Attacks/Breaches
7/22/2014
05:45 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Nigerian 419 Scammers Evolving Into Malware Pushers (But Not Very Good Ones)

"Silver Spaniel" attacks use commodity malware to damage others' security, but they aren't very good at protecting their own.

Nigeria's 419 scammers are evolving. Instead of just using charm to con wealthy marks into handing over their cash, these actors are now also using malware, according to a Palo Alto Networks report released today.

Palo Alto has dubbed this series of attacks "Silver Spaniel." Fortunately, "these individuals are often experts at social engineering, but novices with malware."

The attackers are primarily using the NetWire remote access tool along with DataScrambler, a crypter used to evade anti-virus software. These are relatively inexpensive commodity tools that can be easily obtained at online marketplaces. So far, the attackers are delivering these executables as email attachments. "Silver Spaniel attacks have thus far not exploited any software vulnerabilities and have instead relied entirely on social engineering to trick victims into installing malware," according to the report.

The attackers are using dynamic DNS domains from NoIP for command-and-control, but in an effort to make it easier to manage their malicious activity, they're making it easier for law enforcement officials to locate them. From the report:

    At least one attacker configured their system to use the Dynamic Update Client (DUC) provided by NoIP.com to automatically direct traffic destined for their domain to the IP address of their PC. This automated the assignment process, but also exposed their non-VPN IP address and location. These non-VPN IP addresses belong to ISPs that provide mobile Internet access to much of Nigeria.

Not only are they doing a poor job of hiding their IP addresses, but they're also doing a poor job of hiding their own identities. Palo Alto provided the example of Ojie Victor, a rather hapless fellow who may or may not be involved in Silver Spaniel attacks but is certainly attempting to commit acts that are consistent with the style.

Victor was found posting messages on social networks and forums, publicly seeking assistance buying and using malware. For example, he tweeted: "I NEED A SPOOFER FOR MY CYBERGATE RAT... CAN SOMEBODY HELP ME OUT HERE? ojeyvictor19999@yahoo.com."

Read the full report at paloaltonetworks.com/resources/research/419evolution.html (registration required).

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 12:23:42 PM
Re: Executables in Emails?
My thinking is that the earlier good practices can be drummed in the better. I've seen many tweens with smartphones! Then by the time the judgement kicks in in the mid 20s, presumaby some of the basics will be already baked in...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 12:23:37 PM
Re: Executables in Emails?
My thinking is that the earlier good practices can be drummed in the better. I've seen many tweens with smartphones! Then by the time the judgement kicks in in the mid 20s, presumaby some of the basics will be already baked in...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 12:23:32 PM
Re: Executables in Emails?
My thinking is that the earlier good practices can be drummed in the better. I've seen many tweens with smartphones! Then by the time the judgement kicks in in the mid 20s, presumaby some of the basics will be already baked in...
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/28/2014 | 12:20:04 PM
Re: Executables in Emails?
This does make sense from an impulse perspective but then what are the action items? Educating people at a younger age to protect against phisihing? My high school had CISCO Networking classes and basic computer classes but I have not seen a InfoSec related class or one that taught InfoSec related principles. 

Or would this be better projected at the university level which comprises the age most susceptible for exploitation?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/25/2014 | 9:56:53 AM
Re: Executables in Emails?
As the parent of a 24-year old (who probably should know better), I'm not surprised that that demographic is more susceptiable to a phishing attack. That's a very impulsive age at which point the "judgement" brain cells have not fully matured. The rental car industry figured that out a long time ago when they set 26 as the minimum age that people can rent a car without a big  surcharge.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/25/2014 | 8:46:13 AM
Re: Executables in Emails?
Very interesting thanks for the reply. Some of the most interesting pieces from that article was that ages 18-25 are the most susceptible age bracking for phishing attacks. I thought it would be the opposite.

Also, that women are more susceptible than men statistically. The article attributes this to less technical training however I am not convinced. In the study was half women and half men with men receiving 48% training materials and women receiving 52% which is pretty much even. So I don't think the results support their hypothesis. But I cannot think of other reasoning as to why this would be true. 
Manos Chatzikyriakos
50%
50%
Manos Chatzikyriakos,
User Rank: Apprentice
7/24/2014 | 10:56:02 AM
Re: Executables in Emails?
You might find this paper interesting. It's about a study on the subject you mentioned, different factors that might have an impact someone's behaviour susceptibility to falling victims of phising attacks. 

http://lorrie.cranor.org/pubs/pap1162-sheng.pdf

The paper is a derivative of a thesis which you can find online if you need the full information.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/24/2014 | 10:30:24 AM
Re: Executables in Emails?
Understood, does anyone know if there is an age demographic that shows those who respond to phishing attacks? I am just curious because I know a large percentage of exploited individuals are elderly in terms of technology/financial scams. I would be interested to see if they are the largest group who open unknown attachements.
Manos Chatzikyriakos
50%
50%
Manos Chatzikyriakos,
User Rank: Apprentice
7/24/2014 | 10:00:01 AM
Re: Executables in Emails?
Unfortunately you would be surprised by how many people would actually do that. It doesn't take more than poor social enginnering skills and a .exe file named "picture.exe.jpg"
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/23/2014 | 8:47:16 AM
Executables in Emails?
Some of this was actually quite comical. But on a serious note, to confirm with your article, they are sending .exe's in the email attachment? Just to be clear, I am unsure as to why anyone would use an executable from an email. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.