Three UK-based Nigerian BEC scammers used construction intelligence service to target their victims

esteria.white

On August 10, 2022, three Nigerians were extradited from the United Kingdom to the United States to face charges related to their role in carrying out Business Email Compromise (BEC) attacks against a number of companies based in the United States.

Oludayo Kolawole John Adeagbo, 43, Donald Ikenna Echeazu, 40, and Olabanji Egbinola, 42, were brought to North Carolina to face their charges, although some of their crimes were also charged in Texas and their victims are found across the United States and the world.

The three men were linked through their shared use of data on construction companies involved in multi-million-dollar construction projects. They were able to compromise those companies' email accounts through phishing attacks against targets drawn from a business intelligence service intended for use by prospective subcontractors.

BEC via similar domains

Victim A informed the FBI that someone was impersonating Victim B by sending emails from the address “accounts@lucasconstruct.com.” (The real company, Lucas Construction, of League City, Texas, uses the domain “lucasconst.com.”) In one email, Victim A received the very form its own company used to update vendor banking information. The sender was clearly familiar with their processes, as the email said:

Please find attached our completed ACH form and a copy of a void check as requested. Please let us know once updated.

After processing the change in banking information, Victim A sent the next construction payment of $525,282.39 to a SunTrust bank account instead of to Lucas Construction!

Victim C, a community college in the Houston, Texas area, had a similar experience: it sent $1,995,168.64 to a PNC bank account controlled by the criminals after receiving a similar request to update its records from “accounts@tellepsengroup.com”. The real domain (Victim D) should have been telpsen.com, a four-generation family-owned construction and concrete business in Houston.

Victim E, a Texas county government, sent $888,009.40 to a JPMorgan Chase account after being asked to update its banking records via an email sent from “accounts@dwcontractorsgroup.com.”

These three domains were registered through Namecheap by “Daniel Roberts,” who used three different email addresses for the domains: danielroberts604@mail.com, danielroberts605@mail.com and danielroberts606@mail.com. Additional domains, including TellepsenGroup.com, D1construct.com and SouthWoodBuilding.com, were also created by the criminal – close imitations of the real domains telpsen.com, d1construction.com and Southwoodbuilders.com. These domains were used to target additional victims with BEC attempts via requests to “update” banking records.

FBI investigators in Texas learned that danielroberts604 was also linked to an FBI investigation in Charlotte, North Carolina, in which he used the domain rodgersbuildersinc.com to commit a similar scam, as well as to another Texas scam that used the domain leelewisusa.com to steal funds from a school system in Dallas, Texas.

North Carolina was able to add another victim to the case: Appalachian State University, from which ADEAGBO and ECHEAZU were able to steal $1,959,925.02 using a similar methodology. The two men recruited a money mule in Los Angeles, California, Ho Shin Lee, who agreed to register a company, “Royce Hub Trading,” and open a JPMorgan Chase bank account in the same name. The funds were stolen by impersonating North Carolina-based “Rodgers Builders”: emails were sent from “accounts@rodgersbuildersinc.com” asking to change banking information. (The real company uses the domain rodgersbuilders.com.)

Construction market data

The scammers had subscribed to a service operated by Construction Market Data (CMD), which provided contact details relating to “hundreds of thousands” of commercial and civil construction projects.

CMDGroup.com
CMD allows a contractor to request a list of new projects under construction in their area and provides contact information for decision makers who are interested in hiring various specialty subcontractors and who have recently won large contracts. Although not specified in court documents, it is likely that the scammers sent phishing emails to construction companies listed as being involved in multi-million-dollar projects and then created lookalike domains for those targets. Once inside a compromised mailbox, they could monitor the victim’s email for an opportunity to insert themselves into a payment thread from one of their “lookalike domains.” This monitoring can be accomplished by planting malware, but is often done by adding “email forwarding rules” to the victim’s account that send relevant financial emails on to the criminal.
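The pattern above (a sender domain that closely imitates a known vendor, followed by a request to change banking details) is something an accounts-payable team or mail gateway can check for mechanically. The following is an added example written for this article and is not code from the original post or from any of the companies or agencies it names. It keeps an allow-list of the real vendor domains mentioned on the page, scores every other sender domain against them with a containment check and a similarity ratio (after stripping generic words such as “group” or “inc”), and escalates any non-trusted sender whose message talks about ACH forms or new bank details. The allow-list, the generic-suffix list, the keyword list and the sample messages are all constructed for the example; the threshold values are assumptions a real deployment would tune.

```python
"""Flag sender domains that imitate a known vendor and ask to change payment details.

Added example for the article; not code from the original post or from any party it names.
"""
from difflib import SequenceMatcher

# Real vendor domains named in the article (a constructed allow-list for this example).
TRUSTED_DOMAINS = {
    "lucasconst.com",
    "telpsen.com",
    "rodgersbuilders.com",
    "d1construction.com",
    "southwoodbuilders.com",
}

# Generic words scammers bolt onto or swap inside a company name (assumed, illustrative list).
GENERIC_SUFFIXES = ("construction", "construct", "builders", "building", "group", "inc", "llc", "usa")

# Phrases that signal a payment-instruction change (assumed, illustrative list).
PAYMENT_CHANGE_TERMS = ("ach form", "void check", "banking information", "bank details",
                        "wire instructions", "remittance")

SIMILARITY_THRESHOLD = 0.8   # assumed threshold on difflib's ratio
MIN_CONTAINMENT_LEN = 6      # shorter label must be this long before containment counts


def registrable_label(domain):
    """Return the second-level label, e.g. 'lucasconst' for 'lucasconst.com'.
    Assumption: single-label public suffixes only; production code would use the
    Public Suffix List so that 'example.co.uk' is handled correctly."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def core_name(label):
    """Repeatedly strip trailing generic words so 'tellepsengroup' compares as 'tellepsen'
    and 'rodgersbuildersinc' as 'rodgers'; leave at least four characters behind."""
    changed = True
    while changed:
        changed = False
        for suffix in GENERIC_SUFFIXES:
            if label.endswith(suffix) and len(label) - len(suffix) >= 4:
                label = label[: -len(suffix)]
                changed = True
                break
    return label


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return (verdict, imitated_domain_or_None, score) for an email address.
    verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return ("trusted", domain, 1.0)
    label = registrable_label(domain)
    best = ("unknown", None, 0.0)
    for t in trusted:
        t_label = registrable_label(t)
        short, long = sorted((label, t_label), key=len)
        contained = len(short) >= MIN_CONTAINMENT_LEN and short in long
        score = 1.0 if contained else max(similarity(label, t_label),
                                          similarity(core_name(label), core_name(t_label)))
        if score > best[2]:
            verdict = "lookalike" if (contained or score >= SIMILARITY_THRESHOLD) else "unknown"
            best = (verdict, t if verdict == "lookalike" else None, round(score, 3))
    return best


def triage(message):
    """Combine the domain verdict with a payment-change keyword check.
    Any non-trusted sender asking to change bank details needs out-of-band verification."""
    verdict, imitated, score = classify_sender(message["from"])
    text = (message.get("subject", "") + " " + message.get("body", "")).lower()
    asks_for_change = any(term in text for term in PAYMENT_CHANGE_TERMS)
    return {"from": message["from"], "verdict": verdict, "imitates": imitated, "score": score,
            "payment_change": asks_for_change, "escalate": asks_for_change and verdict != "trusted"}


# Constructed sample messages; the first body is the text quoted in the article.
SAMPLE_MESSAGES = [
    {"from": "accounts@lucasconstruct.com", "subject": "Updated ACH",
     "body": "Please find attached our completed ACH form and a copy of a void check as requested. "
             "Please let us know once updated."},
    {"from": "accounts@tellepsengroup.com", "subject": "Records update",
     "body": "Please update your records with our new bank details before the next draw."},
    {"from": "accounts@dwcontractorsgroup.com", "subject": "Vendor file",
     "body": "Our banking information has changed; see attached."},
    {"from": "ap@rodgersbuilders.com", "subject": "Schedule",
     "body": "Attached is the schedule for next week's pour."},
    {"from": "accounts@rodgersbuildersinc.com", "subject": "New account",
     "body": "We have changed banks; please see the attached ACH form."},
]


def run_triage(messages=SAMPLE_MESSAGES):
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for result in run_triage():
        print(result)
```

Note that the third message is escalated even though no trusted domain resembles dwcontractorsgroup.com: the rule is that a payment-change request from any sender outside the allow-list triggers a call-back to a known-good phone number, not just the ones the similarity check catches.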

CMD provided data to the FBI indicating that the relevant records had been requested by a John Edwards, who listed addresses in both the United States and the United Kingdom:

  • 1270 Hasen Hurst Drive, Apt 12, West Hollywood, CA 90046
  • 14 College Gardens, London, GB e47ALG

and who used the email JohnEdwards79@yahoo.co.uk. The associated telephone number +44 797.335.9482 belonged to ADEAGBO. JohnEdwards79 was actually an alias for the OludayoAdeagbo@yahoo.co.uk email account.

Adeagbo had three passports: a Nigerian and a British passport in his real name, showing a date of birth of April 6, 1979, and a second British passport in the name “John Edwards,” born in Nigeria on April 6, 1979.

The BBC reported that, prior to his involvement in BEC, ADEAGBO was part of a car theft ring that used stolen identities to drive away in Jaguars, Mercedes, BMWs and Porsches. Calling themselves “the iPod team,” Adeagbo’s car theft ring stole 70 luxury automobiles worth $1.8 million over a ten-month period in 2001. Adeagbo told the BBC in 2004 that he had served a 2.5-year prison sentence during which he “found God” and “exchanged crime for Christianity”.

Both JohnEdwards and DanielRoberts were found to have used the same IP addresses to access various online accounts, all of whose providers supplied IP history to the FBI, including Apple, Yahoo, LocalBitcoins.com and Namecheap. OludayoAdeagbo@yahoo.co.uk also held bank statements in his real name for his accounts at Santander.

JohnEdwards79’s Coinbase account was actually verified to someone else: Donald Echeazu, who used the email diecheazu@yahoo.co.uk and telephone 7837887959. Although Coinbase had recorded two photos of JohnEdwards that matched Adeagbo, the third photo matched ECHEAZU’s British passport.

Homeland Security Investigations (HSI) and Customs and Border Patrol (CBP) learned more when they searched the phone of another co-conspirator as he entered the country. On this phone, he had chatted with ADEAGBO’s known UK phone number, labeled “John Dayo” in his contacts, about the bank accounts he was providing. ADEAGBO asked him to open an account with JPMorgan Chase in order to receive funds. They discussed a bank transfer in which they expected to receive 12 million (currency not specified) but were only able to take 8 million.

Photos shared on the account, showing ADEAGBO in a Porsche, matched the car he was driving when he received a ticket in London (a black Porsche).

Another phone conversation revealed a Bank of America account (#32508061285) in the name of “Oludayo Kolawole John Adeagdo” using the address 1270 Havenhurst dr Apt 12, West Hollywood, CA 90046.

The Bank of America account had been used to pay $4,510 in installments to the aforementioned CMD for business information on individuals working at North American construction companies.

Olabanji Egbinola

The last member of the group of extradited crooks, Olabanji Oladotun Egbinola, operated in exactly the same way. Likely having received construction data from the same source (CMD), Olabanji used the email address “accounts@kjellstromleegroup.com” to impersonate the real Kjellstrom and Lee company based in Richmond, Virginia. Using the name “Rachel Moore,” Olabanji interacted with the university’s Treasury Department, acting as if a payment had been missed and then providing new bank details to resolve the problem. As a result, the university wired the next construction payment of $469,819.49 to the new Bank of Hope bank account.

The fake domain was registered through Namecheap by “bridgetclark,” who also registered more than 50 other domains with Namecheap, each “deceptively similar to Internet domain names associated with legitimate construction companies.” Because “bridgetclark” used a TOR-based cryptocurrency wallet to mask its true location, the FBI obtained a Rule 41(b)(6)(A) search warrant. Rule 41(b) allows a search warrant to be issued from any U.S. jurisdiction if the location of the target has been obscured using technology, and permits the use of technology to seize data from such a targeted computer. In the FBI’s case, this is called a NIT, or Network Investigative Technique. After receiving court authorization, the FBI sent an NIT-laden email message to accounts@kjellstromleegroup.com, which was used to determine that the account was operated from a computer at the IP address 86.191.189.88, a British Telecom IP address in the United Kingdom. BT was then able to provide UK law enforcement with the subscriber information for this IP address, and it was found that the subscriber, Samiat Egbinola in Essex, shared a residence with OLABANJI OLADOTUN EGBINOLA.

Egbinola had previously been arrested in 2008 for money laundering in the United Kingdom and had previously traveled to Los Angeles, California, where he used the email address aegbinola@gmail.com as a point of contact when going through customs. A review of the email account, active since 2008, showed he was in regular communication with the scammers listed above at their Yahoo.co.uk addresses.