Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/22/2014
05:45 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Nigerian 419 Scammers Evolving Into Malware Pushers (But Not Very Good Ones)

"Silver Spaniel" attacks use commodity malware to damage others' security, but they aren't very good at protecting their own.

Nigeria's 419 scammers are evolving. Instead of just using charm to con wealthy marks into handing over their cash, these actors are now also using malware, according to a Palo Alto Networks report released today.

Palo Alto has dubbed this series of attacks "Silver Spaniel." Fortunately, "these individuals are often experts at social engineering, but novices with malware."

The attackers are primarily using the NetWire remote access tool along with DataScrambler, a crypter used to evade anti-virus software. These are relatively inexpensive commodity tools that can be easily obtained at online marketplaces. So far, the attackers are delivering these executables as email attachments. "Silver Spaniel attacks have thus far not exploited any software vulnerabilities and have instead relied entirely on social engineering to trick victims into installing malware," according to the report.

The attackers are using dynamic DNS domains from NoIP for command-and-control, but in an effort to make it easier to manage their malicious activity, they're making it easier for law enforcement officials to locate them. From the report:

    At least one attacker configured their system to use the Dynamic Update Client (DUC) provided by NoIP.com to automatically direct traffic destined for their domain to the IP address of their PC. This automated the assignment process, but also exposed their non-VPN IP address and location. These non-VPN IP addresses belong to ISPs that provide mobile Internet access to much of Nigeria.

Not only are they doing a poor job of hiding their IP addresses, but they're also doing a poor job of hiding their own identities. Palo Alto provided the example of Ojie Victor, a rather hapless fellow who may or may not be involved in Silver Spaniel attacks but is certainly attempting to commit acts that are consistent with the style.

Victor was found posting messages on social networks and forums, publicly seeking assistance buying and using malware. For example, he tweeted: "I NEED A SPOOFER FOR MY CYBERGATE RAT... CAN SOMEBODY HELP ME OUT HERE? [email protected]"

Read the full report at paloaltonetworks.com/resources/research/419evolution.html (registration required).

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/23/2014 | 8:47:16 AM
Executables in Emails?
Some of this was actually quite comical. But on a serious note, to confirm with your article, they are sending .exe's in the email attachment? Just to be clear, I am unsure as to why anyone would use an executable from an email. 
Manos Chatzikyriakos
50%
50%
Manos Chatzikyriakos,
User Rank: Apprentice
7/24/2014 | 10:00:01 AM
Re: Executables in Emails?
Unfortunately you would be surprised by how many people would actually do that. It doesn't take more than poor social enginnering skills and a .exe file named "picture.exe.jpg"
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/24/2014 | 10:30:24 AM
Re: Executables in Emails?
Understood, does anyone know if there is an age demographic that shows those who respond to phishing attacks? I am just curious because I know a large percentage of exploited individuals are elderly in terms of technology/financial scams. I would be interested to see if they are the largest group who open unknown attachements.
Manos Chatzikyriakos
50%
50%
Manos Chatzikyriakos,
User Rank: Apprentice
7/24/2014 | 10:56:02 AM
Re: Executables in Emails?
You might find this paper interesting. It's about a study on the subject you mentioned, different factors that might have an impact someone's behaviour susceptibility to falling victims of phising attacks. 

http://lorrie.cranor.org/pubs/pap1162-sheng.pdf

The paper is a derivative of a thesis which you can find online if you need the full information.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/25/2014 | 8:46:13 AM
Re: Executables in Emails?
Very interesting thanks for the reply. Some of the most interesting pieces from that article was that ages 18-25 are the most susceptible age bracking for phishing attacks. I thought it would be the opposite.

Also, that women are more susceptible than men statistically. The article attributes this to less technical training however I am not convinced. In the study was half women and half men with men receiving 48% training materials and women receiving 52% which is pretty much even. So I don't think the results support their hypothesis. But I cannot think of other reasoning as to why this would be true. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/25/2014 | 9:56:53 AM
Re: Executables in Emails?
As the parent of a 24-year old (who probably should know better), I'm not surprised that that demographic is more susceptiable to a phishing attack. That's a very impulsive age at which point the "judgement" brain cells have not fully matured. The rental car industry figured that out a long time ago when they set 26 as the minimum age that people can rent a car without a big  surcharge.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/28/2014 | 12:20:04 PM
Re: Executables in Emails?
This does make sense from an impulse perspective but then what are the action items? Educating people at a younger age to protect against phisihing? My high school had CISCO Networking classes and basic computer classes but I have not seen a InfoSec related class or one that taught InfoSec related principles. 

Or would this be better projected at the university level which comprises the age most susceptible for exploitation?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 12:23:32 PM
Re: Executables in Emails?
My thinking is that the earlier good practices can be drummed in the better. I've seen many tweens with smartphones! Then by the time the judgement kicks in in the mid 20s, presumaby some of the basics will be already baked in...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 12:23:37 PM
Re: Executables in Emails?
My thinking is that the earlier good practices can be drummed in the better. I've seen many tweens with smartphones! Then by the time the judgement kicks in in the mid 20s, presumaby some of the basics will be already baked in...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 12:23:42 PM
Re: Executables in Emails?
My thinking is that the earlier good practices can be drummed in the better. I've seen many tweens with smartphones! Then by the time the judgement kicks in in the mid 20s, presumaby some of the basics will be already baked in...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10287
PUBLISHED: 2020-07-15
The IRC5 family with UAS service enabled comes by default with credentials that can be found on publicly available manuals. ABB considers this a well documented functionality that helps customer set up however, out of our research, we found multiple production systems running these exact default cre...
CVE-2020-10288
PUBLISHED: 2020-07-15
IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.
CVE-2020-15780
PUBLISHED: 2020-07-15
An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.
CVE-2019-17639
PUBLISHED: 2020-07-15
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. This...
CVE-2019-20908
PUBLISHED: 2020-07-15
An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.