Threat Intelligence
3/13/2017
05:40 PM

Nigerian Cybercrime Matures, Morphs

INTERPOL, security researchers see West Africa cybercrime scene expanding and getting more sophisticated.

This is not your parents' Nigerian scam. Cybercrime gangs out of West Africa are upping their seasoned social engineering game with more advanced scams like business email compromise (BEC) and targeting health savings accounts.

Cybercriminals out of West Africa pilfered an average of $2.7 million from businesses and $422,000 on average from individuals during 2013-2015, according to new INTERPOL and Trend Micro data, a rate that is on the rise. It's a mixture of their traditional infamous 419 or Nigerian prince-type scams, and increasingly BEC and other scams that rely heavily on social engineering enhanced with a personal touch, with voice and Skype calls in addition to the usual email, social media, and instant messaging.

As in other regions such as Eastern Europe where cybercrime is rampant, the growth in West Africa's online scams correlates with an educated yet unemployed populace. Only half of the 10 million students who graduate from Africa's nearly 670 universities each year find jobs, and West Africa law enforcement says half of the cybercriminals they see are unemployed.

"The depth and breadth is larger and the impact is greater" with today's West African cybercrime gangs' scams, says Ed Cabrera, chief cybersecurity officer at Trend Micro. "What they've done is evolve their fraud schemes so they now encompass cybercrime tools and techniques to further or advance their fraud schemes."

But the West Africa cybercriminals still are not quite as technically sophisticated as their Eastern European cybercriminal counterparts. "They are doing a lot by trial-and-error, and tapping into other undergrounds to capacity-build" with malware and tools, he says of the West African cybercriminals.

There have been cases of Nigerian cybercriminals inadvertently infecting themselves with malware while infecting their victims. Trend Micro researchers report a recent case where a West African cybercriminal using keyloggers to steal email credentials for potential financial scams accidentally installed the keylogger on his own machine: that allowed researchers to sneak a peek at his logs and information and get a front-row seat to understand the inner workings of his operation.

SecureWorks last year revealed a similar situation, where the head of a cybercrime gang out of Nigeria, whom they dubbed "Mr. X," was outed by researchers after apparently infecting his machine with his own malware and ultimately leaving a trail of his online information and theft activity and his victims.

Scammers in this region often make up for their technical inexperience with sophisticated social engineering skills. "Part of their strength is the human element to effect these types of attacks," and they are more advanced with that personal touch than most Eastern European cybercrime groups that rely more on malware, says Cabrera, who at the upcoming Interop ITX conference will give tips on how to either stop or respond to ransomware attacks.

An emerging scam targets corporate health savings accounts. Researchers at SecureWorks have been tracking this scam, where Nigerian hackers as well as cybercrime gangs out of Southeast Asia send victims spearphishing emails purportedly from HSA administrators. The emails typically ask the victim to confirm his or her username and password for the account: if the victim falls for it, the attackers then go into the account and have it direct funds to the attackers' bank account, typically a money mule account.

The National Health Information Sharing and Analysis Center (NH-ISAC) has identified at least six different businesses that have suffered from HSA scams. According to SecureWorks, victims have lost anywhere from several hundred to several thousands of dollars each.

Joe Stewart, director of malware research for SecureWorks, says his team spotted at least three groups focusing on HSA fraud, one of which had Nigerian origins and another Indonesian. "They were targeting those accounts for most of 2016," Stewart says.

The HSA attackers aren't making as much money as the BEC attackers, however, because those accounts typically don't have more than a few thousand dollars, Stewart notes.

BEC scams spread to nearly 100 nations last year, costing victims some $3 billion in losses, according to the FBI. The average loss is $140,000 per incident. BEC typically works like this: the scammers pose as a company executive or other trusted person to dupe the recipient employee into wiring money to an account that, unbeknownst to the victim, actually belongs to the scammer. BEC attacks don't even require malware.

These scams affect all kinds of industry sectors. Cybersecurity and policy attorney Kenneth Dort says he's seen a massive jump in these types of scams. "To be candid, my firm has gotten a few" Nigerian scam attempts, he says.

"The Nigerian prince scam got a little old, so it morphed into something else. I can't tell you how many times clients' CFOs are just inundated with bank requests, fake checks," says Dort, a partner with Drinker Biddle & Reath LLP.

Prince Update

INTERPOL and Trend Micro's study found that West African cybercriminals are typically men aged 19 to 39, and fall into two categories based on their level of technical expertise: what they call "Yahoo boys" and "next-level cybercriminals." Yahoo boys are known for 419 scams and operate under the supervision of others, while next-level cybercriminals focus on BEC and tax scams, and also employ keyloggers, remote access Trojans, phishing tools, and ransomware they obtain from underground marketplaces.

SecureWorks refers to the latter group as "wire-wire" scammers. Unlike the traditional Nigerian 419 scams, this new generation of scammers is made up not of college-age fraudsters but of men in their late 20s to 40s, many of whom are considered pillars of society, active in their churches and communities.

Some 30% of cybercriminals in this region are arrested. Nigerian law enforcement has been aggressive in pursuing these scammers: a Nigerian national considered the mastermind behind several BEC and other scams was arrested by INTERPOL last August on charges of cheating companies out of more than $60 million. The arrests were reportedly made with the help of Nigeria's Economic and Financial Crime Commission (EFCC) as well as Trend Micro's findings.

But old-school, tried-and-true advance-fee fraud, aka 419 or Nigerian prince scams, is still alive and well – and lucrative.

SecureWorks' Stewart and his team, while doing research earlier this year looking at the operations of a specific wire-wire gang, stumbled across some fake documents and the mention of a "Mr. White" with whom the gang was scamming. They contacted the possible victim, Henry White, a real estate developer.

White had been working with what he thought was a group of foreign investors to raise funding for his dream of starting his own construction business. He wrote a business plan, and through a friend found a website that provides information on investors in China. He was contacted by someone in London who had seen his post there, and who told White he had an interested investor and asked him to send his business plan, which he did. White was approved for a $2.2 million loan at 2% interest, with payment deferred for a period of two years.

The memorandum of understanding required a documentation fee for the overseas transaction; White said he inquired about the investor, and the London man gave him the name of a legitimate multi-millionaire named Mr. Mohammed out of Saudi Arabia who had several investments in US firms.

He even held Skype sessions with Mohammed, and the scammers used a screenshot of a man appearing to be a Saudi prince. "We spoke on Skype back and forth," White says.

White wired $10,000 for the fee to Mohammed, and then was billed for another $2,800 for "proof of funds documentation."

He received documentation that the $2 million was on its way. But it never came, and after several attempts to contact Mohammed to no avail, White realized he had been duped. "Lo and behold, it was my worst nightmare."


SecureWorks contacted White around that time, and continues to work on unmasking the gang behind the scam. "If he continues to communicate and is asking for money transfers, we may be able to social-engineer him" to snare him, Stewart says. "Or since all this went down with Mr. White, these fraudsters might start testing the waters with malware," which then could provide another trail to them, he says. The challenge is that these scammers use money mule accounts, so they are covering their tracks.

In the meantime, White says he is informing other users of the "investment" website and getting the word out as much as he can to warn other would-be victims not to fall for this and other similar scams.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

jmmyTor (User Rank: Apprentice), 3/21/2017 3:34:20 PM
Re: Nigerian Cybercrime Matures..
After reading your write-up about the emergence of Nigerian cybercrime, I keep wondering if you have not really missed some important key elements in your article. For full disclosure: I am a Nigerian American, with a degree in law and an MBA. I am also into cyber security. The issues above have a lot to do with the more than 10 million graduates from various universities in the region. The unemployed youths are much more sophisticated than what is being reported. They are left with no option other than to look to the web to come up with an idea for defrauding the society they find themselves in. This is by no means a justification for them. But, just letting you know that without jobs they will look for any means to survive. To them, the rationalisation is that they need to survive. I grew up in Africa. I know first hand the struggle over there. With access to the internet, the world has become a global village whereby anyone can access any information at any time, anywhere. The governments of these countries need to provide an enabling environment for these youths by creating jobs for them in order to deter them from illegal activities.