Nigerian hackers steal $3bn worldwide – Reports
Nigerian hackers and cyber criminals are being accused of masterminding a grand theft of information and money running into billions of dollars, worldwide.
According to experts, the Nigerians are able to carry out the heist by sending phishing emails to commercial organizations and industrial enterprises, whose funds they then drain.
The FBI estimates that these phishing attacks have cost companies over $3 billion. The number of affected companies exceeds 22,143.
Kaspersky Labs, an internet security company, said it has found over 500 companies that are under attack in at least 50 countries.
Those under attack are mostly industrial enterprises and large transportation and logistics corporations, based in Germany, UAE, Russia and India.
In a blog post, Kaspersky said the cyber-criminals managed to steal technical drawings, floor plans and diagrams showing the structure of electrical and information networks.
Researchers said that all indications are that these were business email compromise (BEC) attacks, which have come to be associated with Nigerian cyber-criminals.
Emails received by victims looked authentic enough to fool people. Some had attachments with names such as “Energy & Industrial Solutions W.L.L_pdf”, “Woodeck Specifications best Prices Quote.uue” and “Saudi Aramco Quotation Request for October 2016”.
These are well-crafted emails that look legitimate and are designed to make the victim open the malicious attachment.
The emails ask the recipients to check information as soon as possible, clarify product pricing or receive goods specified in the delivery note attached. The malicious attachments contain RTF files with an exploit for the CVE-2015-1641 vulnerability.
They may also contain archives of different formats containing malicious executable files, or macros and OLE objects designed to download malicious executable files.
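As an added defender-side example (not code from Kaspersky or the article), the following Python check triages attachment names of the kind quoted above: a name ending in “_pdf” instead of a real “.pdf” extension, an archive or RTF extension, a double extension such as “.pdf.exe”, or no extension at all. The risky-extension list and the two extra sample names are assumptions constructed for the example.

```python
import re

# Extensions that commonly carry the payload types the report describes:
# RTF exploit documents, uuencoded and other archives, executables and
# macro-enabled Office files (assumed list, not taken from the report).
RISKY_EXT = {".rtf", ".uue", ".uu", ".zip", ".rar", ".7z", ".ace", ".iso",
             ".exe", ".scr", ".pif", ".js", ".vbs", ".jar", ".docm", ".xlsm"}

# Benign-looking document extensions that get hidden inside double
# extensions such as "quote.pdf.exe".
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# "..._pdf" or "...-pdf" used as a name ending instead of a real ".pdf".
PDF_LOOKALIKE = re.compile(r"[ _\-]pdf$", re.IGNORECASE)


def split_name(name: str):
    """Return (stem, [extensions]) with extensions lower-cased and dotted."""
    parts = name.strip().split(".")
    return parts[0], ["." + p.lower() for p in parts[1:]]


def assess_attachment(name: str) -> list[str]:
    """Return the triage reasons an attachment name trips (empty = none fired).

    An empty list does not mean the file is safe; content inspection of the
    attachment itself still has to happen.
    """
    reasons = []
    _, exts = split_name(name)
    last = exts[-1] if exts else ""
    if not exts:
        reasons.append("no_extension")
    if last in RISKY_EXT:
        reasons.append(f"risky_extension:{last}")
    if any(e in DOC_EXT for e in exts[:-1]) and last not in DOC_EXT:
        reasons.append("double_extension")
    if last not in DOC_EXT and PDF_LOOKALIKE.search(name):
        reasons.append("pdf_lookalike")
    return reasons


# Constructed sample: the three names quoted in the report plus two made-up
# names (one double-extension lure, one clean document).
SAMPLE_NAMES = [
    "Energy & Industrial Solutions W.L.L_pdf",
    "Woodeck Specifications best Prices Quote.uue",
    "Saudi Aramco Quotation Request for October 2016",
    "Delivery Note 4471.pdf.exe",
    "Quotation.pdf",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r}: {assess_attachment(n) or 'no name-based flags'}")
```

A mail gateway would combine these name heuristics with the declared MIME type and the actual file magic, since the report notes the same payloads were regularly repacked to evade signature-based tools.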
Kaspersky discovered that the malicious files are intended to steal confidential data and install stealthy remote administration tools on infected systems.
Using Whois services, Kaspersky found that the domains used to host the malware were registered to residents of Nigeria. Once in, the hackers compromise a legitimate email account and change the banking account details.
The malware used in these attacks belonged to families that are popular among cyber-criminals, such as ZeuS, Pony/FareIT, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer and iSpy keylogger.
“The phishers selected a toolset that included the functionality they needed, choosing from malware available on cyber-criminal forums. At the same time, the malware was packed using VB and .NET packers – a distinct feature of this campaign. To evade detection by security tools, the malicious files were regularly repacked using new modifications of the same packers,” said the researchers.
At least eight different Trojan-Spy and Backdoor families were used in the attacks.
Further research found that the domain names of some of the malware command-and-control servers used by the attackers mimicked domain names used by industrial companies – “more proof that the attacks were primarily targeting industrial companies,” said researchers.
They added that most domains used for malware C&C servers were registered to residents of Nigeria.
Researchers warned that it would be very dangerous if, because of an infection, cyber-criminals were able to gain access to computers that are part of an industrial control system (ICS). “In such cases, they can gain remote access to the ICS and unauthorised control over industrial processes,” said researchers.
Owen Connolly, vice president services (EMEA) at IOActive, told SC Media UK that this attack is not actually targeting industrial control systems or operational technology. “It’s just targeting users that work for large companies. The fact that those companies may also have OT systems could just be coincidence, not correlation,” he said.
Mark James, security specialist at ESET, told SC Media UK that scammers are opportunistic. They understand they need to adapt and will change their tactics to get the best result.
“With the 419 scams being so synonymous with the public, the scope for business users being victims is massive. We also need to consider the scope for larger, single successful attacks reaping the benefits much quicker than the smaller, and often much harder, sells through the public,” he said.
Javvad Malik, security advocate at AlienVault, told SC that organisations dealing with industrial control systems may not be as savvy to scams as financial services, so it could be that the success rate of targeted emails is higher.
“Allowing criminals to make quick money. On the other hand, it could allow criminals to implant malware on industrial control systems, or at least on systems that support the ICS. This can then be allowed for further nefarious purposes such as deploying ransomware – or selling on the access to other criminals or even nation states,” he said.
– Vanguard.