SecureWorks researchers Joe Stewart and James Bettke uncovered a Nigerian bank-fraud ring after the scammers made a fatal mistake: they unwittingly infected their own computers with their own malware. As a result, the research team was able to use the scammers' software against them. Stewart and Bettke monitored the scammers' keystrokes and captured the files they sent to their victims. The malware uploaded the malicious files to a server, making them accessible to the researchers. By monitoring this activity, the security experts were able to follow and analyze the pattern of the scheme.
The criminals were using an advanced version of the business email compromise (BEC) scam, which they had dubbed “wire-wire”. In a typical BEC scam, the fraudsters send phishing emails to the accounting or financial department of a given company. The senders ask the employees to transfer a sum to an overseas account. The email states that the transaction is for an invoice payment pertaining to the company’s overseas affairs.
The Wire-Wire scheme goes further by climbing the targeted company’s hierarchy. The bogus emails contain links and attachments leading to malware and keyloggers. The scammers use the malicious programs for a couple of purposes. They monitor the activity of the infected computers, and the keylogging allows them to obtain the credentials for the employees’ accounts. The fraudsters then proceed to send emails from the company’s own accounts to higher-level staff. The content of these messages is the same as in the initial spam campaigns: they contain links to malware and ask for transactions to be made. Since the emails are sent from corporate accounts, the recipients do not doubt their legitimacy.
The research team concluded that the Wire-Wire scheme targeted small- and medium-sized businesses. The amounts for the requested transactions ranged from $5,000 to $250,000. The most common requests were for sums between $30,000 and $50,000.
Based on its research, SecureWorks estimated that the criminal group consisted of 30 or more members. In a bit of a surprise, the fraudsters appeared to have a good reputation in their social circles. The people involved were men in their late 20s to 40s. They had families and religious affiliations and were respected in their communities. The schemes are believed to raise about $3 million a year. The proceeds benefit all residents in their respective regions, as Stewart explained. “They’re increasing the economic potential of the region they’re living in by doing this, and I think they feel somewhat of a duty to do this.”
Because of the delays in overseas operations, victims often realize they have been scammed only some time afterwards. They may become aware only once the payment is overdue or the shipment runs late. This gives the fraudsters enough time to mislead the targeted company into making more payments. The good news is that it also gives Bettke and Stewart a vantage point. Since they receive information from the cyber criminals’ malware, they are able to identify the victims. The researchers took the initiative to warn the companies about the scams. They often had difficulty getting through to people, as they were mistaken for scammers themselves.