Nigerian scammers move from gullible consumers to businesses

Nigerian scammers known for grammatically challenged emails promising riches in return for a small up-front payment are moving into the business of launching malware attacks against companies.

The criminals have graduated from the so-called "419 scams" to using the same tools other criminal groups deploy to steal passwords and other sensitive data from businesses, researchers with security company Palo Alto Networks reported Tuesday.


The easily recognizable 419 scams, one of the most common confidence tricks, target the Web's most gullible users in an attempt to collect an advance fee, credit-card details or personal information.

Over the last few years, the Nigeria-based criminals have expanded their skillset to target businesses with remote administration tools (RATs) available on underground forums, Palo Alto reported.

RATs used by the Nigerian groups include NetWire, which gives an attacker complete control over an infected system. Such tools are commonly used by criminal groups in Eastern Europe.

The attackers have managed to configure the malware to evade standard security tools, such as anti-virus software. As a result, Palo Alto has spotted the RAT on corporate networks, Rick Howard, chief security officer for the company, said.

"These guys have typically been on the low end of the attack spectrum and didn't normally go against businesses," Howard said. "But this research shows these kinds of attacks are showing up inside the business networks."

Because the scammers are using off-the-shelf malware, signature updates to AV software and intrusion prevention systems will catch most of it.

However, the criminals are worth monitoring, because they are expected to grow more sophisticated in time.

"That will be the trend, but I don't expect it to happen tomorrow," Howard said. "But then again, many of us did not expect these kinds of hackers to move into this layer of attack capabilities."

The scammers distribute the malware as email attachments: executables carrying document-like names such as Quatation [sic] For Iran May Order.exe, Samples Photos Oct Order.exe and New Samples Required.exe.

The malware does not exploit any software vulnerability; it relies instead on social engineering to trick recipients into running the malicious executables.

Traffic between the malware and its command-and-control server is sent over a virtual private network (VPN) service, which routes the traffic through an IP address different from the one assigned by the attackers' Internet service provider (ISP).

"This both hides the traffic from their local ISP and allows them to route the TCP port their RAT uses to their system," the Palo Alto paper on the attackers said. "In the case of NetWire, the default port is 3360, but may be changed by the operator."
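The two concrete indicators the article gives, executables with business-document names arriving as attachments and outbound TCP connections to NetWire's default port, are the kind of thing a defender would turn into a first-pass triage script. The following is an added example written for this page, not code from Palo Alto Networks or from the report; the attachment list, the connection records and the lure-word list are constructed for illustration, and the extension list is an assumption. It also encodes the two caveats the passage implies: the port can be changed by the operator, so a port hit is a lead rather than proof, and because the operator sits behind a VPN service the destination address belongs to the VPN exit, not to the attacker.

```python
import os
import re
from collections import defaultdict

# Default NetWire listener port quoted in the Palo Alto report; operators can change it,
# so treat a port match as a lead to pivot on, not as proof of infection.
NETWIRE_DEFAULT_PORT = 3360

# Extensions that run when double-clicked on Windows (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Business-document words seen in the lure filenames. qu[ao]t\w* also catches the
# misspelled "Quatation" used in the real attachment name.
LURE_WORDS = re.compile(r"\b(order|qu[ao]t\w*|samples?|invoice|photos?|required)\b",
                        re.IGNORECASE)

# Constructed attachment names for the example (the first three are the names the
# article quotes; the rest are benign filler).
SAMPLE_ATTACHMENTS = [
    "Quatation For Iran May Order.exe",
    "Samples Photos Oct Order.exe",
    "New Samples Required.exe",
    "Q3 Forecast.xlsx",
    "invoice_2044.pdf",
    "setup.exe",
]

# Constructed outbound-connection records in the form
# "timestamp src_ip src_port dst_ip dst_port proto bytes". Addresses are from
# documentation ranges; nothing here is taken from the report.
SAMPLE_CONN_LOG = """\
2014-07-22T09:15:01Z 10.0.3.14 51022 203.0.113.45 443 tcp 18422
2014-07-22T09:15:07Z 10.0.3.14 51023 198.51.100.77 3360 tcp 912
2014-07-22T09:15:09Z 10.0.3.14 51024 198.51.100.77 3360 tcp 1440
2014-07-22T09:16:40Z 10.0.5.9 50211 203.0.113.45 443 tcp 22001
2014-07-22T09:17:02Z 10.0.7.21 50990 198.51.100.77 3360 tcp 880
2014-07-22T09:18:15Z 10.0.7.21 50991 198.51.100.77 3360 udp 120
"""


def lure_attachments(names):
    """Return attachment names that execute on Windows but are dressed up as documents."""
    flagged = []
    for name in names:
        # The last extension decides what Windows runs, so "Photos.jpg.exe" is still .exe.
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS and LURE_WORDS.search(name):
            flagged.append(name)
    return flagged


def parse_conn_log(text):
    """Parse the whitespace-separated connection records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, nbytes = parts
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                        "proto": proto.lower(), "bytes": int(nbytes)})
    return records


def rat_port_destinations(records, port=NETWIRE_DEFAULT_PORT):
    """Map each destination reached over TCP on the RAT port to the internal hosts that reached it.

    The destination is the VPN provider's exit address rather than the attacker's own, so
    blocking it may also cut off legitimate users of that VPN service. Several internal
    hosts talking to the same exit on the same unusual port is the pattern worth escalating.
    """
    by_dst = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == port:
            by_dst[r["dst"]].add(r["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


if __name__ == "__main__":
    print("lure attachments:", lure_attachments(SAMPLE_ATTACHMENTS))
    hits = rat_port_destinations(parse_conn_log(SAMPLE_CONN_LOG))
    for dst, srcs in hits.items():
        print(f"{dst}:{NETWIRE_DEFAULT_PORT} reached by {len(srcs)} host(s): {', '.join(srcs)}")
```

Run against the constructed data, the first function flags exactly the three lure names and leaves setup.exe alone (executable, but no document-style wording), and the second reports one VPN exit address contacted on TCP 3360 by two internal hosts. Passing a different `port` covers the case where the operator has moved NetWire off its default.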

The criminals' objectives appear to be stealing data they can use to further compromise the victim, Palo Alto said. Researchers had not seen any secondary payloads installed or any lateral movement between systems on a corporate network.

"The tactics, techniques and procedures deployed by Silver Spaniel actors indicate their sophistication level is low compared to that of nation state sponsored actors and advanced cybercriminals," the report said.

Silver Spaniel is the code name researchers have given to the attackers' activities and techniques.

Palo Alto is not the first to spot the evolution of 419 scams. In November 2013, Trend Micro spotted similar attackers using malware called Ice IX, a variant of the Zeus Trojan, to try to capture online banking credentials.

Palo Alto identified alleged Nigerian attacker Ojie Victor as an example of the transition from 419 scammer to malware operator.

Victor came to the attention of researchers through a post on his Facebook account, in which he had sought help on May 6 with using the latest release of NetWire.

The cover photo on Victor's Facebook profile shows a hand holding a small stack of $100 bills. Victor uses the handle "lovenotwars" on Facebook and many other locations on the Web, including dating websites.


Scammers often set up fake dating profiles to trick people into thinking they have entered an online relationship. Once hooked, the crooks try to trick the victims into sending money.

"While we have not connected Ojie Victor to specific attacks on Palo Alto Networks customers, his activities represent the characteristics of the Silver Spaniel campaign: individuals who began their criminal careers operating 419 scams and are evolving their craft to use malware tools found on underground forums," the research report said.

Stories by Antone Gonsalves