'Nigerian scammer' busted after he infected himself with malware

Researchers able to watch wire-fraudsters operate in real time

The ancient-in-internet-years “Nigerian email” scam remains popular and profitable for its operators ... when they don't shoot themselves in the foot.

Some scam operators infected themselves with their own malware, and SecureWorks has been discussing the outcome of that: the massive own goal meant researchers like Joe Stewart could watch the scammers at work, all the way down to capturing screen grabs of their operation.

Stewart's colleague, SecureWorks researcher James Bettke, said while looking for command-and-control servers, the team spotted a keylogger logging into an unsecured Web-exposed server.

Stewart told The Register that once the researchers had access to the scammer's machine, they were also getting the outputs of the key loggers and copies of spreadsheets.

They were able to monitor the ringleader of this particular operation for “several months”.

Bettke explained that “we saw who he contacted, his instant messages, the tools he was using, his victims, the amounts of money transferred – how the whole thing worked.”

That included the real identities of more than 30 people in the ring, Bettke said.

The operators refer to the scam as “wire-wire” (there are, the researchers said, plenty of Facebook groups devoted to such operations), and it worked like this:

  • Obtain target email addresses from public sources;
  • Infect the target, so as to get access to their inboxes. This lets the scam operator identify contacts like suppliers that the target has a financial relationship with;
  • The scammer then creates an email address similar to a supplier's – for example, it might be payments@securworks.com instead of payments@secureworks.com.

Bettke noted that it only needs one end of the conversation for the scam to work: the victim tries to place an order via email; the scammer sees the message and passes it on to the intended recipient.

With the order placed, the supplier issues an invoice, which the scammer intercepts. The scammer creates their own invoice, substituting their own account details, and passes that to the victim from their spoofed email account.

With the ring busted and its operators arrested, the FBI has issued a warning about the growing scam.

It echoes what Stewart and Bettke told The Register: process rather than technology is the best defence against such attacks.

That means making sure that everybody handling payments checks account details, rather than merely reading it from the document in an email. And if you're phoning to check an invoice, get the phone number from a source outside the e-mails or invoices. ®


Biting the hand that feeds IT © 1998–2017