Nigerian scammers buy exploit kits to defraud Asian businesses

A small group of Nigerian scammers is using more sophisticated methods to defraud mostly Asian businesses, including buying exploit kits and malware from experienced coders, according to a new report from FireEye.

The security company said the group performs deep reconnaissance of its potential victims, jumping inside financial transactions in order to try to divert payments to their own accounts.

The schemes are much more complex than so-called 419 or advance fee fraud scams, where random victims are induced to send funds in order to get a non-existent but much larger payoff.

To carry out the scam, the group often uses the Microsoft Word Intruder exploit kit. The kit can be used to create malicious Word documents that are then sent over email. If opened, the victim’s computer will be infected with a keylogger.

The group buys the tools from experienced malicious software coders, paying for remote access tools, keyloggers and exploit kits, FireEye said.

More than 2,300 victims have been targeted in 54 countries. It appears the group seeks out small to medium size businesses in Asia that perform financial transfers to suppliers. By targeting non-Asian speakers, the grammatical atrocities of the phishing emails are also less noticeable, which can be tipoffs to a scam.

The exploit kit will install the HawkEye or KeyBase keyloggers, which collect authentication credentials for email accounts. The scammers then watch those accounts, monitoring correspondence between businesses and suppliers, looking for an opportune moment to inject themselves into a transaction.

“Once the scammers identify an interesting victim, they log into the victims accounts using the stolen credentials and study the different transactions in which the victims are involved,” FireEye wrote.

If a pending transaction looks promising, the group creates a similar email address as to the victim, copying the email thread between the two parties to make it look legitimate. The scammers then pressure one party to accept different bank account details, diverting money to their own accounts.

The scammers then use a network of mules to accept the payments into their own accounts and forward it on.

Some operations have been very lucrative successes. FireEye included emails from one scammer to a money mule partner in Indonesia alerting that $900,000 and €300,000 would be transferred to an account soon.

“With this single transaction, the scammer is slated to collect over $1 million,” FireEye wrote. “We believe that they launder their money through a few strategies such as buying gold and luxury items, or mixing the money they have obtained through these scams with money collected legitimately.”

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk