Nigerian scammers: Then and now

The image that the expression “Nigerian scammer” conjures up in most people’s heads is still that of the confidence man behind the keyboard, convincing victims that they have the opportunity to get a hefty sum of money if they only send some first, or pretending to be a man or woman in love with the victim and needing money to get out of some difficulty or another.

But most modern Nigerian scammers have abandoned these approaches. They are now more interested in perpetrating business email compromise (BEC) scams, and are putting their faith in commodity malware to help them rake in money.

Nigerian scammers flaunting their ill-gotten wealth on social media

New approaches

A recently released report by Palo Alto Networks reveals that Nigerian cyber actors have become a formidable threat to businesses around the world.

“They have learned how to successfully apply simple malware tools with precision in order to create substantial losses ranging from tens of thousands up to millions of dollars for victim organizations, and they have broadened their scope well beyond targeting unsuspecting individuals,” the researchers noted.

The scammers have lately been mostly using the Predator Pain, ISR Stealer, Keybase, ISpySoftware and Pony malware families to gain remote access to victims’ systems or to steal login credentials. But their main trick for bypassing AV defenses is to try out the latest crypters (packing software) available to obfuscate malicious code, and to change the crypter they are using every few weeks.

To prevent the malware from being quickly detected, they are also avoiding massive email spam campaigns. They prefer a more targeted approach, and especially like targeting organizations in high technology, higher education and manufacturing.

They are known for creating sites for fake organizations such as financial institutions and charities to help them defraud victims, and for impersonating legitimate organizations (either by compromising company email accounts or spoofing them) in order to defraud them or their partners.

“Overall in 2015, there were 30,855 victims of 419/Overpayment scams, resulting in losses in excess of $49 million. While those numbers are significant, the gains achieved through current malware and BEC schemes appear to be far greater,” the researchers noted.

Modern Nigerian scammers

The number of people engaged in these scams has, as expected, risen. They often boast about the results of their work on Facebook, while using Google+ to network with their criminal peers, potential collaborators, malicious tool sellers, etc.

Technically skilled individuals who know how to register the malware infrastructure, provide training on the tools, and so on, often gather teams of scammers around them. The latter ultimately do most of the work, but these team leaders naturally get a piece of the pie.

Nigerian scammers range in age from late teenage years to adults in their mid-40s, and are often well educated, with technical degrees from local universities.

They live comfortably, and aren’t worried too much about hiding what they do or who they are.

“The culture within Nigeria tends to provide a permissive environment for these types of illicit activities. Scams, fraud and corruption are viewed as a way of life, and as a result, the majority of these actors apply little effort toward maintaining anonymity,” the researchers pointed out. This is the reason why researchers often manage to discover their real-world identities without too much effort.
