Ah, the boys from Lagos. From princes and other royalty needing help transferring money to CEOs with too-good-to-be-true business opportunities, Nigeria has been a hotbed for online scams for more than a decade.
Researchers at Dell SecureWorks decided to target a Nigerian kingpin that sat atop a complex business email compromise (BEC) operation in an effort to give these folks a taste of their own medicine—with wildly successful results.
It’s important to note that while most overseas scams are easy to spot—broken English, easy riches, asking for wire transfer information—this is starting to change.
“Whether the goal is to convince a victim to divulge their email password or send a wire transfer to a CEO impersonator, the criminals have fine-tuned their pitches and are becoming difficult for the average victim to detect,” Dell SecureWorks researchers noted. “Even worse, the fraudsters are teaching each other these improved methods, creating a problem that is growing exponentially over time.”
To help the side of the good arm itself a little better, Dell researchers Joe Stewart and James Bettke have made an effort to infiltrate and study groups involved in wire fraud, down to learning local dialects used by the criminals, such as Pidgin.
“We’ve gotten a good handle on local dialects and learned how to speak as they speak to one another,” Stewart said, speaking at RSA last week. “This gave us the opportunity to go deeper with these operations.”
And in one case, they were able to scam the scammer. It was a campaign targeting the CEO of an American private equity firm specializing in investments in technology services. They used spear-phishing emails to establish a rapport with the executive, going on to try to convince him to make a large transfer of money to a third party. The “ask” came complete with wire instructions that included necessary account numbers and SWIFT transaction codes.
Stewart and Bettke decided to see what they could entice from the crooks, to learn about their numerous third-party money mule accounts and potentially identify the criminals behind the scam. They started by impersonating the CEO, and then later, a fellow scammer.
First they stalled, telling the bad guys that the banks involved in the transactions were returning payments. They asked for new account information to gain further details on the mule accounts used to launder money. Then, they claimed to need a second form of authentication from the scammer to collect the wire transfer receipt—and presented an elaborate, customized front-end for harvesting this information. Which the kingpin fell for hook, line and sinker.
Unable to download the non-existent payment slip, the bad actors entered more and more information into the phony interface—allowing the researchers to gain a real mobile number, which led them to a personal Facebook account. They dubbed their mark “Seun.”
From there, the researchers posed as yet another Nigerian fraudster, telling the original scam artist that he also was targeting the same executive, and had in fact compromised the CEO’s email with a RAT. From there they strung the scammer along, amassing more information and eventually leading to seven email addresses and numerous mule accounts being taken offline and frozen.
It’s unlikely that the coup will deter future Nigerian scammers from doing what they do, on a regular and endemic basis. But it’s nice to know the tables can be turned.