'Nigerian scammer' busted after he infected himself with malware

Researchers able to watch wire-fraudsters operate in real time

The ancient-in-internet-years “Nigerian email” scam remains popular and profitable for its operators ... when they don't shoot themselves in the foot.

Some scam operators infected themselves with their own malware, and SecureWorks has been discussing the outcome: the massive own goal meant researchers like Joe Stewart could watch the scammers at work, right down to capturing screen grabs of their operation.

Stewart's colleague, SecureWorks researcher James Bettke, said that while looking for command-and-control servers, the team spotted a keylogger reporting to an unsecured, web-exposed server.

Stewart told The Register that once the researchers had access to the scammer's machine, they were also getting the output of the keyloggers and copies of spreadsheets.

They were able to monitor the ringleader of this particular operation for “several months”.

Bettke explained that “we saw who he contacted, his instant messages, the tools he was using, his victims, the amounts of money transferred – how the whole thing worked.”

That included the real identities of more than 30 people in the ring, Bettke said.

The operators refer to the scam as “wire-wire” (there are, the researchers said, plenty of Facebook groups devoted to such operations), and it worked like this:

  • Obtain target email addresses from public sources;
  • Infect the target, so as to get access to their inboxes. This lets the scam operator identify contacts like suppliers that the target has a financial relationship with;
  • The scammer then creates an email address similar to a supplier's – for example, it might be payments@securworks.com instead of payments@secureworks.com.

Bettke noted that it only needs one end of the conversation for the scam to work: the victim tries to place an order via email; the scammer sees the message and passes it on to the intended recipient.

With the order placed, the supplier issues an invoice, which the scammer intercepts. The scammer creates their own invoice, substituting their own account details, and passes that to the victim from their spoofed email account.
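The look-alike sender trick above (payments@securworks.com standing in for payments@secureworks.com) is detectable before anyone reads the invoice. The following is an added example, not code from the article or from SecureWorks: a finance-mailbox triage rule that flags any sender domain within a couple of edits of a known supplier domain; the supplier list and sample messages are constructed.

```python
"""Flag invoice e-mails whose sender domain is a near-miss of a known supplier."""
from typing import Optional

# Constructed allow-list of domains the finance team actually does business with.
KNOWN_SUPPLIER_DOMAINS = {"secureworks.com", "example-parts.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(address: str, known=KNOWN_SUPPLIER_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the supplier domain this sender imitates, or None if it is clean.

    An exact supplier match is trusted as-is. A domain that is close to a
    supplier but not identical is the dropped/added/swapped-letter spoof.
    max_distance=2 suits domains this long; shorten it for very short domains.
    """
    domain = sender_domain(address)
    if domain in known:
        return None
    for legit in known:
        if edit_distance(domain, legit) <= max_distance:
            return legit
    return None


def triage(messages):
    """Return (sender, imitated_domain) for every message needing a call-back check."""
    return [(m["from"], hit) for m in messages
            if (hit := lookalike_of(m["from"])) is not None]


if __name__ == "__main__":
    inbox = [  # constructed sample; the second message is the spoof
        {"from": "payments@secureworks.com", "subject": "Invoice 4471"},
        {"from": "payments@securworks.com", "subject": "Invoice 4471 - new bank details"},
        {"from": "newsletter@unrelated-store.net", "subject": "Sale"},
    ]
    for sender, legit in triage(inbox):
        print(f"HOLD: {sender} resembles {legit}; confirm by phone on a known number")
```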

With the ring busted and its operators arrested, the FBI has issued a warning about the growing scam.

It echoes what Stewart and Bettke told The Register: process rather than technology is the best defence against such attacks.

That means making sure that everybody handling payments checks account details, rather than merely reading them from the document in an email. And if you're phoning to check an invoice, get the phone number from a source outside the e-mails or invoices. ®

Biting the hand that feeds IT © 1998–2021