Security Weekly News Episode #47 - July 07, 2020
1. News - Try2Cry, TikTok Bans Pt. 2, & Facebook Under Fire - 02:00 PM-02:30 PM
This week, TikTok bans part 2, Try2Cry, Lazarus rises from the dead, Chinese Data blocking, and the Bubonic Plague! Jason Wood returns for Expert Commentary on how a flashy Nigerian Instagram star was extradited to the U.S. to face BEC charges!
Doug White's Content:
- Lazarus Group branches out to skimming.
- BIG-IP devices are issued a 10/10 CVE.
- E-Verify report.
- Facebook and Twitter suspend Chinese data requests.
- US may also ban TikTok.
- Facebook under fire by advertisers over hate speech.
- US to withdraw student visas if schools are online.
- At least there isn't a bubonic plague, oh wait.
Jason Wood's Content:
Last week I talked about the criminal operations of a group dubbed Pinchy Spider. This week we are taking a look at that Nigerian Prince we all have heard from. Ok, he wasn’t actually a prince and his scams were more sophisticated than those I’ve seen in my spam folder. Ramon Olorunwa Abbas, aka “Ray Hushpuppi” and “Hush”, was extradited to the US to face charges for conning employees of various companies into wiring him money “owed” for services that did not exist or transactions that were totally fraudulent. It appears that Abbas has been under investigation for quite some time and he made the mistake of traveling to the UAE, which has an extradition treaty with the US. He was arrested and is apparently in Los Angeles (or will be soon) to face charges.
The post on the Naked Security blog has some interesting photos that are worth checking out. Abbas is apparently a fairly flamboyant person and has an Instagram account with 2.4 million followers. He enjoyed sharing pictures that demonstrate his success, though he posts as a real estate developer. There’s a pic of him lounging in a private jet and showing off some beautiful cars while he wears a robe with his nickname “Hushpuppi” showing across his shoulders. This all struck me as pretty bold for someone who is alleged to have made his money by committing fraud. But he lived in a country that doesn’t cooperate with foreign law enforcement, so he probably felt pretty safe.
So how did the scams work? Well, it was pretty much what you would expect. His organization would spoof emails from a company or straight up compromise their mail infrastructure and use it to send fraudulent emails. The emails would be sent to someone in a target organization and request money to be transferred to them for some kind of business deal they had with them. According to the FBI complaint, the transactions were fairly large. In one example they tricked a New York law firm into sending them a bit over USD $900,000. A paralegal was conned into wiring the money for a fake real estate deal. Another got a non-US financial institution to send them USD $14.7 million.
The freaky thing about these scams is that they get to people who have the ability to wire money, but not necessarily executives (though there have been examples of those too). Somehow they establish enough credibility that someone agrees to send them a lot of money. I don’t know much about the structure of law firms, but the idea that a paralegal can wire almost a million dollars apparently without checking with someone blows my mind. These exchanges tend to be completely done over email and this is a terrible medium to validate someone’s legitimacy and identity. In fact, one of the FBI’s recommendations to prevent being scammed like this is to validate the person face to face or via voice communications. If the CEO sends you an email asking you to wire a lot of money to someone, walk down the hall and ask them if they actually sent the request. I’d also add that we need to watch out for emails that try to make us feel time pressure to get something done. If the scammer can get us worrying about angering an executive or major business partner, then they’ve gained a major advantage in trying to get us to send them money.
In Abbas’ case, he faces the possibility of a number of years in prison. Naked Security notes that someone getting the maximum sentence is rare, but if found guilty Abbas could face up to 20 years in prison. If he is found guilty, then I have a hard time being too sympathetic for him. I’ve read of a number of these scams over the years and they have put companies out of business and made people lose their jobs. That’s an incredibly traumatic thing to people and the thieves behind these scams really don’t care what they do to people’s lives. Arresting Abbas doesn’t solve the problem, since there are many of these groups operating out there. However, it does put a hit on one of these operations and that’s not a bad thing.
If you would like to read more about how the scam works, how the money gets moved around, or just check out some pictures of Hushpuppi enjoying his Bentleys, head to the show notes and check out the link to the original post.