Nigerian prince swaps the sweet talk for keyloggers and exploits

Their emails still reek, but non-English natives don't notice


Nigerian 419 scammers have taken to the crime-as-a-service model using cash to plug their technical capability shortfalls to build malware campaigns that could be making millions, according to FireEye researchers.

Erye Hernandez, Daniel Regalado and Nart Villeneuv said that scammers, notorious for their attempts to fleece the gullible, were now targeting users with exploit tools and keyloggers and breaking into legitimate business email transactions to swindle buyers and sellers.

The team said, in a report entitled An Inside Look into the World of Nigerian Scammers (PDF), that this was the first time the end-to-end activities of the group had been detailed.

"FireEye Labs discovered an active operation of a group of cybercriminals involved in multiple executions of the payment diversion scam," the team added.

"The group is composed of loosely organised individuals who use basic, but effective, tools to defraud their victims of thousands of dollars.

"We estimate the group has targeted 2,328 victims in 54 countries [preferring] small to medium businesses in Asia because they are non-native English speakers and are usually not as technically savvy as big businesses."

The criminals will pay up to US$3,600 for malware tools including encryptors, builders, remote access trojans, and various info-stealers, using the tools to con users out of cash ranging from thousands to possibly millions of dollars.

The report illustrated one of the ways in which luddite scammers can use efficient cybercrime services to break into the malware game, and the effectiveness of targeting non english-speaking countries in a bid to conceal otherwise noticeable grammatical errors.

FireEye examined one Nigerian collective of at least four individuals who shared a single command and control server. They used the popular Microsoft Word Intruder tool, and keyloggers HawkEye and KeyBase, buying the MWISTAT builder to track the effectiveness of their campaigns.

They shared tools and traded tips, with more experienced scammers offering potential victim lists to noobs.

While tactics vary, the scammers will generally gain access on an email account and identify threads regarding business transactions. They then create spoof threads contacting buyers and sellers in a bid to obtain financial data.

The researchers said scammers will peruse sites like Alibaba in a bid to identify victims residing in countries in which they have existing bank accounts to make the fleecing easier.

Their exploits are often delivered through a booby-trapped Word documents masquerading as the kind of tailored customer inquiry a business would routinely receive and open.

Here's how the scam works:

For example, one scammer had access to a server with over 2.5GB of HawkEye text logs and screenshots, while another server hosted KeyBase logs and screenshots.

These scammers consult these logs on a daily basis to determine which accounts are of interest. They primarily seek out email accounts from companies that deal with purchase transactions. Since the scammer’s primary goal is to divert payments from ongoing transactions into their bank accounts, these victims are the most valuable to them.

Once the scammers identify an interesting victim, they log into the victim’s accounts using the stolen credentials and study the different transactions in which the victims are involved.

The tools, tactics and procedures of the Nigerian hackers were a step up from the 419 scams, but still fall dramatically short of the well-oiled targeted malware campaigns of which El Reg security readers will be all-too-familiar. ®


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Microsoft Defender goes cross-platform for the masses
    Redmond's security brand extended to multiple devices without stomping on other solutions

    Microsoft is extending the Defender brand with a version aimed at families and individuals.

    "Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."

    The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Heineken says there’s no free beer, warns of phishing scam
    WhatsApp messages possibly the worst Father's Day present in the world

    There's no such thing as free beer for Father's Day — at least not from Heineken. The brewing giant confirmed that a contest circulating on WhatsApp, which promises a chance to win one of 5,000 coolers full of green-bottled lager, is a frothy fraud.

    "This is a scam. Thank you for highlighting it to us. Please don't click on links or forward any messages. Many thanks," the beermaker said in a tweet.

    The phony WhatsApp giveaway includes an image of a cooler of 18 Heinekens and a link to a website purporting to run the giveaway. That page asks visitors vying to bag free booze for their personal information, such as names, email addresses, and phone numbers, which is all collected by miscreants.

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading

Biting the hand that feeds IT © 1998–2022