One Nigerian man, working alone and using old malware, launched an email-based campaign that successfully stole thousands of dollars from manufacturing, banking and construction companies around the world.
A new report from Check Point Software Technologies spotlights a low-sophistication campaign of business email compromise (BEC) attacks against 4,000 global companies in the last four months. Security researchers say they traced the attacks back to a single individual in his mid-20s aiming to infect networks, steal data and commit fraud.
The thousands of attempts have resulted in 14 companies being infected. Nigerian and international law enforcement were informed a month ago, Check Point threat intelligence manager Maya Horowitz told CyberScoop, but it’s not clear if any action has been taken.
The attacker uses the phrase “get rich or die trying” on social media accounts, the researchers said, lending that name to the case study.
The attacker uses fake addresses appearing to come from Saudi Aramco, the second-largest daily oil producer in the world, to send malware-laced phishing emails to financial staff at a wide range of global firms and industries. Check Point offered an overview of successfully infected companies, including a marine and energy solutions company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction company in Dubai, an oil and gas firm in Kuwait as well as a construction organization in Germany.
“Unfortunately it is pretty common,” Horowitz said. “As long as potential targets, which is everyone, don’t practice the necessary cautions and security measures, it will keep on being way too easy to throw a successful malware campaign.”
The unnamed attacker uses NetWire malware, a remote access Trojan (RAT) first launched in 2012 and available publicly around the web. Like any RAT, it allows control over an infected machine and steals important data like passwords that can then be used for profit. NetWire is a subscription-based RAT that attracts criminals because it doesn’t watermark data files which could be used to trace malware back to the attacker. He also uses Hawkeye for keylogging, a notoriously simple piece of malware sold on black markets and available for free on the open internet.
“The malware he uses is old, generic and readily available online,” the researchers wrote. “And he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns. The fact that the campaign was still effective, despite using only basic cyber-criminal techniques, highlights just how much of a problem these business email compromise attacks have become.”
This Nigerian scam rests, in virtually every way, on the small end of the scale when measuring cyberattacks and BEC campaigns. Earlier this year, a Lithuanian man named Evaldas Rimasauskas was arrested for a $100 million BEC scam that dented Google and Facebook when employees at both Silicon Valley giants sent money to foreign bank accounts after the attacker allegedly impersonated the Taiwanese electronics manufacturer Quanta Computer.
Nevertheless, the success of the thousand-dollar scam highlights how potent the threat has become. In a 2016 report, the FBI said BEC attacks cost over $1 billion per year on average, a number that’s rising, and cost victims between $25,000 and $75,000 per attack.