BEC, a Metamorphosis of Advance Fee Fraud

BEC (Business Email Compromise) has gained more and more attention lately. The most recent statistics show $26 billion in losses over the past three years.1 The sad reality is that BEC could have been avoided if Advance Fee Fraud (AFF) had been recognized earlier as the threat it is and dealt with appropriately. Inaction at the most basic levels, despite alerts for the past 16 years from Artists Against 419,2 allowed these actors to escalate to unprecedented heights. BEC is the end product of AFF. Domain name abuse in BEC was merely the trendy evolution of what AFF fraudsters had been using for years to target consumers.

Recent Numbers and Cases

Obinwanne Okeke, a young Nigerian billionaire known as Invictus Obi, was arrested in August 2019 for over $11 million BEC fraud.3

A few days later, 80 individuals, mostly Nigerians suspected to be part of a massive BEC and romance scam network, were also indicted.4

On Sept 10 2019, the FBI released details of Operation reWired, resulting in 281 arrests. Of these, 167 arrests were in Nigeria, 74 in the US, 18 in Turkey and 15 in Ghana. Fraudsters associated with the operation were also arrested in France, Italy, Japan, Kenya, Malaysia, and the UK.5

The ‘Behind the “From” Lines: Email Fraud on a Global Scale’,6 ‘Scarlet Widow’7 and ‘Scattered Canary’8 studies done by Agari clarified a reality we had tried to expose for a long time: BEC would never have become possible without an entire infrastructure of advance fee fraud elements used against consumers, ending with those consumers turned into money mules. Other similar studies mention the AFF-BEC connection, though some less clearly than others.9

In other words, the consumer was the training ground for BEC. Consumer fraud is the arena where the fraudsters crafted their fraud and saw what was the most effective way of upping their game to the next level. This was done through email correspondence, fraudulent domain names abusing the DNS infrastructure, VOIP phone numbers and the impersonation of real people or entities having no connection with the fraud.

Social media was a main vector, allowing the fraudsters to study their victims and adjust the “game” to what triggers the victims. There are also never-ending breaches exposing consumer details or companies’ internal structure, providing a rich source of information to refine their social engineering. After testing it on average people, the fraud recipe was improved and used to target people with financial responsibilities in various companies. These victims were lured into making payments to fraudsters in the belief that they were paying a regular business partner, or that they were fulfilling an urgent financial need for their company’s boss.13

Social media companies admit that killing the fake profiles used in fraud doesn’t help much when, for each suspended account, the fraudsters will create more. Each one in turn will only be reported after someone else becomes a target.14 Anything free that can be abused, will be abused.

High-level breaches show that anyone can become a victim of a breach. We see more and more data dumps sold to cyber-criminals, in turn fueling more targeting of consumers and businesses.16

So far the phone providers are unable to deal with clients abusing their services to commit fraud, be it SIM-swap, spam calls or AFF fraudsters.17 Free online telephone verification services meant to “protect consumer privacy” add another layer of complexity, undermining the methods used to ensure services aren’t abused and ending up causing greater harm than the harm they’re meant to protect against.18

DNS abuse is also massive and no one seems to care enough to change anything in the AFF arena. For each suspended domain, others are registered daily, sometimes spoofing the same entities.

Recognition of Advance Fee Fraud as a Threat

Reporting DNS abuse is easy when it involves phishing, botnets, spam or malware. Advance Fee Fraud doesn’t get the same recognition and is disavowed as DNS abuse.

Any further mention of domains in this post refers to domains registered explicitly to be used for AFF activities, not to compromised domains or the content hosted on them.

The Anti Phishing Working Group defines phishing as:19

Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.

AFF might look like phishing in some cases, but it’s not the same thing. While AFF uses social engineering and technical subterfuge, the goal is not to steal personal identity data and financial account credentials.

Any such theft is incidental. There are cases where AFF victims’ details were used for further fraud in identity theft, but this is merely a crime of convenience, the end result of successful AFF rather than phishing.

Pretending to be a bank isn’t phishing when a fake site is used to confirm the financial status of a fake character used in a romance scam. Such a bank might not even impersonate a real bank, but be a totally fictitious bank. Typically a fake identity used in a Romance Scam will show an equally fake bank account to a target as a token of trust, ultimately showing that he is good for the money he is asking for.20

Pretending to be a company while using a domain name slightly similar to a real one, or perhaps totally bogus, to defraud small businesses is also not phishing. Yet these scams account for millions of dollars in losses annually, easily causing small businesses to close their doors forever and their staff to lose their jobs.21

Impersonating the FBI or Homeland Security, asking an AFF victim to send his / her bank account details so that the recovery money can be paid into it, is also not phishing.22 Likewise, impersonating the authorities to extort victims who purchased items in AFF fraud is not phishing. No website is even needed. These are not content issues. Yet they result in massive consumer losses annually.23

A fake courier pretending to deliver goods, asking for upfront fees, is also not phishing.24 Yet this is where the fake authorities mentioned above will suddenly impose their customs fees, fines etc. in fake parcel scams. This tactic alone has resulted in over 17,000 victims being targeted by one small Nigerian syndicate in Malaysia over a three year period.25 Real companies may or may not be impersonated. Even where they are, this is not a copyright or trademark issue, it is a fraud issue. This is the reason why UDRPs massively fail to resolve these problems, while the infringing domain owners never respond.26

A fake lawyer offering help with an Inheritance or Romance Scam, asking for fees to be paid upfront to obtain bogus court papers and certificates, is also not phishing.27 Spoofing and a stolen website are incidental and not even required to succeed; they are merely a crime of convenience. Spoofing or not, neither makes it less of a crime.28

A bespoke company, or one impersonating a real entity, offering jobs and asking fees for a non-existent job is not phishing either.29 Yet it is fraud, Advance Fee Fraud, and it’s a crime.

A bogus lottery or alleged legal department offering non-existent prizes or grants, that you need to pay for before receiving, is not phishing and it isn’t legal either – it’s AFF.30

All the above examples, and a myriad of other fake instances used in AFF, use fraudulent domain names, abusing the DNS system as well. In our experience, over 80 percent of AFF scam-spam emails lead to malicious domains being uncovered. Some of these domains get reported by victims after the fraud, or attempted fraud, occurred. Logically, known fake entities should be mitigated. Not doing so creates perpetual consumer traps defrauding more and more victims as time goes by. Much of the internet’s reputation systems rely on the domain name’s age.31

The Minefield of AFF Mitigation

Things should be easy when reporting Advance Fee Fraud. Not so!

To register a domain name, the person registering it (the registrant) needs to provide his name, location, email address and phone number. These details must be accurate and verifiable. They are part of what is known as the domain WHOIS. Each company involved in giving access to the online space has a TOS (Terms of Service) and AUP (Acceptable Usage Policy), stating what type of activities are not allowed on a domain name registered / hosted with them. These list fraud and other illegal activities as a major “No!”

If AFF activities are committed using a malicious domain name, a factual report sent to the registrar abuse team should result in them investigating the report and taking the appropriate measures. A valid report should result in the domain name being suspended. Likewise, deliberately supplying invalid domain registration details is grounds for an immediate domain suspension.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization governing, among other things, the Internet’s global Domain Name System (DNS). They also publish and monitor compliance with policies. These policies are based upon community, government and business input.33

The current Registrar Accreditation Agreement (RAA) dates back to 2013 and governs the requirements for domain registration and surrounding policies.34 The same year also saw the GAC Beijing Communiqué published.35 Both mention registering a domain for fraud as a reason for suspending such a domain name. Both also mention the importance of accurate WHOIS details, free access to those details and the retention of those details.

Free access to WHOIS was revoked on May 25 2018. From that date on, ICANN’s interpretation of the new European General Data Protection Regulation (GDPR) was implemented.36 The GDPR was adopted in 2016 and became European law two years later. Despite knowing about it and having been given time to develop policies to implement and meet the new GDPR rules, ICANN had done nothing until the last minute. Their solution was predictable: a big mess, and free access to WHOIS disappeared.

The end result solved a long-standing issue for some registrars. By hiding the WHOIS details these Registrars would no longer be flooded with reports of invalid registration details. We can only question whether this is a lesson they learnt from their abusive clients, who started using proxy services to hide invalid registration details. How can you report what you cannot see? The self-serving ICANN privacy won and the consumers were thrown to the wolves. No general consumer can check who owns a domain name if it is protected by this WHOIS GDPR mask, and thus cannot report abuse. Advance Fee Fraudsters were quick to adopt addresses in the EU, despite clear indications they are Nigerian based; ditto parties in the Cameroon.

The irony was that the GDPR only protected the privacy of natural persons in the EU, yet large swathes of WHOIS went dark, for domains belonging to businesses and individuals alike, internationally. The consumer had no way of checking if the bank/lawyer/business website he was looking at was real or a spoof, an AFF scam or phishing. The consumer was further insulted by “experts” claiming the casual user never really used WHOIS. Other “experts” justified the disappearance by claiming most of it was fake anyway and had no value. The real experts were ignored.37

Essentially this GDPR-WHOIS made registrars the custodians of trust on the net, a responsibility they disavow. It was still the consumers’ problem to find other ways to protect themselves. Likewise, all abuse issues were the responsibility of law enforcement, even where they had no jurisdiction. In a nutshell, the least qualified party became the key holder of trust on the net – much like a taxi driver without a driver’s license.

Moving forward, as shown above, spoofing is not always phishing. Nor are all AFF spoofs. While many Registrars will accept, for example, reports of a fake bank spoofing a real one only as phishing, this leaves the entire plethora of other fraudulent domain names that aren’t spoofing, like bespoke fake banks or couriers, hanging without a solution for mitigation.

Surely anybody selling forged passports, visas and currency in Canada would be doing something illegal? Common sense is in short supply in registrar land. Consider numerous domains found doing exactly that, belonging to the same party at the same registrar. More worrying is the bogus German registration details used, which were pointed out. This was reported to the registrar just as this registrar chose to implement blanket GDPR protection on all domains in their portfolio, the identified forger’s domains included. The registrar chose to do nothing about the abuse, simply pointing out all the potential (other) venues for relief, some appropriate, some not. In the process they passed themselves off as merely a registrar: “Essentially, we are an administrative body and do not judge or adjudicate issues of dispute.” The fact of clearly illegal activities and accompanying fake registration data was of no concern to them.39 Perhaps they should have considered sections 1.13, 3.18 and of the ICANN RAA.

This is the same holding company that challenged ICANN in the European arena “to protect consumers”. Yet this registrar was happy to devolve responsibility to a European jurisdiction based upon the fake registration, allowing consumers to be extorted in clearly illegal activities and a resultant loss of privacy, while the bad actor was clearly engaging in AFF commonplace in the arsenal of Cameroonian fraud. In case anybody thinks BEC only originates from Nigeria, Cameroonian actors equally engage in it.40 This is a latent threat hardly recognized so far, much like 419 fraud was. Advance Fee Fraud constitutes many sub-fraud types, some known about, some ignored.

Proper research done on fraudulent domain names can establish patterns of the same actor creating an entire nest of domain names used in Advance Fee Fraud. It doesn’t matter if the WHOIS details are real or fake; they can establish the context and intent. Still, some Registrars will never accept a report involving more than one domain name at a time (nor will ICANN), even if they belong to the same party. The reporter is forced to report domains individually. In this way the context of the linked fraudulent activity gets lost. It also results in cherry-picking only some of the domain names for suspension, mostly those impersonating banks, while leaving the rest of the malicious domains active and defrauding consumers until the domain expires. This also places a disproportionate workload on the abuse reporter, frustrating anti-abuse efforts.

Is there any Accountability?

According to the ICANN RAA 2013:

3.18.2 Registrar shall establish and maintain a dedicated abuse point of contact, including a dedicated email address and telephone number that is monitored 24 hours a day, seven days a week, to receive reports of Illegal Activity by law enforcement, consumer protection, quasi-governmental or other similar authorities designated from time to time by the national or territorial government of the jurisdiction in which the Registrar is established or maintains a physical office. Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law.

3.18.3 Registrar shall publish on its website a description of its procedures for the receipt, handling, and tracking of abuse reports. Registrar shall document its receipt of and response to all such reports. Registrar shall maintain the records related to such reports for the shorter of two (2) years or the longest period permitted by applicable law, and during such period, shall provide such records to ICANN upon reasonable notice.

Advance Fee Fraud is illegal activity in all jurisdictions. Theoretically it should be easy to report it if it can be proven. This last part creates another issue: based on the area where they have located their main offices, some Registrars will deny any responsibility for consumer protection, asking for a court order before doing anything. This ignores the reality that victims are in a different geographic area and might also already be penniless after being defrauded, unable to pay a lawyer to obtain a court order. Typically law enforcement will also not do takedowns for the bulk of malicious domains. Some countries don’t even have a mature cyber anti-abuse strategy. Where there is mature enforcement, the authorities are overwhelmed with cyber crime mitigation. This leaves more than 99 percent of malicious AFF domains at some Registrars free to defraud. What might seem to be a reasonable registrar response to the unenlightened is suddenly grossly unfair in terms of human rights. Yet nobody knows this better than the registrars and ICANN.

In 2015 ICANN published the article “ICANN Is Not the Internet Content Police”.41 Essentially ICANN tried distancing itself from any illegal abuse on the Internet. While there may be some merit to some of the content, such as the types of complaints ICANN tried making these issues out to be, they failed to acknowledge that much of the more serious illegal abuse was fueled by the DNS infrastructure. More so, many of the abusive domains were registered with invalid registration details, in what was clearly a violation of their own policies. This blog was published by the head of Compliance, who did not even realize that ICANN also had duties as per the Affirmation of Commitments. The result was rather interesting and saw people resign and new posts being filled.42 Not that it helped much, as nothing stopped the growing DNS abuse and the consequent AFF and BEC abusing the DNS system. It would appear that by not formally allowing AFF and BEC to be given a name, it was hoped they could be swept under the carpet. ICANN continued ignoring what was being demonstrated to them. Formal ICANN complaint processes were abused to frustrate reporters, even closed as resolved where the abuse was ongoing and in violation of their own policies.43

Other Registrars deal with abuse reports by blindly forwarding them to their downstream reseller, despite requests that this not be done. Many of these resellers are hosting providers. Some of these hosting providers specialize in facilitating AFF (and consequently domain abuse) as a business, some being the very party that designed the fraudulent websites. Many such resellers have been caught over the years with their hands in the cookie jar.45 This constitutes an insider threat to the DNS system. What is labelled as transparency suddenly becomes a lesson to criminals on what not to do next time, on what got their fraud exposed. In turn they refine their technique to defraud better.

Certain Registrars don’t use an anti-abuse email address for reporting abuse anymore. Reports sent to the registrar anti-abuse email address will either get ignored, result in a request to use a web-based form, or result in an auto-responder reply to use such a form. Many of these forms limit abuse to pre-defined abuse types. Only one domain can be reported at a time. We’ve already mentioned how many registrars and the ICANN community do not recognize AFF as DNS abuse. This results in shoe-horning malicious domains one by one into the nearest incorrect categories, shoe-horning a bit more to get the message across about what is being reported. To add insult to injury, some registrars don’t even acknowledge such reports, leaving the reporter with no evidence of what was reported. Yet ICANN requires proof if any party wishes to point out a registrar not taking action as mandated in the ICANN RAA. This is a mechanism being abused for plausible deniability. This mechanism also fails to recognize that more than one party might have an interest in an abusive domain. Also, very suddenly, all those forms might be collecting user IP addresses and details, perhaps even sent to the abusive party as in the previous paragraph. There is no recognition of the privacy, even the security, of the abuse reporter or the threats this may expose him to, while the abuser has all the protection at the registrar.

Even if a malicious domain is suspended, the same Registrar that agreed it had to be suspended will silently remove the suspension and allow it to jump back to life.46 It’s extremely counter-productive to have to re-mitigate a malicious domain openly spoofing a well known bank, or where a public alert exists on the likes of the Solicitors Regulation Authority. Even more so if a consumer reports being defrauded with such a domain after it jumped back to life.

Another infamous game to frustrate the WHOIS accuracy specifications is the Registrar insisting the reporter sends a scanned copy of a returned envelope to prove the street address is indeed inaccurate. This response blatantly ignores established geography at times. Consider:

Registrant Name: Morgan Lorga
Registrant Organization: Anonymouse Host
Registrant Street: Down street Rus
Registrant Street:
Registrant Street:
Registrant City: welmshi
Registrant State/Province: North West
Registrant Postal Code: 101000
Registrant Country: RU
Registrant Phone: +7.675552377
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registrant Application Purpose: P1
Registrant Nexus Category: C11

There is no Welmshi to be found in Russia, there is no North West Province in Russia, and the postal code is for Moscow. The blatant self-blinding does not end here. Telephone number +7675552377 is not valid either. Let’s also not ignore the significance of P1/C11,47 indicating this is a US business belonging to a US resident. Russia was never part of the USA; need more be said?
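Most of the contradictions in that record can be caught mechanically before a human ever reads it. The script below is an added example (it is not code from the post, from Artists Against 419 or from any registrar): it parses the WHOIS excerpt quoted above and runs five consistency checks, phone country code and length against the country field, stated region against the country, postal code prefix against the city, a .us nexus category on a non-US registrant, and blank mandatory contact fields. The reference tables are constructed and deliberately tiny, just enough for this record; a production check would draw on full postal, region and numbering-plan data. The assumptions that 101000 is a Moscow code and that C11 denotes a US citizen come from the post; the ten-digit national number length for Russian numbers is an assumption made for this example.

```python
"""Consistency checks on a WHOIS registrant block (added example, not the post's code)."""
import re

# Constructed sample record, reproducing the excerpt quoted in the post.
SAMPLE_WHOIS = """\
Registrant Name: Morgan Lorga
Registrant Organization: Anonymouse Host
Registrant Street: Down street Rus
Registrant Street:
Registrant Street:
Registrant City: welmshi
Registrant State/Province: North West
Registrant Postal Code: 101000
Registrant Country: RU
Registrant Phone: +7.675552377
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registrant Application Purpose: P1
Registrant Nexus Category: C11
"""

# Constructed record with internally consistent details, for comparison.
CLEAN_WHOIS = """\
Registrant Name: Example Person
Registrant Street: 1 Example Street
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 101000
Registrant Country: RU
Registrant Phone: +7.4951234567
Registrant Email: registrant@example.com
"""

# Assumed reference data (constructed, minimal; real checks need full datasets).
COUNTRY_DIAL_CODE = {"RU": "7", "US": "1"}
NATIONAL_NUMBER_LENGTH = {"RU": 10, "US": 10}   # assumption for this example
KNOWN_REGIONS = {"RU": {"Moscow", "Moscow Oblast", "Saint Petersburg"}}
POSTAL_PREFIX_CITY = {"RU": {"101": "Moscow"}}   # 101000 is a Moscow code (per the post)
US_ONLY_NEXUS = {"C11"}                          # C11 = US citizen (per the post)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated Street lines become a list."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Registrant Street":
            record.setdefault(key, [])
            if value:
                record[key].append(value)
        else:
            record[key] = value
    return record


def check_record(rec):
    """Return a list of human-readable findings; an empty list means no contradiction found."""
    findings = []
    country = rec.get("Registrant Country", "")

    # 1. Phone in the WHOIS '+CC.number' form; dial code and length must fit the country.
    m = re.fullmatch(r"\+(\d{1,3})\.(\d+)", rec.get("Registrant Phone", ""))
    if not m:
        findings.append("phone: not in +CC.number form")
    else:
        cc, national = m.groups()
        if COUNTRY_DIAL_CODE.get(country) != cc:
            findings.append(f"phone: dial code +{cc} does not match country {country}")
        expected = NATIONAL_NUMBER_LENGTH.get(country)
        if expected and len(national) != expected:
            findings.append(f"phone: {len(national)}-digit national number, {expected} expected for {country}")

    # 2. The region must exist in the stated country.
    region = rec.get("Registrant State/Province", "")
    if region and region not in KNOWN_REGIONS.get(country, set()):
        findings.append(f"region: '{region}' is not a known region of {country}")

    # 3. The postal code prefix implies a city; compare it with the stated city.
    postal, city = rec.get("Registrant Postal Code", ""), rec.get("Registrant City", "")
    implied = POSTAL_PREFIX_CITY.get(country, {}).get(postal[:3])
    if implied and implied.lower() != city.lower():
        findings.append(f"postal code: {postal} belongs to {implied}, not '{city}'")

    # 4. A nexus category asserting a US presence while the country is not US.
    nexus = rec.get("Registrant Nexus Category", "")
    if nexus in US_ONLY_NEXUS and country != "US":
        findings.append(f"nexus: category {nexus} asserts a US nexus but country is {country}")

    # 5. Mandatory contact fields left blank.
    for field in ("Registrant Name", "Registrant Email"):
        if not rec.get(field):
            findings.append(f"{field}: empty")
    if not rec.get("Registrant Street"):
        findings.append("Registrant Street: empty")
    return findings


if __name__ == "__main__":
    for finding in check_record(parse_whois(SAMPLE_WHOIS)):
        print("-", finding)
```

Run as a script it prints the five findings for the quoted record (phone length, region, postal code, nexus, empty email) and nothing for the clean record, which is the kind of evidence an abuse report can attach instead of a scanned returned envelope.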

The Registry for this ccTLD has some very specific requirements for any domain in their Registry. This was also escalated to them. Surely this would have upset them, as they market themselves as the compliance experts? Not so; this farce was allowed to continue to drive their sales. The consumer was the party paying the real price for this lack-lustre policy enforcement and self-blinding. Yet one of the largest economies had entrusted them to manage their national country TLD. Marketing trumped reality. It’s no surprise that the fraud being perpetrated with these domain names reached such pandemic levels that the Better Business Bureau initiated a research project, culminating in the publishing of an international study.48 Even today this abuse is ongoing and constant alerts are being put out to the public. For the informed, we can connect these very same parties to other issues affecting this country and numerous other alerts, where even this country’s cancer sufferers are being targeted and extorted in drug scams.49

To some Registrars consumer protection has zero meaning. The only parties they will consider abuse reports from are the actual victims. Of course this would only be after somebody has been defrauded. There is no recognition that much of the ongoing fraud can be prevented. Others insist on reporting such fraud to the likes of IC3, Action Fraud, ACORN or law enforcement, then distance themselves from any further responsibility. Yet these parties will hardly ever investigate individual complaints. There will be no removal of the fraudulent content or a request for a domain suspension. As such the online trap continues and the outcome is treated with no forethought for protection. The victims become statistics.

The term “protection by proxy” also exists, referring to situations where an ICANN process called a UDRP51 can be used if, and only if, it can be proven that “(1) the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and (2) Respondent has no rights or legitimate interests in respect of the domain name; and (3) the domain name has been registered and is being used in bad faith.” The assumption exists that if such a brand owner mitigates the abuse (at a cost of about $1500 to $2500) the consumer will be protected. This fallacy falls far short of reality. Invariably in AFF the Respondent will not challenge the action, and the bulk of these UDRP actions name the abuse as phishing (which it is not). Even before the UDRP succeeds, the AFF actor has already registered his replacement domain in his portfolio of malicious domains. There is no penalty for him and the mitigation of a single domain does not really affect his malfeasance in any real way. A UDRP is not protection against AFF; it’s the wrong tool for the job and merely penalizes the legitimate rights holder with costs and no real relief, with no sanction for a registrar continuously sponsoring such domain names.

Recently DomainTools discovered a set of malicious domain names.52 The same actor had set up a nest of defrauding websites used in Romance Scams. One of the domain names the registrant registered and abused was, which resulted in a successful UDRP.53 Even so, the same actor registered domains and afterwards at the same registrar.54 How many more thousands of dollars will it take the real Exxon to mitigate this threat? Will Chevron even try, where they face the same problem? Even so, the sponsoring Registrar and Registry are allowing the same registration details (which are fake and proven to be equivalent to another party55) to be used to blatantly continue his AFF abuse, registering new domains equally spoofing other real banks and companies simultaneously. This is as close to facilitation as can be without being directly involved. Yet they will never be held accountable for their gross negligence. It’s no coincidence the shown typo-domains are equally popular in BEC. In fact we can’t be sure they are not being used for BEC as well.

Just for fun, the United Nations had a bank as well – managed by the above malicious actor:

Another method by which malfeasance is shielded is via proxy abuse. Here a Registrar or affiliate will allow their details to be substituted for the real user’s details. The theory is that this will protect the user from abuse such as spam. As per the ICANN RAA, the proxy owner becomes the domain holder and accepts all responsibility for the domain. The protected user is the licensee. Theoretically, as per policies, the proxy owner will reveal the licensee details when asked for them and clear abuse of the domain name is shown. Failing to do so, he accepts liability for the harm. Even so, despite the clear language, many proxy owners insist on court orders in specific jurisdictions to reveal these details, or simply refuse to divulge details that could be used to protect the consumer.56 Although outside the scope of this post, we’ve seen what passes for licensee details at some of these proxies and the resulting abuse. Anything from spam to child pornography is hidden behind one Registrar’s free affiliated proxy service. Yet many Proxy Providers openly publish on their websites, or reply via email, that they are not the domain owner, contrary to ICANN published policies.

Another method of buck-passing is to make any abuse the responsibility of the hosting provider as a content issue. We have already discussed who some of these hosters are: the very parties facilitating the fraud. This approach disavows the DNS abuse nature of AFF. Some of these hosters have multiple hosting accounts in various locations. An abuse report to them will see such a domain have its DNS changed to another hosting account and, within a day, the malicious domain is resolving to the re-published fraudulent content in what is called “host-hopping”. One such fake lawyer website host-hopped 27 times between different networks, resulting in a strongly worded abuse report to the sponsoring Registrar.57

While a hosting provider abuse report might work with phishing, mis-identifying the threat may cause even worse problems. One domain spoofing the Bank of America disappeared and was suspended for a day as per its index page. Yet the MX (mail server) record was changed to point to a professional email provider the next day, from where the rather unique email address on the bespoke domain was resolving again. This approach also disavows the reality that sub-domains can be pointing to different hosting providers. Yet this is what AFF is: DNS abuse. It’s also no small irony that certain AFF actors were quick to adopt plausible deniability with hidden content on a seemingly innocent website. Certain Registrars taught them well. The same practices can also be seen in BEC, where the MX is pointing elsewhere.

Even currently a “Repossessed Domain” is still merrily spoofing a major financial institution.58 Where the domain should have been suspended, non-standard practices were deployed that merely took care of online content issues. There are reasons for best practices, such as suspending the domain with the appropriate locks.59 That disables all the various ways a domain can be abused in AFF and BEC.
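The difference between "content taken down" and "domain suspended" in the two paragraphs above can be checked rather than taken on trust. The following is an added example, not code from the post, from any registrar or from a DNS vendor: it treats a name as mitigated only when its registration carries an EPP hold status (clientHold or serverHold, the locks that pull a name out of the zone), and otherwise lists every DNS record that still lets the name be used, so a domain whose web page is gone but whose MX now points at a mail provider is reported as live. A second function compares two snapshots of the same domain and reports moved A, MX or NS sets, which is the host-hopping pattern. The snapshots below are constructed (placeholder names under the reserved .example TLD, documentation IP ranges) so the check runs offline; in practice epp_status would come from an RDAP or WHOIS lookup and the records from a resolver.

```python
"""Is a 'suspended' domain actually inert? (added example, not the post's code)"""
from dataclasses import dataclass

# EPP status values under which the registry removes the name from the zone.
HOLD_STATUSES = {"clientHold", "serverHold"}


@dataclass
class Snapshot:
    """DNS and registration state of one domain at one point in time."""
    domain: str
    epp_status: frozenset = frozenset()   # e.g. {"clientHold"}, from RDAP/WHOIS
    a: tuple = ()                          # web: A record addresses
    mx: tuple = ()                         # mail: MX targets
    ns: tuple = ()                         # delegation: NS hosts


def assess(snap):
    """Return whether the name is mitigated and which abuse vectors are still live."""
    if snap.epp_status & HOLD_STATUSES:
        return {"domain": snap.domain, "mitigated": True, "live_vectors": []}
    vectors = []
    if snap.a:
        vectors.append("web: A -> " + ", ".join(snap.a))
    if snap.mx:
        vectors.append("mail: MX -> " + ", ".join(snap.mx))
    if snap.ns and not vectors:
        # No web or mail right now, but the delegation stands: records can reappear.
        vectors.append("delegated: NS still set, records can reappear at any time")
    return {"domain": snap.domain, "mitigated": False, "live_vectors": vectors}


def detect_host_hop(before, after):
    """List A/MX/NS sets that moved between two snapshots of a still-live domain.

    Returns None when the name is now on hold or when nothing moved.
    """
    if before.domain != after.domain:
        raise ValueError("snapshots must be of the same domain")
    if assess(after)["mitigated"]:
        return None
    moved = []
    for label in ("a", "mx", "ns"):
        old, new = set(getattr(before, label)), set(getattr(after, label))
        if new and new != old:
            moved.append(f"{label.upper()}: {sorted(old)} -> {sorted(new)}")
    return moved or None


# Constructed sample snapshots (placeholder names and documentation addresses).
LAWYER_DAY1 = Snapshot("fake-lawyer.example", a=("198.51.100.10",),
                       mx=("mail.fake-lawyer.example",), ns=("ns1.host-a.example",))
LAWYER_DAY2 = Snapshot("fake-lawyer.example", a=("203.0.113.77",),
                       mx=("mail.fake-lawyer.example",), ns=("ns1.host-b.example",))
# "Suspended" at the content level only: no web, but mail moved to a mail provider.
BANK_SPOOF = Snapshot("bank-spoof.example", a=(), mx=("mx.mailprovider.example",),
                      ns=("ns1.host-a.example",))
# Properly suspended: hold status set, whatever records remain in the data.
HELD = Snapshot("held.example", epp_status=frozenset({"clientHold"}),
                a=("198.51.100.10",), ns=("ns1.host-a.example",))


if __name__ == "__main__":
    for snap in (LAWYER_DAY2, BANK_SPOOF, HELD):
        print(assess(snap))
    print(detect_host_hop(LAWYER_DAY1, LAWYER_DAY2))
```

The point of keying the verdict on the hold status rather than on an empty web page is exactly the Bank of America case above: a blank index page says nothing about mail, and a moved NS set says the content is about to come back somewhere else.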

Setup for failure

A consistent solution for mitigating AFF abusing the DNS system has never existed. Though we theoretically have strong policies and procedures that should be applied against any abuse of the DNS system, these policies are gamed and never properly applied, sometimes much watered down for the financial benefit of self-interests and substituting for real action. While the general outcry of businesses getting defrauded grows as BEC grows, we need to remember this abusive growth came at the cost of thousands of consumers getting defrauded annually. These victims’ complaints were not properly mitigated; some were simply ignored. BEC is only the most recent evolution of AFF. Without a clear policy of mitigating AFF abusing the DNS system, we are setting ourselves and the internet up for failure. Previously the price of this failure was borne by casual consumers. Now businesses are equally joining the victim arena. How many lives need to be destroyed and how much more money needs to be lost before we start to really solve this systemic abuse? No provider of any service on the net can any longer pretend “it’s not my problem”: it’s everybody’s problem.

No Registrar can any longer afford to say “We are only a registrar”, not when “only” is wrapped in a myriad of obligations. “Only” has bolted the stable. The slow-growing “joker” AFF problem we’ve been recording since at least 2003 is now a full-blown threat to the world economy in your domain of responsibility, and it has a name: Business Email Compromise, or BEC. What more will it take? Some class action lawsuits against the risk-averse registrars that bury their heads in the sand? A de-registration as per section of the RAA?

2019 is your wake up call back to reality.

This is a joint blog post by Scam Survivors and Artists Against 419.