Nigerian scammers move from gullible consumers to businesses

Security researchers find malware linked to Nigeria-based 419 scammers in corporate networks


Nigerian scammers known for grammatically challenged email promising riches in return for a small up-front payment are moving into the business of launching malware attacks against companies.

The criminals have graduated from the so-called "419 scams" to using the same tools criminal groups deploy to steal passwords and other sensitive data from businesses, researchers with security company Palo Alto Networks reported Tuesday.


The easily recognizable 419 scams, one of the most common confidence tricks, target the Web's most gullible in an attempt to collect credit-card details or personal information.

Over the last few years, the Nigeria-based criminals have expanded their skillset to target businesses with remote administration tools (RATs) available on underground forums, Palo Alto reported.

RATs used by the Nigerian groups include NetWire, which provides attackers complete control over an infected system. Criminals in Eastern Europe often use such tools.

The attackers have managed to configure the malware to evade standard security tools, such as anti-virus software. As a result, Palo Alto has spotted the RAT on corporate networks, Rick Howard, chief security officer for the company, said.

"These guys have typically been on the low end of the attack spectrum and didn't normally go against businesses," Howard said. "But this research shows these kinds of attacks are showing up inside the business networks."

Because the scammers are using off-the-shelf software, signature updates to AV software and intrusion prevention systems will catch most of the malware.

However, the criminals are worth monitoring, because they are expected to grow more sophisticated in time.

"That will be the trend, but I don't expect it to happen tomorrow," Howard said. "But then again, many of us did not expect these kinds of hackers to move into this layer of attack capabilities."

The scammers distribute the malware via email as attachments with the names Quatation [sic] For Iran May Order.exe, Samples Photos Oct Order.exe and New Samples Required.exe.

The malware does not exploit any software vulnerabilities, but relies instead on social engineering to trick recipients into installing the malicious applications.

Traffic between the malware and its command-and-control server is sent over a virtual private network service called, which routes traffic through an IP address different from the one provided by the attackers' Internet service provider (ISP).

"This both hides the traffic from their local ISP and allows them to route the TCP port their RAT uses to their system," the Palo Alto paper on the attackers said. "In the case of NetWire, the default port is 3360, but may be changed by the operator."

The criminals' objectives appear to be stealing data they can use to further compromise the victim, Palo Alto said. Researchers had not seen any secondary payloads installed or lateral movement between systems on a corporate network.

"The tactics, techniques and procedures deployed by Silver Spaniel actors indicate their sophistication level is low compared to that of nation state sponsored actors and advanced cybercriminals," the report said.

Silver Spaniel is the code name researchers have given to the attackers' activities and techniques.

Palo Alto is not the first to spot the evolution of 419 scams. In November 2013, Trend Micro spotted similar attackers using malware called Ice IX, a variant of the Zeus Trojan, to try to capture online banking credentials.

Palo Alto identified alleged Nigerian attacker Ojie Victor as an example of the transition from 419 scammer to malware operator.

Victor came to the attention of researchers through a post on his Facebook account. Victor had sought help May 6 in using the latest release of NetWire.

The cover photo on Victor's Facebook profile shows a hand holding a small stack of $100 bills. Victor uses the handle "lovenotwars" on Facebook and many other locations on the Web, including dating websites.


Scammers often set up fake dating profiles to trick people into thinking they have entered an online relationship. Once hooked, the crooks try to trick the victims into sending money.

"While we have not connected Ojie Victor to specific attacks on Palo Alto Networks customers, his activities represent the characteristics of the Silver Spaniel campaign: individuals who began their criminal careers operating 419 scams and are evolving their craft to use malware tools found on underground forums," the research report said.

Copyright © 2014 IDG Communications, Inc.
