Nigerian 419 con artists have been around seemingly forever, relentlessly sucking funds out of the bank accounts of one duped individual victim at a time.
You’ve probably heard of them. These gambits revolve around tricking the victim into thinking he or she can help transfer a large sum into a U.S. bank, and make a tidy profit on the side.
But now some veteran Nigerian criminals have evolved–ripping off small- and medium-sized businesses on a grander scale. This is much more than a simple progression.
The ongoing criminal pursuits of one particular Nigerian ring of fraudsters is demonstrating just how susceptible SMBs are to hackers of relatively modest technical skill.
This new intelligence comes from Joe Stewart and James Bettke, researchers at Dell SecureWork’s Counter Threat Unit, who have spent the past several months closely monitoring the activities of a gang designated “wire-wire Group 1 or “WWG1.”
The name is a nod to how ring members refer to what they do as “wire-wire” or “waya-waya” fraud.
SecureWorks has turned over the identities of some 30 WWG1 members to law enforcement, which is investigating.
What they do
This ring specializes in infiltrating and then manipulating email Web servers inside the networks of SMBs. They specifically target those in verticals like manufacturing, chemical and others that routinely issue and fulfill high-dollar purchase orders.
The thievery exploits the fact that the victim companies rely on emailing wire transfer instructions to execute payments.
When a wire transfer payment request is sent, the gang intercepts it and replaces it with one sent from a lookalike domain. The replacement carries instructions to divert the payment to a bank account they control.
Since February, SecureWorks has observed WWG1 orchestrate several payment diversions per week, typically stealing $30,000 to $60,000 per caper, including one big score of $400,000 that a U.S. chemical company attempted to wire to a supplier in India.
“They’re patient,” Stewart told me. “They’ll work on several deals at a time. They have plenty of other companies they’ve compromised, so they’ll just go from mailbox to mailbox to see what new deals are coming in and start preparing for the high-end payments.”
How they do it
WWG1 uses a simple tool to crawl the Internet and scrape employee email addresses from corporate websites. Those employees are then bombarded with viral emails (the kind with a virus, not the kind that gets Internet-famous).
The goal is to infect one machine, and then use that as a foothold to ultimately secure privileged access to the company’s Web email server.
Once they gain control of the email server, they begin daily monitoring for purchase order communiques. They also prepare lookalike emails, as well as arrangements to wire funds into bank accounts set up to launder stolen payments.
None of this requires any special hacking expertise; the necessary software and tutorials are widely available online.
Distinctive traits
Stewart says certain members of WWG1 began years ago carrying out 419 scams.
The classic variant of this con is carried out by the supposed agent of a Nigerian prince, who cajoles the victim into seeding an account into which the royal is getting ready to move large sums–but never does.
They’ve now progressed to SMB wire transfer scams that make use of tried-and-true hacking techniques.
“All of this communication takes place over email,” Bettke says adds. “The attacker is essentially doing digital check washing, taking that invoice and just changing the destination bank account details to divert the funds.”
Wider implications
SecureWorks just turned their findings over to U.S. and Nigerian law enforcement in July. Cross-border criminal investigations take time.
Although the Nigerian Economic and Financial Crimes Commission has arraigned a number of suspects for similar thefts, no arrests of any WWG1 members have yet been made.
Across Africa and parts of Europe and Asia, wire fraud directed at Western corporations is viewed by many as viable economic activity. Some even consider it a form of justified payback for the sins of past colonial rulers.
The Nigerian ring members monitored by SecureWorks, for instance, all belong to the same Christian church. They’re led by a central figure referred to as Mr. x, who appears to take pride in training underlings.
Mr. X collects training fees and expense reimbursements from other ring members, who are not given to boasting about their ill-gotten wealth on social media. “They appear to be well-respected family men looked up to by others,” Stewart says.
With a low entry barrier, comparatively low risk of getting caught and high monetary gain, what the Nigerians refer to as “wire-wire” fraud is definitely scaling up. Doubtless, more copycat rings will get into the game.
Big takeaway
For SMBs it should be obvious: If you rely on email to carry out high-dollar wire transfers, the bad guys are very likely watching, if not already closing in for the kill.
Due diligence of the highest order is called for.
Start with a thorough assessment of how your organization uses Web email. Move quickly to institute two-factor authentication for your employees to log into any company system.
This step alone will significantly deter ‘wire-wire’ theft in its current form.
