
Tech Times | Five things you should know about Nigerian scam emails: Wired B2B payments are all too common - and easy money for con artists expert at diverting cash transfers.

Published: Monday | September 26, 2016 | 12:37 AM


The classic gambits revolve around tricking the victim into thinking he or she can help transfer a large sum into a U.S. bank, and make a tidy profit on the side.
But some veteran Nigerian criminals have now evolved, ripping off small and medium-sized businesses on a grander scale. This is much more than a simple progression: instead of talking a mark into handing over money, they break into the victim's mail system and redirect payments the victim was already going to make.

This new intelligence comes from Joe Stewart and James Bettke, researchers at Dell SecureWorks' Counter Threat Unit, who have spent the past several months closely monitoring the activities of a gang designated "Wire-Wire Group 1," or "WWG1."

What they do

This ring specialises in infiltrating and then manipulating the webmail servers inside the networks of small and medium-sized businesses (SMBs). They specifically target manufacturing, chemicals and other verticals that routinely issue and fulfil high-dollar purchase orders.

The thievery exploits the fact that the victim companies rely on emailing wire transfer instructions to execute payments.

When a legitimate wire transfer payment request is sent, the gang, already reading the compromised mailbox, intercepts it and replaces it with a near-identical message sent from a lookalike domain. The replacement carries instructions to divert the payment to a bank account they control.
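The lookalike-domain swap described above is something a mail gateway or an accounts-payable inbox can be screened for before anyone acts on new bank details. The following is an added example, not code from the article or from SecureWorks: it assumes a small allow-list of legitimate supplier domains (the hypothetical names below), folds common character substitutions (rn for m, 1 for l, 0 for o) and applies a small edit-distance threshold, then escalates any lookalike-sourced message that also carries wire or bank-account wording. The sample messages are constructed.

```python
"""Triage inbound payment e-mails for lookalike sender domains.

Added example, not code from the article or from SecureWorks. Assumes a
hypothetical allow-list of supplier domains and constructed sample mail.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: domains your accounts-payable team actually pays.
KNOWN_SUPPLIER_DOMAINS = {"acme-chemicals.example", "indiasupply.example"}

# Substitutions commonly used to build lookalike domains (applied in order).
HOMOGLYPH_RULES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"))

# Words suggesting the message carries or changes payment instructions.
PAYMENT_MARKERS = ("wire", "bank account", "iban", "swift", "routing number")


def fold_homoglyphs(domain):
    """Lower-case a domain and collapse common lookalike substitutions."""
    folded = domain.lower()
    for src, dst in HOMOGLYPH_RULES:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a, b):
    """Levenshtein distance via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_domain(domain, known=KNOWN_SUPPLIER_DOMAINS, max_distance=2):
    """Return 'known' (exact allow-list hit), 'lookalike' or 'unknown'."""
    domain = domain.lower()
    if domain in known:
        return "known"
    folded = fold_homoglyphs(domain)
    for legit in known:
        if (folded == fold_homoglyphs(legit)
                or edit_distance(domain, legit) <= max_distance):
            return "lookalike"
    return "unknown"


def sender_domain(raw_message):
    """Extract the domain part of the From: address ('' if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def message_text(raw_message):
    """Return the plain-text body, joining text/plain parts if multipart."""
    msg = message_from_string(raw_message)
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")


def mentions_payment_details(raw_message):
    """True if the body contains wire/bank-account wording."""
    body = message_text(raw_message).lower()
    return any(marker in body for marker in PAYMENT_MARKERS)


def triage(raw_message):
    """Return (verdict, sender_domain) for one raw RFC 822 message."""
    domain = sender_domain(raw_message)
    verdict = classify_domain(domain)
    if verdict == "lookalike":
        escalate = mentions_payment_details(raw_message)
        return ("ALERT" if escalate else "SUSPICIOUS", domain)
    return ("OK" if verdict == "known" else "UNKNOWN", domain)


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "From: accounts@acme-chemicals.example\nSubject: PO 4471\n\n"
    "Invoice attached, payment terms unchanged.\n",
    "From: accounts@acme-chernicals.example\nSubject: RE: PO 4471\n\n"
    "Please note our new bank account for this wire; IBAN follows.\n",
    "From: sales@indiasupp1y.example\nSubject: Q4 quote\n\nPricing attached.\n",
    "From: news@unrelated.example\nSubject: Newsletter\n\nThis month's update.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage(raw))
```

Run as a script, the second constructed message (sender `acme-chernicals.example`, body announcing a new account for the wire) is the only one that reaches ALERT; the `indiasupp1y` quote is merely SUSPICIOUS because it changes no payment details. The allow-list is the important part: a near-miss against a domain you actually pay is far more telling than a generic "this domain looks odd" heuristic.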

Since February, SecureWorks has observed WWG1 orchestrate several payment diversions per week, typically stealing $30,000 to $60,000 per caper, including one big score of $400,000 that a U.S. chemical company attempted to wire to a supplier in India.

"They're patient," Stewart told me. "They'll work on several deals at a time. They have plenty of other companies they've compromised, so they'll just go from mailbox to mailbox to see what new deals are coming in and start preparing for the high-end payments."

How they do it

WWG1 uses a simple tool to crawl the Internet and scrape employee email addresses from corporate websites. Those employees are then bombarded with viral emails (the kind that carry a virus, not the kind that gets Internet-famous).

The goal is to infect one machine, and then use that as a foothold to ultimately secure privileged access to the company's webmail server.

Once they gain control of the email server, they begin daily monitoring for purchase order correspondence. They also prepare lookalike emails and set up bank accounts to receive and launder the diverted payments.

None of this requires any special hacking expertise; the necessary software and tutorials are widely available online.

Distinctive traits

Stewart says certain members of WWG1 began years ago carrying out 419 scams.

The classic variant of this con is carried out by the supposed agent of a Nigerian prince, who cajoles the victim into seeding an account into which the royal is getting ready to move large sums--but never does.

They've now progressed to SMB wire transfer scams that make use of tried-and-true hacking techniques.

"All of this communication takes place over email," Bettke adds. "The attacker is essentially doing digital check washing, taking that invoice and just changing the destination bank account details to divert the funds."