
Nigerian Cybercrime Matures, Morphs

INTERPOL, security researchers see West Africa cybercrime scene expanding and getting more sophisticated.

This is not your parents' Nigerian scam. Cybercrime gangs out of West Africa are upping their seasoned social engineering game with more advanced scams like business email compromise (BEC) and targeting health savings accounts.

Cybercriminals out of West Africa pilfered an average of $2.7 million from businesses and $422,000 on average from individuals during 2013-2015, according to new INTERPOL and Trend Micro data, a rate that is on the rise. It's a mixture of their traditional infamous 419 or Nigerian prince-type scams, and increasingly BEC and other scams that rely heavily on social engineering enhanced with a personal touch, with voice and Skype calls in addition to the usual email, social media, and instant messaging.

As in other regions such as Eastern Europe where cybercrime is rampant, the growth in West Africa's online scams correlates with an educated yet unemployed populace. Only half of the 10 million students who graduate from Africa's nearly 670 universities each year find jobs, and West Africa law enforcement says half of the cybercriminals they see are unemployed.

"The depth and breadth is larger and the impact is greater" with today's West African cybercrime gangs' scams, says Ed Cabrera, chief cybersecurity officer at Trend Micro. "What they've done is evolve their fraud schemes so they now encompass cybercrime tools and techniques to further or advance their fraud schemes."

But the West Africa cybercriminals still are not quite as technically sophisticated as their Eastern European cybercriminal counterparts. "They are doing a lot by trial-and-error, and tapping into other undergrounds to capacity-build" with malware and tools, he says of the West African cybercriminals.

There have been cases of Nigerian cybercriminals inadvertently infecting themselves with malware while infecting their victims. Trend Micro researchers report a recent case where a West African cybercriminal using keyloggers to steal email credentials for potential financial scams accidentally installed the keylogger on his own machine: that allowed researchers to sneak a peek at his logs and information and get a front-row seat to understand the inner workings of his operation.

SecureWorks last year revealed a similar situation, where the head of a cybercrime gang out of Nigeria, whom they dubbed "Mr. X," was outed by researchers after apparently infecting his machine with his own malware and ultimately leaving a trail of his online information and theft activity and his victims.

Scammers in this region often make up for their technical inexperience with sophisticated social engineering skills. "Part of their strength is the human element to affect these types of attacks," and they are more advanced with that personal touch than most Eastern European cybercrime groups that rely more on malware, says Cabrera, who at the upcoming Interop ITX conference will give tips on how to either stop or respond to ransomware attacks. 

An emerging scam targets corporate health savings accounts. Researchers at SecureWorks have been tracking this scam, where Nigerian hackers as well as cybercrime gangs out of Southeast Asia send victims spearphishing emails purportedly from HSA administrators. The emails typically ask the victim to confirm his or her username and password for the account: if the victim falls for it, the attackers then go into the account and have it direct funds to the attackers' bank account, typically a money mule account.

The National Health Information Sharing and Analysis Center (NH-ISAC) has identified at least six different businesses that have suffered from HSA scams. According to SecureWorks, victims have lost anywhere from several hundred to several thousands of dollars each.

Joe Stewart, director of malware research for SecureWorks, says his team spotted at least three groups focusing on HSA fraud, one of which had Nigerian origins and the other, Indonesian. "They were targeting those accounts for most of 2016," Stewart says.

The HSA attackers aren't making as much money as the BEC attackers, however, because those accounts typically don't have more than a few thousand dollars, Stewart notes.

BEC scams spread to nearly 100 nations last year and cost victims some $3 billion in losses, according to the FBI. The average loss is $140,000 per incident. A BEC typically works like this: the scammers pose as a company executive or other trusted person to dupe the recipient employee into wiring money to an account that is actually the scammer's, unbeknownst to the victim. BEC attacks don't even require malware.

These scams affect all kinds of industry sectors. Cybersecurity and policy attorney Kenneth Dort says he's seen a massive jump in these types of scams. "To be candid, my firm has gotten a few" Nigerian scam attempts, he says.

"The Nigerian prince scam got a little old, so it morphed into something else. I can't tell you how many times clients' CFOs are just inundated with bank requests, fake checks," says Dort, a partner with Drinker Biddle & Reath LLP.

Prince Update

INTERPOL and Trend Micro's study found that West African cybercriminals are typically men aged 19 to 39, and fall into two categories based on their level of technical expertise: what the researchers call "Yahoo boys" and "next-level cybercriminals." Yahoo boys are known for 419 scams and operate under the supervision of others, while next-level cybercriminals focus on BEC and tax scams, and also employ keyloggers, remote access Trojans, phishing tools, and ransomware they obtain from underground marketplaces.

SecureWorks refers to the latter group as "wire-wire" scammers. Unlike the traditional Nigerian 419 scams, this new generation of scams is run not by college-age fraudsters but by men in their late 20s to 40s, many of whom are considered pillars of society, active in their churches and communities.

Some 30% of cybercriminals in this region are arrested. Nigerian law enforcement has been aggressive in pursuing these scammers: a Nigerian national considered the mastermind behind several BEC and other scams was arrested by INTERPOL last August on charges of cheating companies out of more than $60 million. The arrests were reportedly made with the help of Nigeria's Economic and Financial Crime Commission (EFCC) as well as Trend Micro's findings.

But old-school, tried-and-true advance-fee fraud, aka 419 or Nigerian prince scams, is still alive and well – and lucrative.

SecureWorks' Stewart and his team, while doing research earlier this year into the operations of a specific wire-wire gang, stumbled across some fake documents and the mention of a "Mr. White" whom the gang was scamming. They contacted the possible victim, Henry White, a real estate developer.

White had been working with what he thought was a group of foreign investors to raise funding for his dream of starting his own construction business. He wrote a business plan, and through a friend found a website that provides information on investors in China. He was contacted by someone in London who had seen his post there and who told White he had an interested investor, asking White to send him the business plan, which he did. White was approved for a $2.2 million loan at 2% interest, with payment deferred for a period of two years.

The memorandum of understanding required a documentation fee for the overseas transaction; White said he inquired about the investor, and the London man gave him the name of a legitimate multi-millionaire named Mr. Mohammed out of Saudi Arabia who had several investments in US firms.

He even held Skype sessions with Mohammed, and the scammers used a screenshot of a man appearing to be a Saudi prince. "We spoke on Skype back and forth," White says.

White wired $10,000 for the fee to Mohammed, and then was billed for another $2,800 for "proof of funds documentation."

He received documentation that the $2 million was on its way. But it never came, and after several attempts to contact Mohammed to no avail, White realized he had been duped. "Lo and behold, it was my worst nightmare."

[Trend Micro's Ed Cabrera will be speaking about ransomware during Interop ITX, May 15-19, at the MGM Grand in Las Vegas.]

SecureWorks contacted White around that time, and continues to work on unmasking the gang behind the scam. "If he continues to communicate and is asking for money transfers, we may be able to social-engineer him" to snare him, Stewart says. "Or since all this went down with Mr. White, these fraudsters might start testing the waters with malware," which then could provide another trail to them, he says. The challenge is that these scammers use money mule accounts, so they are covering their tracks.

In the meantime, White says he is informing other users of the "investment" website and getting the word out as much as he can to warn other would-be victims not to fall for this and other similar scams.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Reader comment (User Rank: Strategist), 3/21/2017 3:34:20 PM, Re: Nigerian Cybercrime Matures..
After reading your write-up about the emergence of Nigerian cybercrime, I keep wondering if you have not really missed some important key elements in your article. For full disclosure, I am a Nigerian American with a degree in law and an MBA. I am also into cyber security. The issues above have a lot to do with the more than 10 million graduates from various universities in the region. The unemployed youths are much more sophisticated than what is being reported. They are left with no option than to look to the web to come up with an idea for defrauding the society in which they find themselves. This is by no means a justification for them. But, just letting you know that with no jobs they will look for any means to survive. To them, the rationalisation is that they need to survive. I grew up in Africa. I know first hand the struggle over there. With access to the internet, the world has become a global village whereby anyone can access any information at any time, anywhere. The governments of these countries need to provide enabling environments for these youths by creating jobs for them in order to deter them from illegal activities.