A group of Nigerian online scammers accidentally revealed their identities and work to the public after infecting themselves with malware.
The scammers were found using a new kind of attack called "wire-wire", which enabled the cybercrooks to rake in large amounts of money from businesses around the world, according to a report by IEEE Spectrum. SecureWorks security experts Joe Stewart and James Bettke discovered this when they came across keylogger malware online that was sending unsecured data to an open web server.
The typical scamming method in Africa involves a technique known as "Business Email Compromise," or simply BEC, where criminals use internal corporate email accounts to execute fraudulent transactions. Wire-wire, on the other hand, brings a more sophisticated approach to BEC and is harder to detect. Stewart and Bettke discovered the operation back in February, when five of the scammers infected their own computers with the same malware they use to steal from other businesses.
The malware continuously uploaded screenshots and keystrokes from the infected computers to an open web database; the researchers found it while using a virus scanning tool to search for malicious email attachments. There were even instances where scammers were training new recruits, which leaked even more information about how their scamming techniques work.
How does the scam work? The cybercriminals use a marketing tool to gather the email addresses of businesses. Then they blast malicious emails to the collected addresses, containing either keylogging malware or malicious links. If the victim opens these, they are prompted to enter their password, which the criminals then capture.
Once they gain access to the email accounts, they discreetly hunt for pending financial transactions without the owner's knowledge. When they notice that the owner is sending an invoice to a customer, they reroute the message through their own email account and alter the bank account and routing number before forwarding it, creating a man-in-the-middle attack. Throughout, the scammers use an email address that closely resembles the original, the usual ploy in phishing. Once this is done, the buyer inadvertently wires the money to the criminal instead of the seller.
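The two signals a buyer can check for in the scenario above are a sender or Reply-To domain that is a near-miss of the vendor's real domain, and bank details in the invoice that differ from the payee record on file. The following is an added illustration, not code from the article or from SecureWorks; the vendor domain, bank record and sample message are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor record (not from the article): the domain the seller
# legitimately mails from and the payee details the buyer has on file.
VENDOR_DOMAIN = "acme-supply.example"
KNOWN_BANK = {"routing": "011000015", "account": "123456789"}

# Constructed sample message in the pattern the article describes: a
# look-alike sender domain forwarding an invoice with altered bank details.
SAMPLE_EMAIL = """\
From: Accounts <billing@acme-suppiy.example>
Reply-To: billing@acme-suppiy.example
Subject: Invoice 4471 - updated remittance details

Please pay this invoice to our new account.
Routing: 021000021
Account: 987654321
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_invoice_email(raw: str, vendor_domain: str, known_bank: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    vendor_domain = vendor_domain.lower()
    findings = []
    for header in ("From", "Reply-To"):          # both are rewritten in the scam
        addr = parseaddr(msg.get(header, ""))[1].lower()
        domain = addr.rsplit("@", 1)[-1]
        if addr and domain != vendor_domain:
            kind = "look-alike" if edit_distance(domain, vendor_domain) <= 2 else "unknown"
            findings.append(f"{header}: {kind} domain {domain}")
    body = msg.get_payload()
    for field in ("routing", "account"):          # compare against the record on file
        m = re.search(rf"{field}\s*[:#]\s*(\d+)", body, re.IGNORECASE)
        if m and m.group(1) != known_bank[field]:
            findings.append(f"{field} number changed: {known_bank[field]} -> {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in check_invoice_email(SAMPLE_EMAIL, VENDOR_DOMAIN, KNOWN_BANK):
        print("ALERT:", finding)
```

A real deployment would pull the payee record from the accounts-payable system and confirm any banking change out of band before paying; the check above only raises the flag.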
The scam has reportedly netted $30,000 to $60,000 per transaction from small to medium-sized businesses since February. Bettke and Stewart estimate that the Nigerian scammer group they observed has at least 30 members and steals $3 million a year.
The two security researchers contacted the victimized companies and told them about the scam, but were reportedly mistaken for scammers themselves. However, the SecureWorks team has already informed Nigeria's Economic and Financial Crimes Commission, which is now conducting an active investigation.
Source: IEEE Spectrum