CultureAmerican-based network security company FireEye has published a thorough report on the malfeasances of this particular group. Authors Eyre Hernandez, Daniel Regalado and Nart Villeneuve explain that the technical expertise of the members varies. Even so, the scammers do share techniques and tools with one another, including lists of compromised email accounts, malicious documents and binaries, and Vip72, which provides a VPN and SOCKS proxy that enables the scammers to conceal their IP addresses when logging into a victim's account.
CampaignsTo select their victims, the group of fraudsters peruses sites such as Alibaba in an effort to identify potential victims who reside in countries in which they already have existing bank accounts. An ideal target is one who lives in Asia and who is not a native speaker of the English language, with the latter condition meant to ensure that grammatical errors on the part of the scammers will not raise too many red flags with their victims. The scammers also tend to target users who have registered accounts with free email providers, such as Yahoo!, Google and Hotmail. This tactic is motivated by the attackers' assumption that people who use free email accounts are not tech savvy, the authors explain, and/or that they might be a small business. A malicious document attached to a business inquiry succeeds in compromising these targets in most situations. Once a victim has been chosen, the fraudsters must figure out a way to deliver to them remote access tools (RATs) and other exploits. To overcome its unequal distribution of skills, the group often relies on third parties to develop, sell, and even protect malicious software on their behalf.
"The scammers are… concerned about their malware being 'Fully UnDetectable' (FUD)…. Additional layers of protection, like encryption, are used to prevent exploits from being detected," explain the authors. "…Aside from encoding or encrypting their exploits, they [malicious service providers] also run them through underground antivirus scanners to verify detection rates and ensure that their tools will bypass AV detections on their victims' computers."
CompromiseArmed with the multitude of tools described above, the scammers at this point scan their victims for evidence of monetary transactions, such as new purchases or refunds. If they spot such a payment, they log on to the victim's account and at that point execute a man-in-the-middle attack (MitM). This is done via the use of homograph "spoofing" techniques in which the attackers purchase domains and create emails that are similar to the victim and their correspondent. In some cases, the emails may differ by only one letter.
"Since the thread was legitimately established before the scammer hijacked it and the scammer copies the names and signatures of the original emails, both parties seldom realize that they are dealing with the scammer," FireEye explains. "The only difference is the spoofed email address, which would be hard to spot if the victim is not paying close attention."Using these fake emails, they are able to inject their own content into the discussion and mislead both the buyer and seller of a financial transaction.
"Cha-Ching"All scammers want one thing: money. This group of Nigerian fraudsters is no different. Once they have inserted themselves into an otherwise legitimate payment transaction, they begin forwarding fake invoices and product inquiries to the buyers and sellers, respectively. They also send updated payment instructions to the buyer and will follow up to make sure the transaction has been processed.
"Occasionally, the victim is reluctant to change the banking information as instructed, so the scammer must adapt and pressure the victim into sending the money," the authors have observed. "The scammer can use the information gleaned from the captured conversations and transactions to aide in convincing their victim."In most cases observed by FireEye, money mules that have some relationship with the scammers receive the funds in their bank accounts. Depending on the size of the receipt, they may launder the money by purchasing luxury items or by mixing it with monies acquired legitimately.