
I’m often asked why I transitioned from Anti-Financial Crime/Fraud to Cyber Security. The answer is I didn’t transition. Crime transitioned, and I moved along with it.
In recent times, quite a few cases have hit the news headlines in which we clearly see the convergence between Financial Crime and Cyber Security, or should I say, cybercrime. There’s no way I can talk about this without referring to the most recent case of Rammon Abbas, a.k.a. “Ray Hushpuppi”.
Described as a social media celebrity, Rammon was arrested in Dubai in late June and arrived in the U.S on 3 July to face criminal charges over allegations of business email compromise and other scams. Abbas flaunted his opulent lifestyle to his millions of followers on Instagram. Ironically, his social media activity was key as investigators were able to track his movements by following his posts on Instagram and Snapchat.
The FBI’s investigations revealed that Abbas’ opulent lifestyle was financed through crime. He is considered to be one of the leaders of a transnational network that facilitates computer intrusions, fraudulent schemes, and money laundering.
Detection
The Criminal Investigation Department (CID) at Dubai Police received intelligence that there was an African gang involved in money-laundering and cyber fraud. Once the intel was verified, the team started tracking the gang including “Hushpuppi”, who celebrated his ‘wealth’ via social media under a ‘businessman’ façade.
The anti-cybercrime task force was able to track the gang members and detect their criminal activities which included: creating fake social media accounts, hacking corporate emails, creating fake websites for well-known companies and banks in a bid to steal victims’ credit card information etc.
Business Email Compromise Fraud (Cybercrime)
Abbas’ main modus operandi was to operate Business Email Compromise fraud (also known as CEO fraud). CEO fraud is a scam in which a cybercriminal pretends to be an executive in order to trick an employee into releasing company funds or confidential information. In effect, the organisations’ email addresses would have been spoofed at some point (i.e. fake emails created from their domain names). Criminals can also spoof text messages and even phone calls.
Next, the attacker would have penetrated the organisation’s network by sending out phishing emails. These emails have attention-grabbing subjects and just beg to be opened – they could have links, attachments or just plain text. However, it takes just one click and malware or spyware enters the target organisation. Organisation-level security awareness for employees can reduce the likelihood of this happening.
Once inside, the attacker may do nothing for a period of time and can sit ‘unobserved’ for months, studying the key individuals and protocols required to perform wire transfers, typically employees in the Financial and HR departments, CFOs, CEOs etc. Federal documents detailed how a paralegal at a New York law firm wired $923,000 meant for a client’s real estate refinancing to a bank account controlled by Mr Abbas and his co-conspirators.
Additionally, having gained unauthorised access to organisations’ business email accounts, they would block or redirect communications to and from that email account. They would then proceed to use the compromised email account or a separate fraudulent email account to communicate with personnel from the victim company in an attempt to trick them into making an unauthorised wire transfer.
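The spoofed addresses and separate fraudulent accounts described above leave traces in message headers that a mail team can triage before a payment request is acted on. The sketch below is an added example, not part of the original article or of any investigator's tooling; the organisation domain `example.com`, the keyword list, the indicator names and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed keyword list for payment-related requests (illustrative only).
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|bank details|beneficiary|invoice)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw, org_domain):
    """Return the BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    auth = (msg["Authentication-Results"] or "").lower()
    found = []
    # Our own domain in From, but the receiving server recorded an auth failure.
    if sender == org_domain and re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        found.append("spoofed-org-domain")
    # A separate account on a domain one or two characters away from ours.
    if 0 < edit_distance(sender, org_domain) <= 2:
        found.append("lookalike-domain")
    # Replies would be redirected away from the apparent sender.
    if reply_to and reply_to != sender:
        found.append("reply-to-redirect")
    body = "" if msg.is_multipart() else msg.get_payload()
    if PAYMENT_TERMS.search((msg["Subject"] or "") + " " + body):
        found.append("payment-request")
    return found

# Constructed sample messages; example.com is the assumed organisation domain.
SPOOFED = ("From: CEO <ceo@example.com>\n"
           "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\n"
           "Subject: Urgent wire transfer today\n\nPlease process before 3pm.\n")
LOOKALIKE = ("From: CEO <ceo@examp1e.com>\nReply-To: ceo.office@mail.test\n"
             "Subject: Updated bank details\n\nUse the new beneficiary account.\n")
BENIGN = ("From: Alice <alice@example.com>\n"
          "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
          "Subject: Lunch on Friday\n\nSee you at noon.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(name, bec_indicators(raw, "example.com"))
```

A message that combines a payment request with any of the other three indicators is the one to hold for out-of-band confirmation with the apparent sender.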
According to the US Secret Service, this was a challenging case that spanned international boundaries, traditional financial systems and the digital sphere. Technology has essentially erased geographic boundaries, leaving trans-national criminal syndicates to believe that they are beyond the reach of law enforcement.
Money Laundering (Financial Crime)
Money laundering is typically the end result of most financial crime/fraud as most career criminals want to portray their ill-gotten funds as ‘clean’ money. It typically has 4 stages: Sources of Funds (Income), Placement (depositing criminal proceeds into the financial system), Layering (concealing the criminal origins of proceeds), Integration (creating an apparent legal origin for proceeds of crime).
Rammon Abbas conspired to launder funds stolen in a $14.7m cyber-heist from a foreign financial institution in February 2019, by sending it in smaller amounts to bank accounts around the world (layering). He allegedly provided a co-conspirator with two bank accounts in Europe that he anticipated would each receive about $5.6m of the fraudulently obtained funds. He also claimed he was a real estate developer and a Brand Influencer (integration).
The Raid
The raid resulted in the confiscation of incriminating documents of a planned fraud on a global scale worth $435m. Also seized were $40.9m in cash, 13 luxury cars with an estimated value of $6.8m obtained from fraud crimes, 21 confiscated computer devices, 47 smartphones, 15 memory sticks, and five hard disks containing 119,580 fraud files as well as addresses of about 1.9m victims.
Following analysis of confiscated electronic devices, Dubai Police investigators uncovered sensitive information mined by the suspects on individuals and companies, including documents condemning the gang’s illegal activities. A dozen alleged co-conspirators were also arrested in a series of co-ordinated raids.
The Good Guys
Well, if cybercriminals can use the digital world to exploit victims, law enforcement can use the same digital footprint to apprehend criminals. Hushpuppi is a classic example, as his Instagram and Snapchat accounts were key in tracking him and gathering evidence.
For instance, having an IG account meant he had to provide an email address and phone number for account security. Federal officials were able to link the email and phone number to financial transactions and transfers with people the FBI believed were his co-conspirators. The email account also contained emails with attachments relating to wire transfers in large dollar values. His birthday celebration on Instagram was used by investigators to confirm his date of birth on a previous US visa application.
At the start of this article, I wrote that financial and cybercrime had merged. The main change is in the Source of Funds, which typically used to be tax crimes, drugs, bribery & corruption, fraud and theft. This still stays the same, but it is the nature of fraud and theft that has changed. They are now almost all cyber enabled.
Rammon Abbas’ case is a classic case of the convergence of forensic investigations (electronic reviews, data analytics, computer forensics evidence collection etc.), money laundering (layering & integration), fraud, cyber security (business email compromise, phishing, key stroke captures etc.) and organised crime.