'Nigerian princes' snatch billions from Western biz via fake email – Interpol

Cybercrime even has its own religion in Ghana


Spoofed email and malware hidden in attachments netted crooks in West Africa more than $3bn in three years from businesses.

That's according to research carried out by the International Criminal Police Organization (Interpol) and infosec biz Trend Micro. Forget claims of money stuck in bank accounts. Scammers are now raking it in from so-called business email compromise (BEC) schemes, according to the security team.

A BEC crook sends authentic-looking invoices and internal memos to businesses and their finance staff, tricking the employees into paying money into the thieves' accounts. The messages can also be booby-trapped with malware that infects work PCs and logs keystrokes. The captured credentials are then used to log into the company's online bank account and transfer money into the criminals' pockets.
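The mechanics above (an executive's name on a mailbox the company doesn't own, a lookalike domain, a Reply-To that quietly diverts the conversation, and a push for a fast wire) are the same handful of signals a mail gateway or SOC rule can check on every inbound message. The following is an added example, not code from the Interpol/Trend Micro report or from either organization; the defended domain example.com, the executive "Jane Doe", the keyword list and the two sample messages are all constructed for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example (not from the article): the defended domain and
# the executives a BEC crew would most plausibly impersonate.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
PAYMENT_WORDS = ("urgent", "immediately", "wire", "invoice",
                 "new account", "confidential")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a sending domain that is near, but not equal to, our own."""
    if not domain or domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return False          # our domain and our own subdomains are fine
    label = OUR_DOMAIN.split(".")[0]
    return edit_distance(domain, OUR_DOMAIN) <= 2 or label in domain


def bec_findings(raw_message: str) -> list:
    """Return the BEC indicators present in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_dom = domain_of(from_addr)

    # 1. An executive's display name on a mailbox that is not the executive's.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr != real:
        findings.append("display-name-impersonation")

    # 2. The sending domain is a lookalike of ours.
    if is_lookalike(from_dom):
        findings.append("lookalike-domain")

    # 3. Replies are diverted to a different domain (often free webmail).
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 4. Subject/body press for a quick payment or a banking-detail change.
    text = (str(msg.get("Subject", "")) + " " + msg.get_content()).lower()
    if sum(word in text for word in PAYMENT_WORDS) >= 2:
        findings.append("payment-urgency")

    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.cfo@webmail.invalid
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached supplier invoice immediately and wire the
funds to the new account details below. Keep this confidential.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget meeting

See you at 10am on Thursday.
"""

if __name__ == "__main__":
    print("spoofed:", bec_findings(SPOOFED))   # all four indicators
    print("legit:  ", bec_findings(LEGIT))     # []
```

None of these checks is conclusive on its own (a genuine executive mailing from a personal phone can trip the Reply-To rule), which is why the function returns the list of indicators rather than a verdict: a gateway would typically quarantine on two or more hits and, in any case, pair this with an out-of-band callback before any change to supplier bank details is honoured.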

The Interpol-Trend study found that between October 2013 and May 2016, BEC scammers walked off with more than $3bn having exploited the technique globally.

Such frauds are becoming a serious pain in the fundament: the FBI warned last year that such scams had siphoned over $1bn from American companies. Victims of BEC scams included the city of El Paso, in Texas, America, which got scammed out of $3.2m, and Austrian engineering firm FACC, which lost over $54m. Much of the money in both cases has now been recovered – but by no means all of it, and the problem is getting worse.

"West African cybercriminals are clearly shifting to more elaborate crimes, complex operations, and business models – BEC and tax fraud, in particular," the report [PDF] states.

"Armed with their social engineering expertise and ingenuity, and augmented by tools and services (keyloggers, RATs, crypters, counter-AV services, etc), West African cybercriminals are stealing large amounts of money via crimes targeting individuals and companies worldwide."

Quite why West Africa is such a hotspot for online crime isn't hard to work out – education and motive. Around half of all university graduates in West Africa are unemployed a year after graduation and so the lure of crime is strong.

It's now so established in some cultures that it has entered the pantheon of religion in Ghana, under the name Sakawa. The fraudsters make offerings to a supreme being that will protect their fraud from being discovered and ensure good fortune.

The study identified two big gangs working in the regions. The first, known as the Yahoo! Boys, concentrate largely on the traditional types of fraud like 419 scams – where an online figure (typically a bogus Nigerian prince or foreign lawyer) promises a big payout if the victim coughs up fees to free up the supposed fortune.

The Yahoo! Boys – so named because until recently they used the failing portal's chat tools to coordinate their scams – also carry out romance scams, forming faux relationships with the lonely and then 'borrowing' money for plane tickets to consummate the relationship. Another is the so-called "send money" scam, whereby they pretend to be a foreign traveler who has been mugged and needs funds from friends and family.

Typically members of the Yahoo! Boys are in their twenties, like to show off their wealth on social media, and operate in small, local groups. While their methods of fraud are relatively unsophisticated, they still make a good living.

More dangerous are what the study calls next-level cybercriminals. This group is generally older, doesn't show off their wealth, and operates in a more sophisticated way. It concentrates on BEC fraud and also harvests financial details to scam funds from victims with fake tax returns.

Next-level cybercriminals are highly professional, running money-laundering operations, a network of money mules, and working closely with relatives in the target countries to smooth out the scamming process. It's this group that has been raking in the billions.

Interpol reports some limited success in shutting down these groups, but says that of all the tips it passes on to local police, only about 30 per cent end up in an arrest. As ever with online crime, finding the physical location of the criminals is a major issue. ®

Biting the hand that feeds IT © 1998–2022