BEC scammer infects own device, giving researchers a front-row seat to operations
In some media portrayals, criminal and state-backed hackers are invariably depicted as cunning and sophisticated, gliding inexorably toward their latest data heist.
Reality is murkier. These digital operatives are, of course, human and prone to mistakes that expose their activity. A North Korean man accused of hacking Sony Pictures Entertainment in 2014, for example, mixed his real identity with his alias in registering online accounts, making it easier for U.S. investigators to track him.
The most recent example of bumbling digital behavior occurred when a scammer infected their own device, offering researchers a front-row seat to the attacker’s scheme and lessons in how to defend against it.
“This is a big failure in their operational security as it gives us direct insight into some of the attacker’s tactics and operation,” said Luke Leal, a researcher at web security firm Sucuri, which made the discovery.
The attacker was trying to carry out a business email compromise (BEC), a scheme that uses spoofed emails to trick people into sending crooks money. BEC scams are so prevalent they accounted for $1.7 billion in losses reported to the FBI in 2019 — or half of all cybercrime losses reported to the bureau.
To make the fraudulent emails to employees believable, the scammer needed details about the equipment used at the targeted company, an unnamed oil company, Leal wrote in a blog post. That meant planting malicious code on the company’s devices to monitor its communications.
At the same time, however, the attacker apparently forgot to remove the malicious code from their own device, where they had likely installed it for testing, giving Leal’s team a window into the attacker’s machinations and frustrations. Because it was infected with the same malware, the attacker’s device was sending screenshots back to the very control panel the hacker was using to run the scam.
The researchers saw emails the attacker sent to targeted employees and how they spread out payment requests over multiple invoices to make the scam more believable. And in one online chat with another attacker seen by the researchers, the BEC scammer laments losing access to the control panel.
The scammer was ultimately able to regain access to the panel because the website hosting it hadn’t changed its password. It’s unclear how successful the BEC scam was (Leal said he didn’t know). But the episode is a reminder of the many opportunities that the potential targets of hacking schemes have to learn from the perpetrators’ mistakes.