FireEye Uncovers Turbo Charged Nigerian 419 Group

Security vendor FireEye has shed light on a new group of 419 scammers using keyloggers and other malware to divert potentially millions of dollars in payments from over 2000 victims worldwide.

The new report, An Inside Look into the World of Nigerian Scammers, reveals the work of a small group of at least four cyber-criminals living in the African nation.

They all share the same C&C server and the MWI exploit kit to create malicious documents that infect victims with keyloggers like HawkEye and KeyBase.

Although the group’s victims number 2328 in 54 countries thus far, the majority are in Asian countries including India (45%), Indonesia (19%), Vietnam (17%), Malaysia (4%) and China (3%).

This is because the scams appear more credible to non-native English speakers, who are less likely to spot the scammers’ grammatical mistakes.

The group also chooses its victims in countries where it already holds bank accounts or can easily transfer money into those accounts, and favours victims using free webmail accounts – “which might indicate that the user is not technically savvy or is a small business.”

Lacking technical skills to mount attacks on their own, the scammers search for help on the dark net, FireEye explained:

“To obtain exploits, crypters, infostealers and remote access tools (RATS), they access forums to inquire and search for malicious software…We have observed several instances of the scammers interacting with tool providers. As these interactions show, the scammers are heavily reliant on third-party malicious tool developers to create and maintain their tools. They rely on these third-party tool providers to furnish them with documentation or tutorials on the tools, to create stealthy exploits, and to troubleshoot issues.”

Having infected their victims, the scammers monitor the keylog files for email accounts dealing with purchase transactions.

On spotting such a transaction they’ll log into the victim account and play man-in-the-middle, waiting for the right moment before emailing the buyer to change the payment account details to their own.

They then contact the money mule to alert them about the new transaction.

FireEye observed one single transaction worth $1m.

“We believe that they launder their money through a few strategies such as buying gold and luxury items, or mixing the money they have obtained through these scams with money collected legitimately,” the report explained.

To mitigate the risk of attack, FireEye recommended small business owners use two-factor authentication for sensitive online accounts, never open attachments in unsolicited emails, and contact the buyer directly via phone to validate transaction details.

It’s also a good idea to pay close attention to business transactions and email addresses, it added.