We’ve all received at least one email from a Nigerian prince or businessman, offering us a huge sum of money. However, we know it’s fake and the mail is a scam. Now that we’ve understood their game, they have leveled up and have come up with new tricks.
Security experts at Palo Alto Networks have reported that Nigerian cyber criminals have changed their strategy and are now using malware to target businesses that were not previously on their hit list. For the past three years, cyber crooks from Lagos have been using the same kinds of tools that established criminal groups use to steal corporate or government data.
The malware is usually delivered as an email attachment that the attackers try to trick the recipient into opening. Once the attachment is opened, it installs a spyware tool on the system that steals passwords and other private data from the computer; this data can then be used for financial gain.
Palo Alto Networks has tracked this activity under the codename Silver Spaniel. The criminals use a range of tools, including Remote Administration Tools (RATs) such as NetWire, which they purchased on black hat forums. These tools give them complete control over the victim’s computer.
Although the attackers from Nigeria don’t appear to have a strong technical background, they are certainly a threat to businesses. They also use an encryption tool called DataScrambler, which encrypts the malware so that it goes undetected by antivirus programs. Two such infected attachments were named “New Samples Required” and “Quotation for Iran May Order”.
Ryan Olson, Intelligence Director at Palo Alto Networks, in the report (PDF):
“These Silver Spaniel malware activities originate in Nigeria and employ tactics, techniques, and procedures similar to one another. The actors don’t show a high level of technical acumen, but represent a growing threat to businesses that have not previously been their primary targets.”
A few years ago, 419 scams were a notorious industry across Africa. Cyber crooks sent out a series of implausible emails to unsuspecting victims, who would then hand over their details to the criminals.
In most of these cases, the victims were promised a huge sum of money and were encouraged to pay a fee in order to get hold of that “huge amount”. In some cases, the victims were asked to travel to Nigeria to meet a middleman and claim the reward; when they did, they were beaten and robbed. These crimes are known as 419 scams after the section of the Nigerian penal code that covers such fraud. Although 419 scammers are social engineering experts, they are not technically proficient.
People in South Korea and Taiwan have been attacked in the recent months. Some cyber crooks have taken to Facebook to get help for their scams.
One such “hacker”, Engr Ojie Victor, has a Facebook page with multiple posts asking for help with NetWire, SpyEye, and Zeus features. Although the page isn’t officially linked to the Silver Spaniel attacks, according to Palo Alto he is an example of someone who starts his criminal career with 419 scams and later migrates to craftier attacks using malware obtained from underground forums.
Although many of the scammers used VPN services to hide their IP addresses, many of the DNS domains they used still resolved to IP addresses in Nigeria.
To stay safe, users can block all .exe attachments in email and inspect all .rar and .zip archives to make sure there is no malware inside them.
Installing a firewall is also a good idea, as it can block all access to the most commonly abused DNS domains. Users also need to be wary of suspicious-looking emails, even when the subject relates to their business or line of work. There are tools that help defend against these attacks; two prominent ones are the intrusion detection systems Snort and Suricata. Traditional antivirus software would be useless against these malicious .exe files, since they are encrypted to look like harmless files.
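One way to implement the attachment policy described above, as an added example that is not code from the article or from Palo Alto Networks: it parses a raw email, blocks executable attachments outright and looks inside ZIP archives (including nested ones) for executables, using only the Python standard library. The extension list and the sample lure message are constructed for the demo; RAR archives would need a third-party library and are not handled here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content (assumed gateway policy list, not from the report)
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def has_blocked_extension(name):
    return name.lower().endswith(BLOCKED_EXTENSIONS)


def inspect_zip(data):
    """Return names of executable members in a ZIP payload, recursing into nested ZIPs."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if has_blocked_extension(info.filename):
                    findings.append(info.filename)
                elif info.filename.lower().endswith(".zip"):
                    findings.extend(f"{info.filename}/{n}" for n in inspect_zip(zf.read(info)))
    except zipfile.BadZipFile:
        # An archive that does not parse cannot be inspected, so treat it as suspicious too
        findings.append("<corrupt or non-zip archive>")
    return findings


def inspect_message(raw):
    """Parse a raw RFC 822 message; return (attachment name, reason) pairs to block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if has_blocked_extension(name):
            verdicts.append((name, "executable attachment"))
        elif name.lower().endswith(".zip"):
            inner = inspect_zip(part.get_payload(decode=True) or b"")
            if inner:
                verdicts.append((name, "archive contains executable: " + ", ".join(inner)))
    return verdicts


def build_sample_message():
    """Constructed lure: a quotation-themed mail carrying a ZIP with a double-extension .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quotation.pdf.exe", b"MZ constructed placeholder, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "Quotation for May Order"
    msg.set_content("Please see the attached quotation.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Quotation.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()
```

Running `inspect_message(build_sample_message())` flags only `Quotation.zip`, naming the hidden `Quotation.pdf.exe`, while the benign PDF passes.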
Although the technical expertise of Nigerian scammers lags behind that of Russian, Chinese, and US hackers, they do represent a growing threat. At this time they are not equipped with the latest tools, but they may acquire more advanced techniques if these attacks prove successful.
As of now, these scammers are using basic techniques that can be countered with the right tools. Even without any advanced tools, the best defence is simply not to open suspicious emails, especially those with attachments.