Email Crimes Funding Global Terror
“It’s Not Just Who Emails Are From, It’s Where”
Cyber Crime Reaches Janet at Work
It’s 8:35 am on a Tuesday morning, and Janet has arrived at her work desk, as she has for the past twelve years. Janet is a hard worker, and has a great work ethic. She is the glue that holds the office together when the company is busy. Janet has opened her email and sees and email from her boss, the owner of the company.
The email reads:
Good morning Janet,
One of our vendors (ACME steel) will be contacting you this morning about our recent purchase of wall materials being put into the warehouse by David and his team. Please go ahead and use my card to pay the $4,450 fee and I will resolve it once I get to the office about 11am.
Let me know if you have any questions.
Approximately 15 minutes later, Janet’s phone rings and it’s Cynthia from ACME steel, who promptly takes the payment and thanks Janet for handling this issue first thing in the morning.
In this example, Janet has just paid over $4,000 to someone who will eventually fund a firearm purchase in Syria. Janet, the prompt and hardworking employee, never really received an email from the owner of the company, or a company called ACME steel. The email and the phone call were from one of the thousands of centralized centers sponsoring this kind of criminal activity. In fact, annual revenue to these online virtual crime centers exceeds $2.5 billion dollars a year. These cyber criminals gain a new victim every 82 seconds on average, twenty-four hours a day, seven days a week.
Cyber Criminals Quickly Invest Their Free Money
So, where does all that free money go? Some of it goes to general travel, creating fake passports, housing, and even gambling ventures. After all, if they win at gambling, they get more money. If they lose, they just go scam more money from people with malware and ransomware. Or, maybe just another boss scam email campaign like the one experienced by Janet in the first example.
Due to fast turnaround and the use of existing infrastructure to hold cash, the drug trade most directly connects the scammed dollars to the people who fund and support terror organizations. The money collected by ransomware and other socially-engineered crimes primarily goes to the raw materials and labor used for the illegal drug production, while hundreds of millions of dollars go to complex transactions like the resale of military equipment, or something as simple as the daily living expenses of a criminal network. Every step taken to reduce this revenue stream is a step toward the reduction of global terror networks and the cyber criminal networks that support them.
Understanding an Email’s Origin
Before we look at correlating email crime revenue to the funding of terror organizations, we need to review some less obvious things about email crimes. Most email crimes don’t occur from someone’s home PC, but they do come from somewhere. The email criminal is looking for a weakly protected server at a web site provider, or perhaps a desktop PC owned by a student in India. These cyber criminals may also look for a computer host that has the operating system they are best at penetrating (i.e. Windows, Linux). They are always looking for computer operating systems that haven’t been patched for vulnerabilities in a long time. Many of these criminals will use emails to deliver malware via links in the email, or use attachments like documents or computer “helper” programs that aren’t what they seem.
The cyber criminals themselves aren’t typically computer security experts, because they don’t have to be. Criminals simply use stolen money to purchase vulnerable information found by the people who are computer experts. All the criminal really needs is a set of instructions and a bunch of unsuspecting email addresses to begin their rampage on their victim’s bank accounts.
Once the server has been selected and compromised by the cyber criminals, it becomes a race against the clock to use the server (or other host) before the owner has detected the criminal’s presence. Within minutes, the hijacked server (or other computer system) has sent millions of scam emails that are directing cash from their victims directly to accounts that are untraceable, or in the form of non-standard revenue like bitcoin.
Many of the people perpetrating these crimes don’t even return the computer back to the victim after the ransom is paid. Ironically, this is because it would cost the criminals more to build a program that returns the computer to its original state.
The email criminal by may be in Miami, Florida, but the unpatched server that sent the email crimes may be in a university computer lab in Germany that hasn’t had an IT team in five years due to lost funding.
In our earlier email fraud example, Janet’s email from her boss in Tempe, Arizona came from a hijacked PC in Vietnam. If only Janet could have known that before receiving the call for a terror-funding money transfer.
A Geolocation Perspective of Email Crime Comes into View
Email security is an investment, like any security technology strategy. The more you invest in protecting yourself or your customers from cyber crimes, the less crime will typically occur, even though no strategy is 100% effective. Cyber criminals who generate revenue from email campaigns aren’t looking for the ultimate hack to show their skills. They’re looking for the easiest path to revenue.
A data center with a lack of security investment is a breeding ground for the email cyber crime used to fund terror activities. Security investment takes a geo-perspective, as shown in red sections of the map where phishing and malware concentrations exist.
As you would see in a side road motel, where the front desk attendant is asleep and the locks are old, criminals will check in and set up shop, always making sure not to close the motel, or remind the hotel owner that they are there.
Security investment in email infrastructure can generally be classified by the wealth of the country (or other entity) the computer host resides in. Weak government laws and little enforcement, a lack of funding for security staff, a lack of controls around patching, not enforcing password expirations, and a loss of other security best practices has pushed criminals literally into specific corners of the world. These computer systems, even if the criminal themselves are not, are generally located in the same regions we see reported as terror-sponsoring/sponsored states.
U.S. Efforts Causing Geolocated Cyber Crime
The U.S. Congress has taken some serious steps toward protecting companies, government networks, and U.S. citizens from cyber crime. The U.S. Senate Intelligence Committee met in January of 2017 to review the impact of email compromise for every aspect of life in the U.S., including the potential impact on a presidential election, but ultimately resolved to the American public that they need to protect themselves and stop looking to the government for answers to computer cyber crimes, 85% of which occur over email. But the U.S. government’s efforts are better than most, and the best security innovation and investment in the world take place in the U.S., so U.S. companies are just too difficult to compromise for email campaigns, as compared to their international counterparts. These U.S. entities are instead targets of the crimes, instead of systems that deliver them.
Cloud Expansion Causing Geolocated Cyber Crime
As cloud providers have taken on the responsibility of email security, they also balance the open nature of email communications. After all, many of their customers will have entities in other countries that send and receive legitimate emails to them.
Thus, the geolocation door is left open and instead extreme efforts are taken for user authentication (password) protection and watching for anomalies in network traffic, as in the case of government and corporate entities scrambling email content.
The cloud-based email platforms have continued to push crime and activity that supports terror efforts into less capable network environments. Committing bulk email crimes in cloud environments turns up as abnormal activity, while a simple customer complaint about an email scam can give cloud providers all they need to trace the email sender down to their IP address and block it while pursuing charges where they can. This is not the world a cyber criminal supporting terrorist activities wants to operate in.
Many cloud providers will have U.S.-based data center resources and email server resources offshore. Their email traffic is designed to stay within the country of origin to improve performance and reduce costs, unless it is to be sent to someone in another country. This strict cloud traffic behavior makes geolocating emails even more revealing, even when both the sender and recipient are part of the same global cloud provider.
Banking Rules Causing Geolocated Cyber Crime
Continued email fraud geolocation-restriction comes into play when the cyber criminals want to collect money from their victims, or transfer it to terror organizations. Banking systems in the U.S. and many developed countries have become very sensitive to money movement to identify, stop, and prosecute banking fraud used by the criminals who are sending phishing, malware, and ransomware emails. This intensification of money monitoring has further forced the criminal activity into less-managed global locations, the same locations reported by the U.S. government as terror-prone, having restricted travel for safety, or other global warning messages.
The Geolocation of Emails
Not who the email came from, where the email came from. With all that we have discussed in this article, it becomes clear that most email crimes come from certain places due to the same circumstances that cause all global crimes to occur. Current security efforts, in critical and well-funded email environments, are working to make sure the sender is verified at a high level, and checking if emails contain web links that are known dangers, and some even encrypting the email to scramble its contents, ensuring the email recipient is the only one that can read it.
But, it has become the physical global origin of an email that can provide the most understanding into an email’s intentions, and it needs to be done at a desktop email client to provide the last line of defense against email compromise. It isn’t that all malicious emails come from non-U.S. sites, but most email crimes do. Another major factor in the physical locations of hosts that get away with cyber crimes is the white list/blacklist approach to threat prevention.
When a server in the U.S. begins to propagate email crimes, it is found, plugged, and reported. That server host becomes part of a blacklist, until it is verified to be on track for security again. In less secure countries, this process is rarely followed, or not in place at all. For non-U.S. servers, it is typically a U.S.-based entity that identifies, plugs, and reports that email source to protect U.S. assets.
Locating the Email Sender from Their Email Location
As we have seen, crimes that use bulk email delivery prefer systems that will allow massive computing power with little notice of their activities, and rarely does the email sender reside in the same location as the systems they use for these purposes.
But, terror-related activity can (and does) sometimes occur directly from the computer system the criminal is using. Examples of this could be bomb threats to educational institutions, direct threats to someone’s general safety, or the phishing of information for stalking a victim’s residence or work place. In these cases, knowing the origin of an email can lead investigators almost directly to the person sending it.
In cases of first responders using emails from runaways to their parents, emails received from suicide threats who won’t disclose their locations, or emails received requesting assistance where no phone is located and their location is unknown, having the ability to determine “email origin” can be the difference in minutes between life and death.
As we build an awareness of an email’s geographic origins, we begin to build a “trust wall” between the end users and the criminals plotting to lock their computers, steal their passwords, or just gather intelligence for other crimes.
Email security teams everywhere need to provide an understanding of an email’s literal geographical origin as it arrives in user mailboxes (after cloud email processing), and the best place to do that is at the desktop email client where security decisions are made in real-time as people work, play, and communicate every day.
Knowing where an email came from, as much as who it came from, can reveal an email’s intentions and provide that one last piece of awareness to stop, glance, geolocate, resolve, before acting on an email’s content.
Kent Cartwright- CTO & Co-Founder at eMailGPS
With over 27 years in business technology experience, Mr. Cartwright has provided business service monitoring strategies, professional services, support, and alignment of people, process, and technology for some of the largest network enterprises in the world.