Nigerian Wire-Wire Gang Caught By Own Malware

Last Updated on August 9th, 2016.

I actually saw this in the newspaper yesterday and decided to share the article to enlighten others to be careful when using a cyber cafe or clicking on spam mails and other malicious links sent to you via the mail.

“Nigerian prince” and “419” scams have plagued victims for decades and transitioned to the Internet in the 1990s. There are many variations and names for these scams, which originated in Nigeria.

The scammers refer to their trade using the terms “yahoo yahoo” or “G-work,” calling themselves “yahoo-yahoo boys,” “yahoo boiz,” or “G-boys.” However, the simple con man fraud practiced by many West African-based threat actors is being replaced by a new crime they refer to as “wire-wire,” “waya-waya,” or “the new G-work.” These terms have not entered the mainstream lexicon as of this publication and are not well-defined, but SecureWorks® Counter Threat Unit™ (CTU) research indicates that they refer to the evolution of low-level con games into more sophisticated and conventional cybercrime that is compromising businesses around the world. The businesses range in size and span industries from machinery manufacturers to countertop material manufacturers to chemical companies. The cybercriminals use spearphishing and malware to gain direct access to organizations’ computers to facilitate the theft of large sums of money without the victim’s knowledge.

A Facebook search for “wire-wire” reveals numerous multiple groups and users operating in the open. They advertise their services or offer training courses about wire-wire to would-be criminals. Multiple social media platforms have a wealth of information about individual threat actors, but meticulous research is necessary to understand how these thefts are being accomplished.

Two Security researchers from Secureworks, Joe Stewart and James Bettke, recently discovered a Nigerian scam ring. They were eventually caught in their own web after several years of operation. The ringleader unknowingly infected his computer with the same malware that they want unsuspecting victims to download.

This vulnerability made it possible for the researchers to monitor the ringleader for several months. Information concerning his contacts, tools, messages, his victims and the amount of money transferred were revealed, according to Bettke’s account.

A more refined version of the Business Email Compromise (BEC) scam was employed by the criminals. It is also known as wire-wire which involves picking random email addresses from public sources and attacking them with malware so that they are easily accessible. After the attack, if a victim orders for anything through email, the group hijacks it and altered details are sent to the victim. The group consists of over 30 members with earnings around $3 million annually.

While investigating BEC, CTU researchers discovered a threat actor infecting his own system with malware and uploading screenshots and keystroke logs to an open directory on a web server. This misstep by the threat actors has become common and provides intelligence for some investigations into BEC activity. This cybercriminal was the key figure in a wire-wire group with more than 30 members. The information from his computer led to a valuable cache of information about the operations and identities of what CTU researchers refer to as “Wire-Wire Group 1” (WWG1) or Threat Group-2798 (TG-2798).

WWG1 operations

From an operational standpoint, WWG1’s fraud activity is similar to other West African threat actors. It uses well-known commodity remote access trojans (RATs) and public webmail services to accomplish its goals. Members do not have a sophisticated understanding of malware, but the key figure in this group, named “Mr. X,” provides the technical support and infrastructure that allows the group to function successfully.

WWG1 is loosely structured and does not have the conventional top-down hierarchy that is typical of organized crime groups. Instead, members pay Mr. X for his services and training by reimbursing him for expenses and providing a percentage of their ill-gotten gains. Most WWG1 group members reside in the same geographical area of Nigeria and know each other personally or are at least Facebook friends.

WWG1 social context

There are several differences between the conventional profile of a typical West African threat actor and the characteristics of WWG1 members. For example, the following attributes are often associated with “yahoo-yahoo boys”:

  • College-age to late twenties
  • Huddle in cybercafes all day scamming victims
  • Spend extravagantly and show cash and fancy cars on social media
  • Resort to “juju” (voodoo) charms to improve their success (i.e., Yahoo Plus)

WWG1 members have a nearly opposite profile:

  • Late twenties to forties
  • Operate from home using their personal Internet connection
  • Appear wealthy on social media but never display cash or fancy cars
  • Are typically devoutly religious and active in mainstream churches

Social media intelligence indicates that WWG1 members are often family men that are well-respected and admired. They feel obligated to uplift other members of their community, but that usually means introducing others to the wire-wire scheme given the lack of opportunities for legitimate employment.

With the ring busted and its operators arrested, the FBI has issued a warning about the growing scam.

It echoes what Stewart and Bettke statement that technology is the best defence against such attacks.

That means making sure that everybody handling payments checks account details, rather than merely reading it from the document in an email. And if you’re phoning to check an invoice, get the phone number from a source outside the e-mails or invoices.

Related Posts Plugin for WordPress, Blogger...

There are no comments yet