Nigerian scammers switch to malware

Nigerian 419 scammers are moving on from targeting the terminally stupid and are coming up with malware schemes that are making them a bundle.

FireEye researchers Erye Hernandez, Daniel Regalado, and Nart Villeneuve claim scammers are now targeting users with exploit tools and keyloggers, and are breaking into legitimate business email transactions to con buyers and sellers.

In a report, “An Inside Look into the World of Nigerian Scammers”, FireEye said that it discovered an active operation of a group of cybercriminals involved in multiple executions of the payment diversion scam.

“The group is composed of loosely organised individuals who use basic, but effective, tools to defraud their victims of thousands of dollars.”

So far, 2,328 victims in 54 countries have been hit. Small to medium businesses in Asia are considered soft targets because they are non-native English speakers and can’t spot the terrible spelling.

The criminals will pay $3,600 for malware tools including encryptors, builders, remote access trojans, and various info-stealers, using the tools to con users out of cash ranging from thousands to possibly millions of dollars.

FireEye examined one Nigerian collective of at least four individuals who shared a single command and control server.

They used the popular Microsoft Word Intruder tool, and keyloggers HawkEye and KeyBase, buying the MWISTAT builder to track the effectiveness of their campaigns.

The scammers gain access to an email account and identify threads regarding business transactions. They then create spoof threads contacting buyers and sellers in a bid to obtain financial data.

Sites like Alibaba are used to identify victims residing in countries in which they have bank accounts.

Most of the hacks are through booby-trapped Word documents masquerading as the kind of tailored customer inquiry a business would routinely receive and open. It is a step up from the 419 scams at least.