FireEye report on the TTPs of a Nigerian 419 scammer group

FireEye published a report on the operations of a group of 419 scammers located in Nigeria that uses malware as a component of its fraud scams.

Security firm FireEye has published a new report on a group of 419 scammers that is using keyloggers and other malware to run its fraud scheme. According to the investigators, the fraudsters diverted potentially millions of dollars in payments from over 2,000 victims worldwide.

The report, titled “An Inside Look into the World of Nigerian Scammers,” reveals the TTPs of a small group composed of at least four criminals living in Africa.

The experts traced the gang's operation back to a single C&C server. The fraudsters consistently used the Microsoft Word Intruder (MWI) exploit kit to build the malicious documents with which they infect victims with keyloggers such as HawkEye and KeyBase.

“The cybercriminals behind this operation are located in Nigeria and are using malware as a component of their fraud scams. The group adopted the Microsoft Word Intruder (MWI) exploit kit as one of its primary methods. It uses MWI to infect victims with HawkEye—a commercial keylogger that has become well known due to its high rate of infection success across multiple industries—and another keylogger called KeyBase,” states the report.

The report counts 2,328 victims across 54 countries; the majority are in India (45%), Indonesia (19%) and Vietnam (17%).

According to the experts at FireEye, this choice of targets is not accidental: the documents used in the scam appear more credible to non-native English speakers in those Asian countries, and the fraudsters also targeted individuals in countries where they hold bank accounts or can easily transfer money into such accounts.

“We have also seen scammers search Google for email listings of trade show participants and suppliers or distributors of various goods. The scammers extract email addresses from these pages using email scraping tools. Of particular interest to them are email addresses from free email service providers,” states the report. “There are a few possible reasons for them to target free email accounts: Fewer obstacles to spoof the email addresses. The scammers would not have to register a domain and set up an email server. A free email account might indicate that the user is not technically savvy or is a small business.”

The report also revealed that the scammers have limited technical skills, so they look for help on dark net forums.

“To obtain exploits, crypters, infostealers and remote access tools (RATS), they access forums to inquire and search for malicious software…We have observed several instances of the scammers interacting with tool providers. As these interactions show, the scammers are heavily reliant on third-party malicious tool developers to create and maintain their tools. They rely on these third-party tool providers to furnish them with documentation or tutorials on the tools, to create stealthy exploits, and to troubleshoot issues.”

The way the fraudsters operate is as simple as it is effective: once they have infected a victim’s machine, they monitor the keylog files for email accounts dealing with purchase transactions.

Once the criminals spot a transaction, they log into the victim’s email account, impersonate the victim and ask the buyer to send the payment to an account they control.

They then instruct a money mule to handle the incoming payment.

In one case, the experts at FireEye observed a single transaction worth $1 million.

“With this single transaction, the scammer is slated to collect over $1 million. We believe that they launder their money through a few strategies such as buying gold and luxury items, or mixing the money they have obtained through these scams with money collected legitimately,” states the report.

To avoid falling victim to 419 scammers, a few rules can reduce exposure to fraudsters: adopt two-factor authentication for online accounts, never open attachments in unsolicited emails, check the source of emails carefully, and always contact the buyer through a separate channel, for example by phone, before any transaction.

Pierluigi Paganini

(Security Affairs – 419 scammers, cybercrime)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
