My work station is the Interpol Global Complex for Innovation in Singapore. In fact, I am in Singapore right now.
The role of the cybercrime directorate is to provide operational support to member countries in the area of cybercrime investigations. The main functions of the cybercrime directorate include assisting member countries in coordinating and facilitating investigations into transnational crime and focusing on pure cybercrime—botnets, malware, and high-end cybercrime enablers, such as bulletproof hosting services, professional remittance services, or DDoS.
I understand that we are here to discuss the anti-spam legislation. Please be aware that from the perspective of the cybercrime directorate of Interpol, we do not focus much on anti-spam activities. Instead, we focus on criminal investigation. However, I can provide details in the context of cybercrime, since a lot of cybercrime originates from spam emails.
Among these, one of the most typical examples is the business email compromise, the BEC fraud. Email fraud spamming is one form of normal commercial spamming activity. Of note is that we are not talking about normal and commercial spam emails, which only contain commercial messages and do not contain any attachment or malware. Most BEC fraud, which we sometimes call the “CEO fraud”, starts with spam emails.
Before going further into these emails, we need to understand the modus operandi of such crime. For most situations, the CEO, or any high official of the company, receives spam emails with a malicious attachment. If someone executes such an attachment from the spam email, it allows their computer to be compromised. The culprit, after being able to access the email account of the CEO, studies, through reading the emails, the operation of the company, the way the company spends money, and even the style of email writing of that CEO. The culprit will then choose optimum timing—for example, during the vacation of the CEO—to send fraudulent emails on behalf of the CEO to order payment to specific bank accounts.
This modus operandi that I mentioned was further confirmed from the BEC cases provided by member countries who asked for assistance from Interpol. It can also be confirmed from a proactive investigation that Interpol participated in. In 2016, with the assistance of experts from external companies, we carried out reverse engineering on some malware samples that we found in common spam emails. We found that the attachment of the spam email, after being executed, would be equipped with the function of capturing the email log-in credentials of the victims. With detailed analysis of the behaviour of the malware, we were able to dig out some of the clues that led to the identification of the suspect who controlled the malware. Eventually, we were able to fully identify the suspect through open-source investigation. The same information was passed to the law enforcement agency in the country where the suspect was situated. At last, in June of 2016, the suspect was arrested.
After the arrest, our unit was further asked to assist in the examination of the notebook computer seized from the suspect. The sending of spam emails in order to phish for compromised email accounts from victims was further confirmed. Evidence suggested that the suspect downloaded millions of email addresses and used specific software to send out bulk junk emails in an automated manner. The content of the email was very simple:
Good day,
Final invoice copy attached.
Best regards,
xxx
A file named “invoice” was attached to the email. We carried out further analyses on this attachment file and confirmed that it was malware. It had the capability to steal email credentials from victims.
After stealing email log-in credentials, the suspect logged in to victims' computers and their email accounts and breached their email. There was evidence that suggested the suspect logged in to some of the accounts over 200 times within a few months, and hundreds of emails were compromised.
There was also evidence to suggest that the suspect modified invoices that he very likely obtained from the compromised email accounts. In his computer, he amended the bank account details of the original document, with a view to deceiving the financial staff into depositing money into malicious accounts.
Interpol did not collect crime figures from member countries, and I'm afraid that I cannot give you detailed quantitative statistics. However, Interpol got feedback from member countries that the issue of BEC has been one of the types of crime of most concern recently.
Interpol has organized two international conferences recently, one in Spain in June and one in France in October, both concerning BEC fraud. A total of 60 participants from 30 countries participated in the meetings and raised concerns about BEC.
That's all.
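As an added illustration of the two defensive checks the modus operandi above implies, and not part of the testimony or of any Interpol tool, the following Python flags an invoice whose bank details differ from the vendor's record and an email account logged into more than 200 times within a rolling window. The vendor names, account numbers and login timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vendor master file: the bank details finance staff hold on record.
VENDOR_MASTER = {
    "Acme Supplies": {"bank": "Example Bank", "iban": "GB00EXMP00000000000001"},
}


def check_payment_details(invoice, master=VENDOR_MASTER):
    """Compare the bank details on an incoming invoice with the vendor record.

    A changed account on an otherwise familiar invoice is the tampering the
    testimony describes, so payment should be held and verified out of band.
    """
    record = master.get(invoice["vendor"])
    if record is None:
        return "UNKNOWN_VENDOR"
    if (invoice["bank"], invoice["iban"]) != (record["bank"], record["iban"]):
        return "BANK_DETAILS_CHANGED"
    return "MATCH"


def accounts_over_login_threshold(events, threshold=200, window=timedelta(days=90)):
    """Return accounts with more than `threshold` logins inside any `window`.

    `events` is an iterable of (account, datetime) pairs from mailbox audit logs.
    """
    by_account = defaultdict(list)
    for account, ts in events:
        by_account[account].append(ts)
    flagged = set()
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(account)
                break
    return sorted(flagged)


# Constructed audit log: one mailbox hit 201 times in about 58 days, another 50 times.
BASE = datetime(2016, 1, 1)
SAMPLE_LOGINS = [("ceo@example.test", BASE + timedelta(hours=7 * i)) for i in range(201)]
SAMPLE_LOGINS += [("clerk@example.test", BASE + timedelta(days=i)) for i in range(50)]

if __name__ == "__main__":
    print(check_payment_details({"vendor": "Acme Supplies", "bank": "Example Bank",
                                 "iban": "GB00EXMP00000000000099"}))
    print(accounts_over_login_threshold(SAMPLE_LOGINS))
```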