately, had flagged the transaction as suspicious.
A third attempt against a separate multinational Japanese conglomerate for $243,838 was also derailed, with SecureWorks able to notify both parties and South Korean CERT – the incident response team in the country.
The researchers discovered that GOLD GALLEON appears to have a loose organisational structure, with the activities coordinated by a few senior individuals, who occasionally coached the junior members in what appeared to be mentoring roles, as well as liaising with other external criminal partners like suppliers of mule bank accounts.
They used proxy services to cloak their origin, but CTU said they had discovered evidence that many of their systems were regularly connecting to the internet via infrastructure based in Nigeria.
A typical conversation. Source: SecureWorks
Crew members also used Skype and other IM services, talking in Nigerian Pidgin English and repeatedly using phrases that could be linked to the Buccaneer Confraternity – including keywords such as 'alora', 'awumen', 'sealords', and '1972buccaneer'. One of the attackers used a Buccaneers logo in one of their online accounts, the researchers say.
"It's not a top-down hierarchy – you've got some people that are sort of like father figures or leaders, simply because people look to them for advice," says Bettke. "So this leader here is the brains of the operation, where people go to him and say, does this sound right? Or: 'should I send the bank account now?' And he would tell them to hold off and wait for a more opportune time.
"They are more of a service/sharing community, almost where they'll go to friends and say: 'hey, please crypt this malware', or 'hey, do you have a bank account in the UK'?"
But they appear to have one particular leader who is extremely religious.
"They'll say: 'Please god, help us' – and screenshots from their desktop reveal religious biblical quotes and things like that. I believe they are located in Southern Nigeria," Bettke says.
Race against the attackers
SecureWorks' Bettke says the team does its best to alert victims when they encounter them but there were complications here too – for example, if it was by email, because the attackers had already compromised accounts, they would frequently delete the warnings as they came in.
"If the email does get to the victim they'll just say, sorry, my account was hacked, ignore that," says Bettke. "They'll try to continuously derail my conversation until a payment is made. I'd try to call them via phone but with the different time zone and the language barrier it was very challenging.
"There was an amazing incident where I used our Japanese office to try and send someone – I wanted to call them on the phone because they were a native speaker – and after that didn't work we sent someone to their office to warn them in person."
Sometimes the companies that are being warned are suspicious of the researchers themselves. Of course, none of these businesses are clients of the company, but it says they try to warn them where it can.
"Any time I can stop these guys from getting money is a good day," says Bettke. "If I see a bank account, I will report it. But I'm sitting here watching email threads unfold where this person says 'yes, we'll send you the money by such and such data', and I say to myself: 'Uh oh, I have to try and stop this now'. So I will escalate it where I try and call the party, or I'll do everything I can to try and stop it or report it.
"But I don't know how many days it's going to take for someone to take action on that, so I try to do everything I can to stop that payment.
"I'm sure if you're on a ship you're more concerned with real pirates," Bettke says. "But because their emails are out there, they're just targeting everywhere.... so there's probably a higher chance of them getting hit by a BEC email than boarded by actual pirates."