Victorians lost $31,904,837 to business email compromise (BEC) in 2021, but some VPN operators are helping Victoria Police unmask fraudsters, Detective Sergeant Tas Gagatsakis from the Cybercrime Squad told iTnews.
Gagatsakis said there were US- and Australia-based VPNs that handed over customers’ IP addresses when asked for them but would not name them. He did not comment on VPNs that operate in other jurisdictions.
“There are VPN services that are operating in a jurisdiction like ours and services that operate in the US … they are obliged to assist law enforcement when given the correct paperwork or search warrant, or whatever the case may be.”
Gagatsakis said he was not aware of Victoria Police or any other Australian government agencies running Tor relay nodes to deanonymize users.
Gagatsakis said the $31.9 million does not take into account when the funds were recovered but “the majority of times, we don’t get the money back, unfortunately.”
Of the 670 reported attacks, 436 included the victim making a payment in 2021. In 2022, 233 BEC attacks have been reported so far, and 152 victims have paid, totaling $9,003,970.
Gagatsakis said BEC is a fraud technique that redirects businesses’ legitimate fund transfers to the individual offender or syndicate’s accounts.
Victoria Police Cybercrime initially relied mostly on tracing money transfers to identify the hackers, but techniques that expose criminals’ IP addresses are becoming more central to its investigations.
“We use our international partners and financial institutions to recall the funds, once we’ve identified that it’s been stolen funds. Often the bank has already identified that the account has suspicious activity because they haven’t provided the correct credentials or something like that. And then those funds will generally be stopped.”
Metadata requests are used “not so much…at this stage.” Gagatsakis said the CLOUD Act, which gives US and Australian law enforcement agencies streamlined access to data in each other’s jurisdictions, will be useful.
Victoria Police Cybercrime has also worked with telcos, and recently engaged Telstra to block a wave of phishing scams sent through computer-generated SMSs.
Gagatsakis said BEC is normally committed through compromising a vendor’s email account and altering invoices, impersonating a high-ranking member of a company like a CFO and sending false invoices to raise funds, or registering a domain with a similar name to a legitimate company and sending false invoices to its customers and trading partners.
“Sometimes the actors will be in people’s system for weeks or months waiting for that right invoice to come through,” Gagatsakis said.
“They’ll go through the system and get an idea of what the business does and what’s coming up and instead of doing a few $1000 here and there they wait till it’s a large amount of money that they can get in one swoop.”
Initial access to the user account is normally gained through phishing, keyloggers, email spoofing, email resemblance (registering a domain that looks similar to a legitimate organisation), computer system compromise or using an employee’s password released on a database leak.
“So they [the hackers] register domains where they then use the email address and that. So we can go back to the domain registrar, for instance, and get information from this, how it was created, who created IP addresses,” Gagatsakis said.
Gagatsakis said Victoria Police Cybercrime was currently investigating a Nigerian national who is part of a syndicate that stole $7 million through BECs on large and small businesses nationally between 2019 to 2021.
The hacker has transferred proceeds to other syndicate members, recruited mules, purchased luxury goods and converted it into cryptocurrency.
Gagatsakis said Nigeria was an example of one of several countries that BEC hackers were notoriously hard to track because “you have an IP address that’s not assigned to a person or a specific address…You don’t have the subscriber system like Telstra and Optus where it’s linked to an ID.”
The Australian Federal Police said in July 2021 that 3,300 reported BEC incidents cost Australians $79 million, and only $8.5 million had been able to be clawed back over the 2020-21 financial year.
In January 2020, Operation Dolos was set up to address rising BEC attacks.
The AFP-led task force includes state law enforcement, the Australian Criminal Intelligence Commission, the Australian Cyber Security Centre, a division of the Australian Signals Directorate, and the Australian Transaction Reports and Analysis Centre.
Operation Dolos collaborated with Operation Eagle Sweep, an FBI-led campaign between 1 September and 1 December 2021 that arrested 65 people internationally and 18 money mules in Australia.