The Nigerian cyber-crime scene, famous for its Nigerian Prince and 419 scam tactics, has evolved to using malware and is now actively targeting enterprises using BEC (Business Email Compromise) techniques, a SecureWorks investigation has revealed.
For many years, the Internet has been plagued by massive spam floods, in most instances carrying emails from Nigerian cyber-crime crews that were trying to extort and fool home users into sending them money via various methods. Historically, these crews have been calling themselves “yahoo-yahoo boys,” “yahoo boiz,” or “G-boys.”
As time passed and as the Internet population got more educated, their tactics became known and entered the Internet lore. As such, a change was needed.
Nigerian scammers shift focus to businesses
According to SecureWorks, Nigerian scam crews have shifted their focus from home users to businesses. Using BEC (Business Email Compromise) and BES (Business Email Spoofing) tactics, these crews target the email communications between companies, looking for orders and invoices.
The scammers compromise email servers or email accounts, search for ongoing business leads, and register look-alike domains in order to intervene as a middleman between those email exchanges.
Most of the time they clumsily edit emailed PDF invoices, replacing the legitimate bank account details with their own. They also send spoofed emails claiming to come from one or another high-ranking exec inside a company, demanding an urgent payment. The first method seems to be more lucrative than the second, since it is harder to spot.
WWG1 uses email bombs and RATs
SecureWorks says it discovered a group it named “Wire-Wire Group 1” (WWG1) or Threat Group-2798 (TG-2798) that is actively targeting businesses.
This group uses commodity remote access trojans (RATs), which they email en masse to victims in a tactic called an email bomb. The malware is used to infect targets, take control of their PCs, and gather intelligence. SecureWorks says the group is not particularly adept at dealing with malware but has one member who handles this operation.
In fact, the group managed to infect one of their own computers, allowing SecureWorks experts that were investigating the RAT’s server to discover details about their operations.
WWG1 has over 30 members
WWG1 consists of over 30 members, most of whom are in their late twenties to forties, operate from home, don’t flaunt their wealth on social media, and are very active in their local churches.
This is the opposite of the image of yahoo boyz everyone had in the past: college teens who operate from cyber-cafes and show off on social media.
In fact, most of the Nigerian BEC scammer gangs don’t use the yahoo boyz term to describe themselves, but use expressions such as “wire-wire,” “waya-waya,” or “the new G-work.”
SecureWorks recommends that businesses implement 2FA for corporate and personal email accounts, inspect corporate email control panels for suspicious redirect rules, carefully review current and past wire transfers for the correct payment details, and use non-email channels to confirm wire transfers with their business partners.
To help enterprises targeted by BEC groups of this kind, the company has even released a tool that can analyze PDFs and highlight any later edits, such as new bank account numbers overlaid on top of the original document.
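As an added illustration (not SecureWorks' tool and not code from the article), the following Python script shows one way such later edits can be surfaced: PDF editors usually save changes as incremental updates appended after the original %%EOF, so a file that redefines an object in a later revision can be flagged and the old and new stream contents compared. The sample PDF bytes are constructed for this example.

```python
import re

# Constructed sample, not a real invoice: a minimal PDF whose page content stream
# is object 3, then an incremental update that redefines object 3. Byte offsets in
# the xref tables are illustrative; the detector below does not depend on them.
ORIGINAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Length 35 >>\nstream\nBT (Pay to account 1111-2222) Tj ET\nendstream\nendobj\n"
    b"xref\n0 4\n0000000000 65535 f \n0000000009 00000 n \n0000000052 00000 n \n0000000101 00000 n \n"
    b"trailer\n<< /Size 4 /Root 1 0 R >>\nstartxref\n190\n%%EOF\n"
)
# The "edit": a new copy of object 3 is appended and the new trailer chains back to
# the earlier xref with /Prev. Viewers render only the newest copy of each object.
EDITED_PDF = ORIGINAL_PDF + (
    b"3 0 obj\n<< /Length 35 >>\nstream\nBT (Pay to account 9999-8888) Tj ET\nendstream\nendobj\n"
    b"xref\n0 1\n0000000000 65535 f \n3 1\n0000000290 00000 n \n"
    b"trailer\n<< /Size 4 /Root 1 0 R /Prev 190 >>\nstartxref\n380\n%%EOF\n"
)

def revisions(pdf: bytes) -> list[dict]:
    """One record per %%EOF-terminated revision, in file order: the trailer's /Prev
    offset (None for the original save) and the object numbers defined in it. PDF 1.5+
    cross-reference streams keep /Prev in a stream dictionary, not parsed here."""
    out = []
    for n, chunk in enumerate(pdf.split(b"%%EOF")[:-1], start=1):
        trailer = re.search(rb"trailer\s*<<(.*?)>>", chunk, re.S)
        prev = re.search(rb"/Prev\s+(\d+)", trailer.group(1)) if trailer else None
        objs = sorted({int(m) for m in re.findall(rb"(?<!\d)(\d+)\s+\d+\s+obj\b", chunk)})
        out.append({"revision": n, "prev": int(prev.group(1)) if prev else None, "objects": objs})
    return out

def redefined_objects(pdf: bytes) -> dict[int, list[int]]:
    """Map each object overwritten by a later revision to the revisions that redefine it.
    Form filling and digital signing also append updates, so a hit is a triage signal."""
    seen, hits = {}, {}
    for rev in revisions(pdf):
        for obj in rev["objects"]:
            if obj in seen:
                hits.setdefault(obj, []).append(rev["revision"])
            seen.setdefault(obj, rev["revision"])
    return hits

def stream_history(pdf: bytes, obj: int) -> list[bytes]:
    """Every stream body ever written for an object, oldest first, so the text the
    recipient sees can be compared with what the document originally carried."""
    pattern = rb"(?<!\d)%d\s+\d+\s+obj\b.*?stream\r?\n(.*?)\r?\nendstream" % obj
    return re.findall(pattern, pdf, re.S)
```

A document saved afresh by an editor is rewritten from scratch, so the absence of incremental updates proves nothing; the check only catches the cheap append-style edits the article describes.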