Nigerian scammers have a new target: small businesses

Hackers lurk on business email systems, wait to pounce on high-dollar wire transfers


Nigerian 419 scams have been around seemingly forever, seducing one victim at a time.

But now some veteran 419 con men have shifted their focus to targeting small- and medium-size businesses for systematic thievery that pivots off how SMBs have come to rely on email as a payment tool.

Classic 419 advance-fee scams trick one individual at a time into putting up seed capital to help a persecuted Nigerian prince, or some other wealthy person caught in a bind, transfer a large sum into the United States. The carrot—a promised share of the transferred funds—never materializes, of course.

But this new form of attack eliminates the need to orchestrate an elaborate ruse just to dupe an individual victim. Instead, the predators lurk in the shadows of the internet, weasel their way onto business email systems, and then wait patiently for opportune moments to intercept funds on the move between two companies.


The emergence of these attacks demonstrates just how susceptible SMBs participating in the global supply chain are to hackers of modest technical skill.

Joe Stewart, Dell SecureWorks researcher

Intelligence about this new technique comes from Joe Stewart and James Bettke, researchers at Dell SecureWorks' Counter Threat Unit, who conducted intensive surveillance on one Nigerian ring in particular that has scored big.

Waiting for money to flow

SecureWorks researchers have observed this gang orchestrate several payment diversions per week, typically stealing $30,000 to $60,000 per caper, including one theft earlier this year of $400,000 that a U.S. chemical company attempted to wire to a supplier in India.

“They’ll work on several deals at a time,” Stewart says. “They have plenty of other companies they’ve compromised, so they’ll just go from mailbox to mailbox to see what new deals are coming in and start preparing for the high-end payments.”

Stewart says certain members of this ring began years ago carrying out classic Nigerian 419 scams. They’ve progressed to SMB wire fraud by teaching themselves how to apply tried-and-true hacking techniques to payment practices routinely used as part of the global B2B supply chain.

James Bettke, SecureWorks researcher

How the scam works

The gang uses a simple tool to crawl the internet and scrape employee email addresses from corporate websites, Bettke says. Those employees are then bombarded with malware-laden email. The goal is to infect one machine, and then use that as a foothold to ultimately secure privileged access to the company's web email server.

Once control of the email server is in hand, daily monitoring for purchase order communiques begins. Preparation of lookalike email, as well as arrangements to wire funds into bank accounts set up to launder stolen payments, also gets underway.

None of this requires any special hacking expertise; the necessary software and tutorials are widely available online, Bettke says.

At the optimum moment, i.e., when a wire transfer payment request is sent through, the gang intercepts that legit request and replaces it with one sent from a lookalike domain carrying instructions to divert the payment to a bank account they control.

“All of this communication takes place over email,” Bettke adds. “The attacker is essentially doing digital check washing, taking that invoice and just changing the destination bank account details to divert the funds.”
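The two signals described above, a sender domain that merely resembles a known partner and an invoice whose bank account differs from the supplier's record, can be checked automatically before a wire is released. The following is an added defender-side example, not code from the article or from SecureWorks; the supplier record, domains and IBANs are constructed sample data, and the homoglyph list and similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed supplier records: partner domain -> account verified out of band.
SUPPLIERS = {
    "acme-chem.example": {"iban": "DE89370400440532013000"},
}

# Digit-for-letter swaps typical of lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Lower-case, drop the TLD, fold common substitutions ("rn" for "m") and hyphens."""
    label = domain.lower().rsplit(".", 1)[0]
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")

def lookalike_of(sender_domain: str) -> Optional[str]:
    """Return the partner domain that sender_domain imitates, or None."""
    if sender_domain.lower() in SUPPLIERS:
        return None  # exact match: the real partner, not a lookalike
    candidate = normalize(sender_domain)
    for known in SUPPLIERS:
        if SequenceMatcher(None, candidate, normalize(known)).ratio() >= 0.8:
            return known
    return None

# IBAN-shaped account numbers, tolerating the usual spacing into groups.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")

def assess_payment_email(sender: str, body: str) -> list:
    """List the reasons a payment-instruction email needs a phone callback."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles partner {imitated}")
    record = SUPPLIERS.get(imitated or domain)
    for match in IBAN_RE.findall(body):
        iban = re.sub(r"\s", "", match)
        if record is None:
            reasons.append(f"bank details {iban} from a domain with no supplier record")
        elif iban != record["iban"]:
            reasons.append(f"bank account {iban} differs from record {record['iban']}")
    return reasons
```

An empty list means the sender is the real partner and the account matches; anything else should block the transfer until someone calls the supplier on a number already on file.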

Bracing for more attacks

SecureWorks turned its findings over to international law enforcement, specifically the Economic and Financial Crimes Commission, as well as Nigerian authorities. No arrests have resulted yet. Stewart expects variants of this type of attack to scale up in the months ahead, thanks to the low entry barrier, comparatively low risk of getting caught and high monetary gain.

This means any organization that has come to rely on email communiques to carry out high-dollar wire transfers should be on high alert. A thorough assessment of how your organization uses web email is the first step, and deeper due diligence is definitely in order.
