This is not your parents' Nigerian scam. Cybercrime gangs out of West Africa are upping their seasoned social engineering game with more advanced scams like business email compromise (BEC) and targeting health savings accounts.
Cybercriminals out of West Africa pilfered an average of $2.7 million from businesses and $422,000 on average from individuals during 2013-2015, according to new INTERPOL and Trend Micro data, a rate that is on the rise. It's a mixture of their traditional infamous 419 or Nigerian prince-type scams, and increasingly BEC and other scams that rely heavily on social engineering enhanced with a personal touch, with voice and Skype calls in addition to the usual email, social media, and instant messaging.
As in other regions such as Eastern Europe where cybercrime is rampant, the growth in West Africa's online scams correlates with an educated yet unemployed populace. Only half of the 10 million students who graduate from Africa's nearly 670 universities each year find jobs, and West Africa law enforcement says half of the cybercriminals they see are unemployed.
"The depth and breadth is larger and the impact is greater" with today's West African cybercrime gangs' scams, says Ed Cabrera, chief cybersecurity officer at Trend Micro. "What they've done is evolve their fraud schemes so they now encompass cybercrime tools and techniques to further or advance their fraud schemes."
But the West Africa cybercriminals still are not quite as technically sophisticated as their Eastern European cybercriminal counterparts. "They are doing a lot by trial-and-error, and tapping into other undergrounds to capacity-build" with malware and tools, he says of the West African cybercriminals.
There have been cases of Nigerian cybercriminals inavertently infecting themselves with malware while infecting their victims. Trend Micro researchers report a recent case where a West Africa cybercriminal using keyloggers to steal email credentials for potential financial scams accidentally installed the keylogger on his own machine: that allowed researchers to sneak a peek at his logs and information and get a front-row seat to understand the inner workings of his operation.
SecureWorks last year revealed a similar situation, where the head of a cybercrime gang out of Nigeria, whom they dubbed "Mr. X," was outed by researchers after apparently infecting his machine with his own malware and ultimately leaving a trail of his online information and theft activity and his victims.
Scammers in this region often make up for their technical inexperience with sophisticated social engineering skills. "Part of their strength is the human element to affect these types of attacks," and they are more advanced with that personal touch than most Eastern European cybercrime groups that rely more on malware, says Cabrera, who at the upcoming Interop ITX conference will give tips on how to either stop or respond to ransomware attacks.
An emerging scam targets corporate health savings accounts. Researchers at SecureWorks have been tracking this scam, where Nigerian hackers as well as cybercrime gangs out of Southeast Asia send victims spearphishing emails purportedly from HSA administrators. The emails typically ask the victim to confirm his or her username and password for the account: if the victim falls for it, the attackers then go into the account and have it direct funds to the attackers' bank account, typically a money mule account.
The National Health Information Sharing and Analysis Center (NH-ISAC) has identified at least six different businesses that have suffered from HSA scams. According to SecureWorks, victims have lost anywhere from several hundred to several thousands of dollars each.
Joe Stewart, director of malware research for SecureWorks, says his team spotted at least three groups focusing on HSA fraud, one of which had Nigerian origins and the other, Indonesian. "They were targeting those accounts for most of 2016," Stewart says.
The HSA attackers aren't making as much money as the BEC attackers, however, because those accounts typically don't have more than a few thousand dollars, Stewart notes.
BEC scams spread to nearly 100 nations last year and costing victims some $3 billion in losses, according to the FBI. The average loss is $140,000 per incident. The BEC typically works like this: the scammers pose as a company executive or other person to dupe the recipient employee into wiring money to an account that's actually that of the scammer, unbeknownst to the victim. BEC attacks don't even require malware.
These scams affect all kinds of industry sectors. Cybersecurity and policy attorney Kenneth Dort says he's seen a massive jump on these types of scams. "To be candid, my firm has gotten a few" Nigerian scam attempts, he says.
"The Nigerian prince scam got a little old, so it morphed into something else. I can't tell you how many times clients' CFOs are just inundated with bank requests, fake checks," says Dort, a partner with Drinker Biddle & Reath LLP.
INTERPOL and Trend Micro's study found that West African cybercriminals are typically men aged 19- to 39 years old, and fall into two categories: what they call "Yahoo boys" or "nextlevel cybercriminals," based on their levels of technical expertise. Yahoo boys are known for 419 scams and operate under the supervision of others, while next-level cybercriminals focus on BEC, tax scams, and also employ keyloggers, remote access Trojans, phishing tools, and ransomware they obtain from underground marketplaces.
SecureWorks refers to the latter group as "wire-wire" scammers. Unlike the traditional Nigerian 419 scams, this new generation of scammers is not employed by college-age fraudsters but by men in their late 20s to 40s, many of whom are considered pillars of society, active in their churches and communities.
Some 30% of cybercriminals in this region are arrested. Nigerian law enforcement has been aggressive in pursuing these scammers: a Nigerian national considered the mastermind behind several BEC and other scams was arrested by INTERPOL last August on charges of cheating companies out of more than $60 million, The arrests were reportedly made with the help of Nigeria’s Economic and Financial Crime Commission (EFCC) as well as Trend Micro's findings.
But old-school, tried-and-true advance-fee fraud, aka 419 or Nigerian prince scams, is still alive and well – and lucrative.
SecureWorks' Stewart and his team, while doing research earlier this year looking at the operations of a specific wire-wire gang, stumbled across some fake documents and the mention of a "Mr. White" with whom the gang was scamming. They contacted the possible victim, Henry White, a real estate developer.
White had been working with what he thought was a group of foreign investors to raise funding for his dream of starting his own construction business. He wrote a business plan, and through a friend found a website that provides information on investors in China. He was contacted by someone in London who had seen his post there, and who told White he had an interested investor so to send him his business plan, which he did. White was approved for a $2.2 million loan at 2% interest and payment deferred for a period of two years.
The memorandum of understanding required a documentation fee for overseas transaction; White said he inquired about the investor, and the London man gave him the name of a legitimate multi-millionaire named Mr. Mohammed out of Saudi Arabia who had several investments in US firms.
He even held Skype sessions with Mohammed, and the scammers used a screenshot of a man appearing to be a Saudi prince. "We spoke on Skype back and forth," White says.
White wired $10,000 for the fee to Mohammed, and then was billed for another $2,800 for "proof of funds documentation."
He received documentation that the $2 million was on its way. But it never came, and after several attempts to contact Mohammed to no avail, White realized he had been duped. "Lo and behold, it was my worst nightmare."
[Trend Micro's Ed Cabrera will be speaking about ransomware during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. To learn more about his presentation, other Interop security tracks, or to register click on the live links.]
SecureWorks contacted White around that time, and continues to work on unmasking the gang behind the scam. "If he continues to communicate and is asking for money transfers, we may be able to social-engineer him" to snare him, Stewart says. "Or since all this went down with Mr. White, these fraudsters might start testing the waters with malware," which then could provide another trail to them, he says. The challenge is that these scammers use money mule accounts, so they are covering their tracks.
In the meantime, White says he is informing other users of the "investment" website and getting the word out as much as he can to warn other would-be victims not to fall for this and other similar scams.