A cybercriminal gang based in Nigeria has been setting up phishing and 419 scam campaigns as well as delivering information-stealing malware to targets around the world, say Trend Micro researchers, who have managed to tie three individuals to it.
“They are part of a larger group […], which only represents a small portion of the whole underground community in Africa involved in this type of business. Several smaller 419 groups also engaged in this lucrative business,” they shared in a whitepaper. “These individuals appear to be unconcerned with regard to covering their tracks because they think it would be hard for authorities to arrest them.”
The gang, dubbed “Ice 419” by the researchers, has been using the Ice IX banking Trojan to gather victims’ email addresses, bank account and credit card numbers, webmail and social media account credentials, and personally identifiable information (PII). The Trojan is capable of injecting pop-up messages that ask for the users’ credentials when the malware detects the user visiting his or her online banking site.
The researchers have managed to locate some of the group’s C&C servers. Some were hosted on domains the group owned, others on hijacked ones. It’s interesting to note that the criminals would connect to them via infected machines in Nigeria, possibly because they believed that would cover their tracks. That was obviously not enough, as the researchers had other tricks up their sleeve and tracked them to the real IP addresses used by their devices.
Part of the group is involved in phishing, and targets mostly customers of American discount retail brokerage firm Scottrade.com, Korean search engine site Daum.net, and dating site Match.com.
The 419 scams they are involved in consist of predictable offers, and are executed with the intention of making people reply with information such as their bank account details and copies of their IDs – which some of them unfortunately do.
The fraudulent emails are sent out via spamming tool “PHP mailer”, and the researchers managed to take a peek at some of the mailing lists the criminals used in this endeavor. They contained around half a million email addresses from US and Canadian users.