Unskilled Nigerian Behind Phishing Offensive Targeting World's Biggest Companies

A relatively unskilled man in his mid-20s, operating from a location near the capital of Nigeria, is the kingpin behind a four-month cyber-offensive that has affected 4,000 organizations globally.

According to an investigation by Check Point, a range of companies have been targeted by cyberattacks which aim to infect their networks, steal data and commit fraud. The victims include a marine and energy solutions company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction organization in Germany, and so on—leading international names in industries such as oil & gas, manufacturing, banking and construction.

“Successful attacks on this scale are usually attributed to expert gangs of cybercriminals—often backed by a nation-state, with the aim of destabilizing economies,” Check Point researchers said. “[Instead], he is a Nigerian national, working on his own. On his social media accounts, he uses the motto ‘get rich or die trying’.”

His attack campaign uses fraudulent emails which appear to originate from oil and gas giant Saudi Aramco, the world’s second-largest daily oil producer. The emails target financial staff within companies, aiming to trick them into revealing company bank details or opening the email’s malware-infected attachment.

“It’s particularly striking that his techniques display a low level of cyber-skills,” the researchers said. “His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them. The titles of the emails are generic, and phrased as ‘Dear Sir/Ms.’ The same mail is sent to numerous targets, all in blind carbon copy, urging victims to send back banking details, perhaps for future scams.”

The malware used is NetWire, a remote access Trojan which allows full control over infected machines, and Hawkeye, a keylogging program. Both are old, generic and readily available online. He also uses freeware to ‘scrape’ email addresses from corporate websites, which he then uses as targets for his campaigns, Check Point said.

The ramifications are myriad: both the financial losses and the potential for follow-on attacks should be concerns, the firm cautioned.

“In addition to the financial losses resulting from the attack, the malware used by the criminal to infect organizations gives remote control over infected machines, and can perform keylogging functions,” researchers explained. “This enables harvesting of a variety of information from infected machines, such as details on the companies’ operations, assets and intellectual property. These can have a value far greater than the thousands of dollars obtained by fraud. What happens when the hackers realize the real value of these assets and start to exploit them?”

Check Point’s research team has notified law enforcement authorities in Nigeria and internationally, it said.
