Details of an investigation into an email compromise fraud
By: Dr Tristan Jenkinson
Fall from Grace
A Nigerian entrepreneur, who has previously appeared on the front cover of Forbes Africa, pleaded guilty to wire fraud in the United States District Court for Eastern Virginia earlier this week.
Obinwanne Okeke was the founder of the Invictus Group, who stated on their website (which is not currently online) that they “aim to be a leading African investment company”. Okeke was named by Forbes Africa in their 30 Under 30 list for 2016.
According to a DoJ press release, Okeke now faces up to 20 years in jail, having changed his plea from not guilty to guilty in relation to the accusations of wire fraud against Unatrac Holding Limited – the export sales arm of Caterpillar (a UK headquartered firm specialising in heavy industrial equipment).
The affidavit of Marshall Ward, Special Agent of the FBI, which you can read here, provides a great insight into the fraud and its investigation. For those interested in investigating fraud and in particular cyber related fraud, the affidavit is a great example of how an investigation can be carried out and I would recommend reading it in full – though I have pulled together many of the key points to cover below.
The fraud was essentially an email compromise scheme. The CFO of Unatrac was targeted with a phishing email (sometimes referred to as a whaling email – see for example the discussion here). The attack led the CFO to a spoofed site which appeared to be his Office365 login page, asking for his credentials: when entered, these were then stolen by the attackers.
Now with full access to the CFO’s email account, the attackers reviewed emails and invoices to create realistic (but falsified) invoices, sending requests for payment from the CFO’s email to Unatrac’s finance team. The attackers also sent emails from external accounts posing as suppliers, with further fictitious invoices and requests for payment to the CFO’s email that were then forwarded to the finance team for payment.
Additionally, email filter rules were created to hide responses from the finance team to the CFO. This meant that any queries or confirmation requests by the finance team were marked as read and filed so they could then be responded to by the attackers without having been seen by the CFO.
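The filter rules described above are one of the most reliable indicators of a compromised mailbox, because an attacker needs them to keep the real owner from seeing the finance team's replies. The following is an added example (not code from the article or the affidavit) that triages an export of a mailbox's inbox rules for that hiding pattern, for silent external forwarding, and for rules keyed on finance vocabulary. It assumes a hypothetical organisation domain (unatrac.example) and models the rule fields on the ones an Exchange Online Get-InboxRule export exposes; the sample rules themselves are constructed.

```python
"""Added example: triage mailbox inbox rules for BEC-style hiding patterns.

Assumptions (not from the affidavit): the organisation's mail domain is
unatrac.example, and the rule fields mirror an Exchange Online Get-InboxRule
export (MarkAsRead, MoveToFolder, DeleteMessage, ForwardTo, RedirectTo,
SubjectContainsWords, FromAddressContainsWords).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INTERNAL_DOMAINS = {"unatrac.example"}  # assumed organisation domain
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "transfer", "remittance", "bank"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    mark_as_read: bool = False
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    from_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage_rule(rule: InboxRule) -> List[str]:
    """Return the suspicious traits of one rule (empty list means nothing odd)."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    # The Unatrac pattern: replies are marked read and filed so the owner never sees them.
    if rule.mark_as_read and (rule.move_to_folder or rule.delete_message):
        findings.append("hides-mail")
    if rule.delete_message:
        findings.append("deletes-mail")
    # Silent exfiltration: copies of mail leave the organisation.
    if any(is_external(a) for a in rule.forward_to + rule.redirect_to):
        findings.append("external-forward")
    # Rules keyed on finance vocabulary deserve a second look.
    words = {w.lower() for w in rule.subject_contains + rule.from_contains}
    if words & FINANCE_KEYWORDS:
        findings.append("finance-keyword")
    return findings


def triage(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map rule name -> findings, keeping only rules that raised something."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample rules, modelled on the behaviour described in the affidavit.
SAMPLE_RULES = [
    InboxRule("Finance queries", mark_as_read=True, move_to_folder="RSS Subscriptions",
              subject_contains=["invoice", "payment"]),
    InboxRule("Newsletters", move_to_folder="Newsletters", from_contains=["newsletter"]),
    InboxRule("Backup copy", forward_to=["archive@example.net"]),
    InboxRule("Old rule", enabled=False, mark_as_read=True, delete_message=True),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(findings)}")
```

Run over a real export, the "hides-mail" and "external-forward" traits are the ones worth paging on; a rule that files newsletters without marking them read is ordinary user behaviour and correctly produces no finding.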
In total, it is believed that between 6 April 2018 and 20 April 2018, access to the CFO’s email account occurred at least 450 times. Such access was mostly from Internet Protocol (IP) addresses based in Nigeria.
Those IP addresses were later tracked back to Okeke.
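Hundreds of sign-ins from a country the account owner never works from is exactly the signal that should have surfaced this compromise within the two-week window. The following is an added example (not code from the article or the affidavit) that summarises a sign-in audit export per user and flags accounts with repeated successful logins from outside an expected set of countries. It assumes the organisation expects sign-ins from GB and US only and that each event already carries a country code; in a real export you would derive that from the client IP with a GeoIP lookup. The log lines are constructed and use documentation address ranges.

```python
"""Added example: summarise mailbox sign-ins by country and flag the pattern of
many successful logins from an unexpected country.

Assumptions (not from the affidavit): expected countries are GB and US, and
each event already carries a country code (normally derived from the client
IP via GeoIP). The sample log is constructed for this example.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Dict, List, Set

EXPECTED_COUNTRIES: Set[str] = {"GB", "US"}  # assumption

# Constructed sign-in export (documentation IP ranges, fictional users).
SAMPLE_LOG = """timestamp,user,client_ip,country,result
2018-04-06T08:02:11Z,cfo@unatrac.example,203.0.113.5,GB,Success
2018-04-06T09:15:40Z,cfo@unatrac.example,198.51.100.21,NG,Success
2018-04-06T09:17:02Z,cfo@unatrac.example,198.51.100.21,NG,Success
2018-04-07T14:30:55Z,cfo@unatrac.example,198.51.100.77,NG,Success
2018-04-07T14:31:10Z,cfo@unatrac.example,198.51.100.77,NG,Failure
2018-04-08T07:45:19Z,cfo@unatrac.example,203.0.113.5,GB,Success
2018-04-08T22:05:33Z,cfo@unatrac.example,198.51.100.21,NG,Success
2018-04-09T01:12:48Z,cfo@unatrac.example,198.51.100.77,NG,Success
2018-04-09T03:40:01Z,cfo@unatrac.example,198.51.100.21,NG,Success
2018-04-06T08:10:00Z,ap@unatrac.example,203.0.113.9,GB,Success
2018-04-07T08:12:00Z,ap@unatrac.example,203.0.113.9,GB,Success
2018-04-08T08:09:30Z,ap@unatrac.example,203.0.113.9,US,Success
"""


def parse_signins(text: str) -> List[dict]:
    """Parse the CSV export into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def summarise(events: List[dict]) -> Dict[str, dict]:
    """Per user: successful logins by country, and the IPs seen from unexpected countries."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"by_country": Counter(), "foreign_ips": set()})
    for e in events:
        if e["result"] != "Success":
            continue  # failed attempts deserve their own alert; not counted here
        user = summary[e["user"]]
        user["by_country"][e["country"]] += 1
        if e["country"] not in EXPECTED_COUNTRIES:
            user["foreign_ips"].add(e["client_ip"])
    return dict(summary)


def flag_users(summary: Dict[str, dict], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` successful logins from unexpected countries."""
    flagged: Dict[str, int] = {}
    for user, data in summary.items():
        foreign = sum(n for c, n in data["by_country"].items()
                      if c not in EXPECTED_COUNTRIES)
        if foreign >= threshold:
            flagged[user] = foreign
    return flagged


if __name__ == "__main__":
    s = summarise(parse_signins(SAMPLE_LOG))
    for user, count in flag_users(s).items():
        ips = ", ".join(sorted(s[user]["foreign_ips"]))
        print(f"{user}: {count} logins from outside {sorted(EXPECTED_COUNTRIES)} via {ips}")
```

The threshold is deliberately low: a finance executive who genuinely travels will show a handful of foreign sign-ins, but a sustained run from the same two or three addresses in a country the business has no presence in should trigger a credential reset and a review of the mailbox's rules.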
Because the requests appeared to come from the CFO, Unatrac staff made the payments, in total transferring over $11 million to overseas accounts. Unfortunately, by the time the fraud was discovered and investigated, it was too late to cancel the transfers and little could be recovered.
As well as access to the CFO’s email, the attackers also had access to OneDrive using the same credentials. One file from OneDrive was downloaded and sent from the CFO’s account to the account email@example.com.
An open source investigation into this email address found that it had been used for other potentially fraudulent schemes, including setting up web domains with apparently deliberate spelling mistakes. It was also found to have been used in further phishing schemes, used to receive stolen usernames and passwords and was used to set up further domains then used for other phishing attacks.
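Domains registered with "deliberate spelling mistakes" are a standard component of this kind of scheme, and a brand owner can watch for them. The following is an added example (not code from the article or the affidavit) that checks a list of candidate domains against a set of protected brand domains, folding common look-alike characters first and then using edit distance or containment of the brand label. The protected domains, the candidate list and the single-label public suffix assumption are constructed for the example.

```python
"""Added example: spot registered domains that imitate a protected brand domain.

The protected domains and candidates are constructed for this example and are
not taken from the affidavit. A single-label public suffix (e.g. ".example")
is assumed when extracting the registrable label.
"""
from typing import Dict, List, Optional, Tuple

PROTECTED = ["unatrac.example", "caterpillar.example"]  # assumed brand domains

# Characters and digraphs that pass for other letters in many fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
              "rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label just before the public suffix; assumes a single-label suffix."""
    return domain.lower().rstrip(".").split(".")[-2]


def closest_protected(candidate: str, max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Nearest protected domain within max_distance edits after folding, or None.

    A candidate label that contains the brand label outright (e.g. a
    "brand-invoices" registration) is reported with distance 0.
    """
    cand = normalise(registrable_label(candidate))
    best: Optional[Tuple[str, int]] = None
    for protected in PROTECTED:
        plabel = normalise(registrable_label(protected))
        d = 0 if plabel in cand else levenshtein(cand, plabel)
        if d <= max_distance and (best is None or d < best[1]):
            best = (protected, d)
    return best


def find_lookalikes(candidates: List[str]) -> Dict[str, Tuple[str, int]]:
    """Candidates that imitate a protected domain but are not the domain itself."""
    hits: Dict[str, Tuple[str, int]] = {}
    for c in candidates:
        if c.lower() in PROTECTED:
            continue
        match = closest_protected(c)
        if match:
            hits[c] = match
    return hits


if __name__ == "__main__":
    # Constructed candidates, as they might come from a certificate-transparency or WHOIS feed.
    sample = ["unatrac.example", "unatarc.example", "un4trac.example",
              "catepillar.example", "unatrac-invoices.example", "example.org"]
    for domain, (brand, dist) in find_lookalikes(sample).items():
        print(f"{domain} -> imitates {brand} (distance {dist})")
```

The homoglyph folding is intentionally aggressive ("rn" becomes "m", so a legitimate "modern" would fold to "modem"); for brand monitoring a false positive costs an analyst a glance, whereas a missed look-alike costs a wire transfer.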
A subpoena to Google resulted in access to the email account which demonstrated further wrongdoing and details of other email addresses involved in potentially fraudulent conduct.
The iconoclast1960 account was later demonstrated to be owned and used by Okeke.
Linking the iconoclast email to Okeke
In the data provided by Google for the iconoclast account, Ward found that people would often refer to the user of the iconoclast email as either “Obi”, “Chief Obi” or “Obiwanne”. Other accounts were found to be linked to the iconoclast email by information from Google relating to the login session cookies, which suggests that they were being operated by the same person. One of these was firstname.lastname@example.org.
Ward found a forum (Nairaland.com) where a user (Invictusobi) used the email@example.com account as a contact address. The Invictusobi user also had a Twitter account linked – “@invictusobi”.
The Twitter account @invictusobi is owned by Obinwanne Okeke, and in turn is linked to an Instagram account under the name “invictusobi”.
The Instagram account covers travel all around the world; Ward tied the locations featured to those recorded by Google for the iconoclast email.
A post on Okeke’s Instagram in June 2018 had a picture of Okeke in a hospital bed; Ward ties this to a discussion in the iconoclast account in early August about having been in hospital.
There was also an email from the iconoclast email to firstname.lastname@example.org, attaching a picture of a white bath tub. The same picture was found on the invictusobi Instagram site.
Data from the invictusobi@icloud account were requested from Apple, and the content therein demonstrated that the email@example.com account and the firstname.lastname@example.org account were used by Okeke.
Using the login session cookie information from Google, Okeke was then directly tied to the iconoclast email as well.
This fraud further highlights the dangers that email phishing can pose, and the importance of good cybersecurity. Unfortunately, Unatrac and Caterpillar were not able to recover much of the payments that were made. In cases such as these timing is key: the sooner issues are uncovered, the more likely it is that payments can be recovered.
This story also links back to the article published on my blog earlier this month (Security Bypasses and the C-Suite), where this scenario was discussed as a result of senior executives bypassing cybersecurity measures.
Had further defences been in place, such as multifactor authentication, then such an attack would have been much less likely to succeed.
Again, for those interested in the finer details of this story, I would recommend reading through the affidavit from Marshall Ward which you can read here.