Nigerian scammers have a new target: small businesses

Hackers lurk on business email systems, wait to pounce on high-dollar wire transfers


Nigerian 419 scams have been around seemingly forever, seducing one victim at a time.

But now some veteran 419 con men have shifted their focus to targeting small- and medium-size businesses for systematic thievery that pivots off how SMBs have come to rely on email as a payment tool.

Classic 419 advance-fee scams trick one individual at a time into putting up seed capital to help a persecuted Nigerian prince, or some other wealthy person caught in a bind, transfer a large sum into the United States. The carrot—a promised share of the transferred funds—never materializes, of course.

But this new form of attack eliminates the need to orchestrate an elaborate ruse just to dupe an individual victim. Instead, the predators lurk in the shadows of the internet, weasel their way onto business email systems, and then wait patiently for opportune moments to intercept funds on the move between two companies.


The emergence of these attacks demonstrates just how susceptible SMBs participating in the global supply chain are to hackers of modest technical skill.

Joe Stewart, Dell SecureWorks researcher

Intelligence about this new technique comes from Joe Stewart and James Bettke, researchers at Dell SecureWorks' Counter Threat Unit, who conducted intensive surveillance on one Nigerian ring, in particular, that has scored big.

Waiting for money to flow

SecureWorks researchers have observed this gang orchestrate several payment diversions per week, typically stealing $30,000 to $60,000 per caper, including one theft earlier this year of $400,000 that a U.S. chemical company attempted to wire to a supplier in India.

“They’ll work on several deals at a time,” Stewart says. “They have plenty of other companies they’ve compromised, so they’ll just go from mailbox to mailbox to see what new deals are coming in and start preparing for the high-end payments.”

Stewart says certain members of this ring began years ago carrying out classic Nigerian 419 scams. They’ve progressed to SMB wire fraud by teaching themselves how to apply tried-and-true hacking techniques to payment practices routinely used as part of the global B2B supply chain.

James Bettke, SecureWorks researcher

How the scam works

The gang uses a simple tool to crawl the internet and scrape employee email addresses from corporate websites, Bettke says. Those employees are then bombarded with viral email. The goal is to infect one machine, and then use that as a foothold to ultimately secure privileged access to the company’s web email server.

Once control of the email server is in hand, daily monitoring for purchase order communiques begins. Preparation of lookalike email, as well as arrangements to wire funds into bank accounts set up to launder stolen payments, also gets underway.

None of this requires any special hacking expertise; the necessary software and tutorials are widely available online, Bettke says.

At the optimum moment, i.e., when a wire transfer payment request is sent through, the gang intercepts that legit request and replaces it with one sent from a lookalike domain carrying instructions to divert the payment to a bank account they control.

“All of this communication takes place over email,” Bettke adds. “The attacker is essentially doing digital check washing, taking that invoice and just changing the destination bank account details to divert the funds.”
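
A defender-side check for the substitution described above, as an added example that is not from the article or from SecureWorks: it flags inbound mail whose sender domain is within a couple of edits of a known trading partner's domain and that also talks about payment. The partner domains, the term list, the distance threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of trading partners already on file (hypothetical names).
KNOWN_PARTNERS = {"indus-supply.example", "acme-chemicals.example"}
PAYMENT_TERMS = re.compile(r"\b(wire|bank account|invoice|swift|iban)\b", re.I)
MAX_DISTANCE = 2  # edits away from a known domain that still count as a lookalike

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_message(raw):
    """Return (verdict, findings); 'hold' means do not pay until verified."""
    msg = message_from_string(raw)
    domains = set()
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1].lower()
        if "@" in addr:
            domains.add(addr.rpartition("@")[2])
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = msg.get("Subject", "") + "\n" + "\n".join(
        str(p.get_payload()) for p in parts if p.get_content_type() == "text/plain")
    findings = []
    for domain in sorted(domains - KNOWN_PARTNERS):
        partner = min(KNOWN_PARTNERS, key=lambda p: edit_distance(domain, p))
        dist = edit_distance(domain, partner)
        if dist <= MAX_DISTANCE:  # close to, but not equal to, a known partner
            findings.append((domain, partner, dist))
    if findings and PAYMENT_TERMS.search(text):
        return "hold", findings
    return ("warn" if findings else "pass"), findings

# Constructed sample messages, not real traffic.
LEGIT = ("From: Accounts <ar@indus-supply.example>\n"
         "Subject: Invoice 1042\n\nPayment terms as agreed.\n")
SPOOFED = ("From: Accounts <ar@indus-suply.example>\n"
           "Subject: Updated bank account for invoice 1042\n\n"
           "Please wire the payment to the new account below.\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, review_message(raw))
```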

Bracing for more attacks

SecureWorks turned their findings over to International Law Enforcement, specifically the Economic and Financial Crimes Commission, as well as Nigerian authorities. No arrests have resulted yet. Stewart expects variants of this type of attack to scale up in the months ahead, thanks to the low entry barrier, comparatively low risk of getting caught and high monetary gain.

This means any organization that has come to rely on email communiques to carry out high-dollar wire transfers should be on high alert. A thorough assessment of how your organization uses web email is the first step, and deeper due diligence is definitely in order.
