West African bad actor impersonates financial advisors to steal millions


In an ongoing scheme, a West African threat actor is impersonating financial advisors and their regulator by creating lookalike websites and fake customer onboarding processes real enough to reel in wealthy clients. Along the way, the group is hurting the brands of impersonated advisors, their employers and social media influencers whose image and likeness fraudsters are using to promote the scams.

Impersonating financial advisors is hardly a new idea, but this scheme has a few new wrinkles. For one, the threat actor is impersonating brokers as well as influencers on TikTok and Instagram to snare victims. For another, the perpetrators are well-organized and able to quickly spin up new impersonation websites.

According to DomainTools, a cybersecurity company that provides threat intelligence data, another recent twist is that the as-yet-unnamed threat actor behind the scheme has started impersonating the Financial Industry Regulatory Authority. FINRA is a self-regulatory organization that governs U.S. broker-dealers.

DomainTools says the West African threat actor behind the scheme is using the domain finraglobal[.]org (which is currently active), email address admin@finraglobal[.]org and IP address 82.180.172[.]248. These are all indicators of compromise that banks and their technology vendors can look for in incoming network traffic and block to protect themselves from the threat.
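The indicators above are published in defanged form (`[.]` in place of `.`), so a blocking or alerting rule has to refang them first and then match them carefully: a domain indicator should also catch subdomains, but not unrelated domains that happen to contain the same string, and an IP indicator must not match a longer address that merely starts with the same digits. The following Python is an added example, not DomainTools' tooling; the three indicators are the ones reported in the article, while the log lines are constructed samples of the DNS, mail-gateway and firewall formats a bank might have on hand.

```python
import re

# Indicators of compromise reported by DomainTools, as defanged in the article.
DEFANGED_IOCS = {
    "domain": "finraglobal[.]org",
    "email": "admin@finraglobal[.]org",
    "ip": "82.180.172[.]248",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {kind: refang(value) for kind, value in DEFANGED_IOCS.items()}

# Constructed sample log lines (not real traffic): a resolver log, a mail
# gateway log, a firewall log, and a benign lookup of the real FINRA site
# that must not match.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z dns client=10.0.4.17 query=www.finraglobal.org type=A",
    "2024-03-01T10:03:40Z smtp from=admin@finraglobal.org to=client@example-bank.test subject='KYC verification'",
    "2024-03-01T10:04:02Z fw action=allow src=10.0.4.17 dst=82.180.172.248 dport=443",
    "2024-03-01T10:05:55Z dns client=10.0.4.18 query=brokercheck.finra.org type=A",
]

# The domain itself or any subdomain of it; the lookbehind rejects a longer
# label such as 'notfinraglobal.org' and a mailbox ('@'), which the email
# indicator reports instead.
_DOMAIN_RE = re.compile(
    r"(?<![a-z0-9.@-])(?:[a-z0-9-]+\.)*" + re.escape(IOCS["domain"]) + r"(?![a-z0-9-])"
)
# Anchor the address so 82.180.172.248 does not match 182.180.172.2481.
_IP_RE = re.compile(r"(?<![0-9.])" + re.escape(IOCS["ip"]) + r"(?![0-9.])")


def match_line(line: str) -> list:
    """Return (ioc_kind, indicator) pairs found in one log line."""
    lowered = line.lower()
    hits = []
    if IOCS["email"] in lowered:
        hits.append(("email", IOCS["email"]))
    if _DOMAIN_RE.search(lowered):
        hits.append(("domain", IOCS["domain"]))
    if _IP_RE.search(lowered):
        hits.append(("ip", IOCS["ip"]))
    return hits


def scan_logs(lines) -> dict:
    """Map the index of every matching line to the indicators it hit."""
    result = {}
    for index, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            result[index] = hits
    return result


if __name__ == "__main__":
    for index, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {index}: {hits}")
```

In a real deployment the same matcher would sit behind a DNS resolver, mail gateway or proxy rule; the point of the anchoring is that the block decision stays precise, so a legitimate lookup of finra.org is never caught by the finraglobal.org indicator.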

On BrokerCheck, FINRA's website for researching brokers' backgrounds, FINRA warns that fraudsters "may link to BrokerCheck from phishing and similar scam websites" and that each user should "make sure you know who you're dealing with when investing, and contact FINRA with any concerns."

FINRA reported in February 2021 that it had observed an increase in cyber-related incidents, including those exactly mirroring the active campaign DomainTools reported earlier this year. 

How it works

In these schemes, the threat actor registers a domain name that includes, or in some cases exactly matches, the name of a real broker. The threat actor then builds a website at that domain that includes true information about the broker and uses actual images of them, but replaces their real contact information with email addresses, phone numbers and links that route the victim to the threat actor.
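Because the fraudulent domains include, or exactly match, a real broker's name, a firm can watch newly observed domains for labels that contain a normalized form of each advisor's name. The following Python is an added example of that check, not DomainTools' or any firm's own tooling; the advisor names, the allowlisted legitimate domains and the list of new domains are all constructed for the demonstration.

```python
import re

# Constructed watch data: fictitious advisors, the firm's own legitimate
# domains, and a batch of newly observed domains to screen.
ADVISORS = ["Jane Doe", "Robert A. Smith"]
LEGITIMATE_DOMAINS = {"example-wealth.com", "jane-doe.example-wealth.com"}
NEW_DOMAINS = [
    "janedoe-advisors.com",
    "jane-doe.net",
    "robertsmithwealth.org",
    "doejanefinancial.com",
    "example-wealth.com",
    "weather-smith.com",
]


def name_candidates(full_name: str) -> set:
    """Strings a lookalike label might contain: first and last name in both
    orders, with and without a hyphen. Middle initials are dropped."""
    tokens = [t for t in re.findall(r"[a-z]+", full_name.lower()) if len(t) > 1]
    if len(tokens) < 2:
        return set(tokens)
    first, last = tokens[0], tokens[-1]
    return {first + last, first + "-" + last, last + first, last + "-" + first}


def registrable_label(domain: str) -> str:
    """Second-level label of a domain. Simplification: multi-label public
    suffixes such as co.uk are not handled; a public-suffix list would be
    needed for that."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_lookalikes(domains, advisors, allowlist) -> list:
    """Return (domain, advisor, kind) for every domain whose registrable label
    contains an advisor's name; kind is 'exact' when the label is the name."""
    hits = []
    for domain in domains:
        if domain.lower() in allowlist:
            continue  # the firm's own sites are expected to carry these names
        label = registrable_label(domain)
        for name in advisors:
            for candidate in name_candidates(name):
                if candidate in label:
                    kind = "exact" if label == candidate else "contains"
                    hits.append((domain, name, kind))
                    break  # one report per advisor per domain is enough
    return hits


if __name__ == "__main__":
    for domain, name, kind in flag_lookalikes(NEW_DOMAINS, ADVISORS, LEGITIMATE_DOMAINS):
        print(f"{domain}: {kind} match for {name}")
```

Flagged domains are leads for review rather than proof of fraud, since a common surname will produce false positives; the allowlist keeps the firm's own sites, which legitimately carry advisors' names, out of the report.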

Image: DomainTools found this website, impersonating a financial advisor, with information about their background taken from LinkedIn and other sources, according to the company. DomainTools blurred identifying information to protect the identity of the person being impersonated.

The threat actor steals money from the victim under the guise that it is going toward an investment fund, which they depict over time as growing, in hopes of stealing additional funds. This scheme is known as pig butchering because it involves fattening up a faux investment account that the threat actor eventually closes without notice, "killing" it.

On top of stealing funds, the West African threat actor in this case is imitating FINRA to steal identifying information about victims.

Image: Part of a website impersonating a financial advisor claims that FINRA is the person's KYC and AML services provider. FINRA does not actually provide such services.

The faux broker websites that DomainTools found claim that FINRA is the KYC (know your customer) and AML (anti-money laundering) services provider. These websites direct victims to an identity verification form where they can upload a utility bill, proof of residence, driver's license or other kinds of identification.

FINRA does not actually provide KYC or AML services. DomainTools said the threat actor impersonates FINRA simply to create credible grounds for stealing identifying information, which the threat actor can then use itself or sell to other malicious actors.

How the threat actor gets online

The unnamed threat actor in this case has apparently gotten some help from a service provider known as SpeedHost247, a reseller of hosting tools and content delivery services, according to Sean McNee, DomainTools' vice president of research and data. McNee said it is unclear where exactly the company is based, but that it lists U.S., Canadian and Nigerian contact information on its website.

"We don't think that SpeedHost247 is just ignorant to what's happening," McNee said. "We think they are a willing partner in providing these hosting services for entities to scam people's money, and they are probably making good cash."

DomainTools has found a "considerable amount" of overlap between financial advisor impersonation activity and hosting provider SpeedHost247, according to the researchers' blog post on the matter, but SpeedHost247 is not the only provider the threat actor has used.

During a conversation between a DomainTools researcher and a SpeedHost247 representative, the researcher acted as an interested customer inquiring about services. The representative told the researcher to use "fake information please" when registering the website and promised "no blocking" and "no suspension" for the website after the researcher said only that they were looking to host a "financial service" site.

In response to a request for comment, a SpeedHost247 representative said the service hosts "over 3 million websites and 99% of the orders and process are carried out automatically" and that "on each report related to fraudulent website activity we take those websites down on report."

The representative said the provider has "zero idea" what type of website runs on the server until it is reported, because "we can't possibly monitor" all websites that have been ordered, and said DomainTools' claims were grounds for a lawsuit.

"We could sue DomainTools for wrong finding," the SpeedHost247 representative said. The representative added that DomainTools' claims amounted to "a promotion for more bad [actors] and scammers to order services."

How West African threat actors operate

In the fraud and phishing space, West African threat actors are perhaps best known for the Nigerian prince scams: emails, text messages, faxes and other communications that claim a royal needs the would-be victim's help moving a large inheritance to safety and promise a handsome reward for assistance.

Cybersecurity researchers refer to these scams today as 419 scams, a reference to the section of Nigeria's criminal code dealing with fraud. Despite their notoriety, these scams raked in more than $700,000 in 2018, according to a report from ADT Security Services, using data from the Better Business Bureau's Scam Tracker.

West African threat actors run more than just 419 scams. Last year, the Department of Justice announced that the United Kingdom would extradite three Nigerian nationals for their alleged roles in trying to steal $5 million from universities in North Carolina, Texas and Virginia via business email compromise schemes.

Most scams that West African threat actors run do not yield losses as large as the $1.9 million that the North Carolina university in that case lost, according to McNee. In the scheme DomainTools has been tracking, the company has found by monitoring cryptocurrency blockchains that the group has netted stolen assets totaling at least $1 million.

These losses come in the form of "$50,000 here, $100,000 there," McNee said, and the threat actor targets numerous victims for these relatively small amounts rather than a few big whales for large sums. He said these small individual thefts draw less attention to the threat actor than the sum of its efforts warrants.

"The entire West African nexus of cybercrime and scams is extraordinarily large, and I don't think it gets enough notice or respect like it should," McNee said. "This entire area is amazing in how well-organized it is, at how fast and efficiently it operates and how well it pivots through different technologies."
