Beagle sniffs out email scammers
- By Patrick Marshall
- Dec 05, 2018
While hackers get considerable media attention, most cybercrime actually comes from a less dramatic source: email phishing and fraud. In 2017 the FBI's Internet Crime Complaint Center logged more than 300,000 complaints from victims who reported losses of $1.4 billion, with email-based scams such as business email compromise among the costliest categories.
Researchers at New York University have responded with Beagle -- forensic software that scans streams of email content and metadata and then presents results in a visual interface that highlights suspicious connections.
The NYU team, led by Enrico Bertini, assistant professor of computer science and engineering, has already begun sharing Beagle -- named for its ability to sniff out evidence -- with law enforcement agencies at no cost.
Most forensic email analysis requires investigators to enter specific queries, which helps only when they already know what to search for among thousands of emails and sender networks. Beagle, on the other hand, uses a visual interface to surface characteristics the messages have in common, such as senders, sending times and phone or account numbers in the body, including data fields investigators might otherwise overlook. The visual display, the researchers said, makes it faster and easier for investigators to analyze the data.
Beagle was developed over two years using a database of more than 100,000 emails intercepted from scammers by Agari Data Inc., a California-based email security company. Agari wanted to better understand how scammers operate so it could identify key features of scam emails and devise strategies to intercept future scam emails.
"Beagle has enhanced our ability to monitor and track these criminal organizations, painting a fuller picture of the individuals involved and their relationships between one another," Agari Field CTO John Wilson said.
The NYU team designed Beagle to look and feel like an email client and added powerful search tools -- including progressive and reversible data queries -- tagging capabilities, content extraction and email data summaries.
Beagle’s interface features four main panels: an interactive query window; a listing of correspondents; an email content section that displays summaries, entities and full details; and a window that shows the frequency of emails over time.
With Beagle’s query tools, analysts can identify scammers, see how they interact with each other and collect data that allows them to create interception strategies for future scam emails. They also can identify bank accounts that may be linked to scam emails.
While testing Beagle, the researchers determined that one set of scam emails had actually been sent by text message from a single phone number. After a separate search on a reverse phone number lookup site, the analysts identified the scammer and his location. A further search of the same dataset for the scammer's last name turned up his first name and reference numbers that the analysts suspected were MoneyGram transaction references.
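The pivot described above, from a shared phone number to a name to payment reference numbers, is the kind of metadata-and-entity correlation Beagle automates. The following is an added example, not Beagle's code or Agari's data: it parses a handful of constructed messages with Python's standard email library, extracts sender, send hour, phone numbers and candidate reference numbers, then groups messages by phone number and pivots on a last name. The regular expressions, the 8-digit reference format and the rule that a bare 10-digit number is North American are assumptions made for the sample, and the messages, names and numbers are invented.

```python
import email
import re
from collections import defaultdict
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages for the example (not real scam mail).
RAW_MESSAGES = [
    """From: "Mr. Adeyemi" <adeyemi.j@example.net>
To: victim1@example.org
Date: Mon, 05 Mar 2018 09:14:00 +0000
Subject: Urgent assistance

Call me on +1 555 010 9941 to release the funds.
""",
    """From: "Dr. Okon" <okon.office@example.com>
To: victim2@example.org
Date: Tue, 06 Mar 2018 09:20:00 +0000
Subject: Re: payment

Text 555-010-9941 once you have sent the transfer.
""",
    """From: "James Adeyemi" <j.adeyemi@example.net>
To: victim3@example.org
Date: Wed, 07 Mar 2018 09:05:00 +0000
Subject: MoneyGram confirmation

Send the money via MoneyGram, reference 87654321, to James Adeyemi.
""",
    """From: "Lottery Desk" <claims@example.org>
To: victim4@example.org
Date: Thu, 08 Mar 2018 15:45:00 +0000
Subject: You have won

Claim by calling +44 20 7946 0000 within 48 hours.
""",
]

# Assumed patterns: a phone number is 9+ characters of digits/separators
# starting and ending in a digit; a reference is a bare 8-digit number.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
REF_RE = re.compile(r"\b\d{8}\b")


def normalize_phone(text):
    """Reduce a phone string to digits; assume bare 10-digit numbers are +1."""
    digits = re.sub(r"\D", "", text)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def parse_messages(raws):
    """Turn raw RFC 822 messages into records of sender, hour and extracted entities."""
    records = []
    for raw in raws:
        msg = email.message_from_string(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",)).get_content()
        name, addr = parseaddr(str(msg["From"]))
        sent = parsedate_to_datetime(str(msg["Date"]))
        records.append({
            "sender_name": name,
            "sender_addr": addr.lower(),
            "hour": sent.hour,
            "phones": {normalize_phone(p) for p in PHONE_RE.findall(body)},
            "refs": set(REF_RE.findall(body)),
            "body": body,
        })
    return records


def shared_phones(records):
    """Phone numbers that appear in messages from more than one sender address."""
    senders_by_phone = defaultdict(set)
    for r in records:
        for p in r["phones"]:
            senders_by_phone[p].add(r["sender_addr"])
    return {p: s for p, s in senders_by_phone.items() if len(s) > 1}


def refs_for_name(records, last_name):
    """Pivot: reference numbers in messages whose sender name or body mentions last_name."""
    needle = last_name.lower()
    refs = set()
    for r in records:
        if needle in r["sender_name"].lower() or needle in r["body"].lower():
            refs |= r["refs"]
    return refs


def hour_histogram(records):
    """Count messages per send hour (UTC), the sending-time view the article mentions."""
    hist = defaultdict(int)
    for r in records:
        hist[r["hour"]] += 1
    return dict(hist)


if __name__ == "__main__":
    recs = parse_messages(RAW_MESSAGES)
    print("phones shared across senders:", shared_phones(recs))
    print("references linked to 'Adeyemi':", refs_for_name(recs, "Adeyemi"))
    print("messages per hour:", hour_histogram(recs))
```

Two senders with different display names and domains share one phone number, which is the link a keyword query on sender address would never expose; pivoting on the surname then pulls the reference number out of a third message. On real data the same approach needs a proper phone-number library and tolerance for obfuscated numbers ("five five five"), but the indexing pattern is unchanged.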
Using Beagle, Agari was able to report a bank account used by a scammer to a clearinghouse organization, which gave the bank in question the opportunity to shut the account down. Other banks were notified about the account so that they could block transfers to it from their own customers.
Agari also shared data with Google, giving it information on large numbers of accounts used for crime and potentially improving the search company's security controls.
"We were surprised to discover that Beagle can actually build evidence," Bertini said, noting that the program helps analysts surface hidden connections in the flow of scam emails.
"Beagle builds pictures from the data, making it much easier to connect the dots and ultimately understand how scam networks operate, from first contact with a victim through what are often multiple rounds of extortion," Bertini said.
Patrick Marshall is a freelance technology writer for GCN.