Business Email Compromise (BEC) , Cybercrime , Email Security & Protection
Nigerian BEC Scammers Use Malware to Up the AnteBusiness Email Compromise Schemes Get More Sophisticated
Nigerian email scammers have come a long way from the days of asking for money to help a member of the country's royal family.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Times have changed and so have the scams. Over the last four years, several Nigerian criminal gangs have turned their attention to business email compromise schemes. Now they're using an increasing array of off-the-shelf malware to help advance their plans.
The most prolific of these groups, SilverTerrier, has been especially adept at adopting new technologies and techniques over the past several years, according to a recent analysis by Palo Alto Networks' Unit 42. The analysis determined this gang is using 20 types of commodity malware, including information stealers and remote administration tools - or RATs.
Over the last 12 months, the number of actors associated with SilverTerrier has increased to over 400, and during the last four years, this group has been responsible for over 1 million attacks, according to Unit 42. This has contributed to a 54 percen increase in BEC scams coming out of Nigeria in 2018, compared to 2017, the analysis found.
In 2018, Unit 42 recorded an average of about 28,000 Nigerian BEC attacks per month, with particularly high spikes in March and April.
"The latest research continues our chronicling of the evolution of Nigerian threat actors from unsophisticated spammers to proficient users and abusers of malware and other tools used by cybercriminals worldwide," says Jen Miller-Osborn, the deputy director of threat intelligence at Unit 42.
BEC Schemes on Rise Globally
What's happening with Nigerian scammers reflects a larger trend of cybercriminal gangs turning to business email compromise schemes to turn an illegal profit.
These schemes, which are also known as CEO fraud, have started to gain more attention from law enforcement as the number of incidents has increased over the past four years. In its annual Internet Crime Report released in April, the FBI reported that losses from business email compromise scams nearly doubled between 2017 and 2018, reaching $1.2 billion last year in the U.S. alone.
Globally, that number was over $12.5 billion between 2013 and 2018, according to FBI statistics (see: FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
In the typical business email compromise scheme, attackers start by stealing the email credentials of a top executive through phishing or other methods. Then they impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to various bank accounts. In other cases, the attackers spoof a company's business partner.
The FBI's most recent report warns that criminals are constantly changing tactics.
"Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector," the FBI report says.
Also of note: Starting in 2018, cybercriminals began asking for gift cards instead of money.
"The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons," according to the FBI.
With all this increased attention, the FBI and other law enforcement agencies have started to step up prosecutions related to BEC scams. On May 9, the U.S. Attorney's Office for the Southern District of New York indicted four individuals for allegedly running a multi-million dollar BEC scheme from 2016 to 2018.
Earlier this year, a Maryland man was sentenced to seven years in federal prison for running a $4.2 million BEC scam (see: Maryland Man Sentenced for Leading $4.2 Million BEC Scheme).
Focus on Nigeria
The Nigerian gangs are casting their nets as wide as possible in search of BEC victims, exporting their schemes to the U.S., Asia and Europe, Miller-Osborn of Unit 42 says. The targets include the tech industry, wholesale, manufacturing, education as well as professional and legal services.
"We don't have a dollar figure for the attacks that we've talked about here," Miller-Osborn tells Information Security Media Group. "However, we know that BEC is very lucrative globally and that these attackers have carried out 1.1 million attacks over four years. Also, given that they're now using tools that hide their malware so that only 58 percent of the time it's successfully detected, we can conclude that these attacks are successful enough in the eyes of the attackers."
One of the reasons that the Nigerian BEC schemes have proven successful is the increasing use of commodity malware, especially within the SilverTerrier group, Miller-Osborn says. Many times, the attackers deploy "crypters" to obfuscate the tools they are using and to circumvent an enterprise's detection capabilities, according to Unit 42.
"What we've shown is that they're using the same widely and broadly available tools that other attackers are using," Miller-Osborn says. "We don't see these attackers building their own tools."
The Unit 42 analysis found that SilverTerrier and related groups are focused on two types of commodity malware: Information stealers and remote administrative tools - sometimes referred to as remote access Trojans.
The researchers found that the SilverTerrier group uses 10 types of information stealers: AgentTesla, Atmos, AzoRult, ISpySoftware, ISR Stealer, KeyBase, LokiBot, Pony, PredatorPain and Zeus. In most cases, these are used to capture screenshots, passwords and other sensitive details belonging to the victims.
These information stealers usually rely on simple command-and-control mechanisms, including web servers, FTP servers and SMTP email connections, the researchers say.
The Unit 42 researchers also found that SilverTerrier and its associates use 10 types of commodity remote administrative tools, including NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind and HWorm. These are used for modifying systems, accessing network resources and performing functions on behalf of compromised users, including sending fraudulent emails and accessing databases.
The Unit 42 analysis shows that in addition to relying on more of these remote administrative tools, the SilverTerrier group has developed new and much more complex infrastructure to support them. For instance, because the control servers that support remote administrative tools are often running on a high number of ephemeral ports, the gang has developed dynamic DNS and virtual servers to add a layer of obfuscation to hide their activities and extend the life of the malware.
A deep look at the numbers over the last year, however, shows a shift away from information stealers and a greater emphasis on using remote administrative tools as part of these BEC schemes. The Unit 42 research shows that in 2018, SilverTerrier produced about 1,000 information stealer samples each month. But new samples of stealers declined 26 percent, while remote administrative tools increased 36 percent during this time, producing about 533 different samples each month.
The reason for this, according to Unit 42, is that the remote administrative tools are giving the cyber gang greater capability to pull off their schemes.
The fact that SilverTerrier and other Nigerian gangs are adopting more complex and dangerous tools shouldn't surprise anyone in the security field given the history of how cybercriminal schemes have developed over the last several years, Miller-Osborn says.
"For many people, the idea that Nigerian threat actors are acting on par with other cybercriminals around the world in terms of sophistication would be surprising," Miller-Osborn says. "However, this is in line with what we've been tracking since 2014 and so in that regard it's not surprising. The most important lesson here is that attackers evolve and it's important to continue to monitor threat actors to accurately reassess the threat they pose over time."