Australian real estate agents a trending target for cybercrime

Typically Nigerian, these cybercriminals are highly organised. Their teams of mules can shift everything from iPhones to Lego, not just money. And they can smell blood in the water.
Written by Stilgherrian, Contributor

Cybercriminals are inserting themselves into real estate transactions and making off with the money. They've been targeting Australia since late 2017, the problem is growing, and you'll soon be hearing a lot more about it, according to Alex Tilley, a senior security researcher with Dell SecureWorks' Counter Threat Unit Research Team.

These attacks are yet another example of an organisation's staff or individuals being manipulated into sending money to cybercriminals. The Australian Federal Police (AFP) calls them "CEO impersonation" or "senior executive impersonation" attacks, and the US Federal Bureau of Investigation (FBI) calls them "business email compromise" (BEC).

The AFP has been warning that these attacks have been getting smarter, more subtle, and better organised for at least two years now. They continue to rise in both frequency and severity, and corporate victims are now losing millions of dollars in single transactions.

Targeting residential property transactions means that the money is often coming from individuals rather than large organisations. Individual consumers are unlikely to detect the fraudulent emails. Even if the criminals fail to mimic the real estate agent's communication style, the documents are often based on standard invoice templates, or even just ordinary email. For many potential victims, it might even be the first such transaction they've executed.

There's "a lot of implicit trust" in the real estate sales process, Tilley told ZDNet, and "that's the way the system's always worked". No one is ever told to cross-check the account details, even when they do come from the correct email address.

"Since late last year I'm hearing about more and more of it, and I'm sure the banks hear more and more of it as well. The ones that I'm hearing about have been successful, which means that they'll be coming back," he said.

"They can smell the blood in the water."

The cybercriminals could potentially capture smaller, regular transactions, such as rental payments, or rental bond returns, but the cases Tilley is familiar with have been at the higher end. Individuals stand to lose their deposit when buying a home -- or perhaps in the case of buying a property outright, their life savings.

"When it does start to become more publicly known it's going to be heartbreaking."

The cybercriminals will usually start by breaking into a real estate agent's Outlook Web Access (OWA) account, Tilley told the AusCERT Cyber Security Conference on Australia's Gold Coast on Thursday. They'll send a single test email to confirm that they're in, and to see if they're detected. If not, they'll wait 30 days -- the default log rotation period -- for the evidence of their hack to be erased.

They'll then log back in, check for scheduled sales settlements, begin emailing both parties, and eventually send the altered account details for the funds transfer.
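The dormancy Tilley describes is itself something defenders can look for, provided sign-in records are kept longer than the 30-day window. The following is an added example, not code from the article or from SecureWorks: it flags a source IP that is rarely seen for a mailbox, goes quiet for at least 30 days, and then signs in again. The record layout, mailbox names, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, mailbox, source IP).
# The IPs are documentation-range addresses, not real indicators.
SIGNINS = [
    ("2018-03-01T09:02:00", "agent@example.com", "198.51.100.10"),
    ("2018-03-02T23:41:00", "agent@example.com", "203.0.113.77"),  # first contact
    ("2018-03-05T08:55:00", "agent@example.com", "198.51.100.10"),
    ("2018-03-20T09:10:00", "agent@example.com", "198.51.100.10"),
    ("2018-04-03T22:15:00", "agent@example.com", "203.0.113.77"),  # back 31 days later
    ("2018-04-04T09:00:00", "agent@example.com", "198.51.100.10"),
    ("2018-03-03T10:00:00", "admin@example.com", "198.51.100.10"),
    ("2018-03-10T10:00:00", "admin@example.com", "198.51.100.10"),
]

def find_dormant_returns(signins, min_gap_days=30, max_prior_logins=2):
    """Flag (mailbox, ip) pairs where a rarely seen source IP goes quiet for
    at least min_gap_days and then signs in again."""
    by_pair = defaultdict(list)
    for ts, mailbox, ip in signins:
        by_pair[(mailbox, ip)].append(datetime.fromisoformat(ts))

    findings = []
    for (mailbox, ip), times in by_pair.items():
        times.sort()
        # 'seen' counts sign-ins from this IP before the current one.
        for seen, (prev, cur) in enumerate(zip(times, times[1:]), start=1):
            gap = cur - prev
            # A regular office or home IP has many prior sign-ins and short
            # gaps; a single probe followed by a long silence has neither.
            if seen <= max_prior_logins and gap >= timedelta(days=min_gap_days):
                findings.append({
                    "mailbox": mailbox,
                    "ip": ip,
                    "first_seen": times[0],
                    "returned": cur,
                    "gap_days": gap.days,
                })
    return sorted(findings, key=lambda f: f["returned"])

if __name__ == "__main__":
    for f in find_dormant_returns(SIGNINS):
        print(f"{f['mailbox']}: {f['ip']} returned after {f['gap_days']} days")
```

A staff member's seldom-used home or travel address can match the same pattern, so a hit is a prompt to review the mailbox's sent items and rules rather than a verdict.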

Nigerian criminals with trusted local support

While it's not always the case, these real estate attacks are typically masterminded and executed by Nigerian criminals. They're supported by a network of local money mules, who are organised by trusted local recruiters. These mules transfer the funds through a second layer of money mules, and eventually to the organising criminals.

Tilley is fascinated by mules.

"Mules are brilliant," he told ZDNet with tremendous enthusiasm. "The entire spectrum, from the poor person who's applied for what they think is a job online, through to the knowingly travelling nearside mule [a mule who is organisationally closer to the master criminals], and everything in between."

Organising mules has always been a part of organised crime, and organised cybercrime is no different. It's a full-time job, Tilley said, "like herding cats", which is why the mule handlers typically take a 15 percent cut of the funds that go through their networks.

Criminal networks can handle more than just financial transactions. Money mules can also be packet mules, handling physical goods.

"Be that iPhones, be that pounds of drugs, be that people, be that weapons, that mechanism for distribution and delivery and monetisation, that has [always] existed. That is crime," Tilley said.

Or be that Lego.

"Lego is really popular, right? It's small, it's light, it's very valuable, and they love it in Eastern Europe. They just have a real affinity for it, and they really enjoy it. So if I want to sell goods, iPads are good, iPhones are good. But, on the black market, Lego is worth a lot of money," Tilley said.

In 2012, F-Secure chief research officer Mikko Hypponen described a Russian-controlled trans-European criminal network of package mules that included women aged in their 80s reshipping dodgy iPhones.

What border protection agents would stop a grandmother carrying gifts of Lego?

Disclosure: Stilgherrian travelled to the Gold Coast as a guest of AusCERT
