Lads from Lagos using 'Predator Pain' on hapless 419 victims

Emails from thieving RATs contain keyloggers

Advanced-fee fraudsters are adopting the tactics of state-sponsored hackers in attacks targeting small- to medium-sized businesses, rather than large corporates, according to research from Trend Micro.

419 gangs are using the Predator Pain and Limitless keyloggers to steal network credentials through spear-phishing attacks, mimicking the tactics of so-called APT-style attacks most associated with state-sponsored hackers.

"The common attack scenarios by cybercriminals using these toolkits involve sending out business-themed messages to publicly listed email addresses," Trend Micro warns. "The emails contain a keylogger that sends information back to the cybercriminal via email, FTP, or Web panel (PHP): system information, keystrokes, browser-cached account credentials, and screenshots."

A 419 scam typically involves promising the victim a significant sum of money, for which the fraudster requires a small up-front payment.

These stolen network credentials are being used to further 419-style scams. The two main goals of a run of attacks spotted by Trend Micro over the last few months are sending "419 or Nigerian scams through easy-to-deploy, high-volume attacks" and "scammed corporate emails that convince recipients to deposit payment to specially crafted accounts".

A white-paper (PDF) by Trend Micro concludes: "Investigations on several Predator Pain and Limitless attacks were conducted to find out how the keyloggers were used and what the operators’ end goal is. Findings revealed that most but not all of the operators were involved in 419 or Nigerian scams."

Stolen credentials are either used to commit fraud directly or used to identify new targets using the initial victims' contacts. In some cases the fraudsters take existing communications between compromised accounts and victims' business partners to defraud the latter.

Both Predator Pain and Limitless remote access tools (RATs) are easily obtainable from underground forums. Each comes with similar functions including keylogging and data-exfiltration methods. "These are off-the-shelf tools and are easily obtainable for US$40 or less in underground forums or websites run by their creators," according to Trend Micro.

Palo Alto Networks previously reported how Nigerian scammers are moving beyond 419 advance-fee fraud scams against individuals by using trojans to steal valuable information from businesses.

Trend's research expands on that work to look at the latest evolution in tactics and techniques by the Lads from Lagos. ®

Biting the hand that feeds IT © 1998–2021