Nigerian BEC Scammers Increase Proficiency: ReportOne Gang Responsible for 2.1 Million Attacks, Researchers Say
Nigerian cybercriminal gangs have become even more proficient in waging business email compromise attacks, according to an analysis from Palo Alto Network's Unit 42.
Unit 42 researchers determined that last year, cybercriminal gangs operating out of Nigeria averaged a combined total of over 92,000 business email compromise attacks each month, a 172 percent increase from the previous year.
The analysis also found that one group, which Unit 42 refers to as SilverTerrier, was responsible for the bulk of these attacks. This gang is believed to be responsible for 2.1 million BEC attacks in 2019, according to the report.
And while groups such as SilverTerrier continue to rely on a vast array of commodity tools, such as information stealers and remote access Trojans, or RATs, the Unit 42 analysis found that these cybercriminals have become much more sophisticated in how they deploy this malware.
"SilverTerrier is really good at retiring old tools and adopting new ones," Pete Renals, principal researcher for Unit 42, tells Information Security Media Group. "The factors they take into consideration on which tools to use include popularity, effectiveness, detection rates, availability and various other market factors. This helps keep their attack delivery methods fresh and effective."
BEC on the Rise
The increasing proficiency of these Nigerian cybercriminal gangs comes at a time when BEC attacks are increasing globally. These scams typically involve fraudsters compromising the email accounts of executives in order to trick lower-level employees into transferring money to bank accounts controlled by the attackers.
The FBI's Internet Crime Report revealed that the agency received nearly 24,000 complaints about BEC scams in 2019, with losses to victims in the U.S. totalling $1.7 billion, (see: FBI: BEC Losses Totalled $1.7 Billion in 2019)
In September 2019, the U.S. Department of Justice announced that 281 people, including 167 Nigerians, were arrested as part of a coordinated effort to disrupt BEC scheme (see: Business Email Compromise Crackdown: 281 Suspects Busted).
The bulk of the Unit 42 analysis focuses on SilverTerrier, which has been active since at least 2014 and acts as an umbrella organization for about 480 individuals. Over the course of 2019, the group produced more than 81,300 malware samples - snippets of malicious code that analysts can reverse engineer - as part of their activity, according to the report.
And over time, the SilverTerrier gang has deployed a number of commodity tools to assist their BEC scams. This includes information stealers, such as AgentTesla, AzoRult, Lokibot, Pony and PredatorPain, which are used to capture screenshots, passwords and other sensitive files on an infected system, according to the report.
In addition, the group uses a combination of 13 commodity RATs for modifying systems, accessing network resources and sending out emails and other messages from compromised devices, according to Unit 42. In many cases, the developers working for the gang used obfuscation techniques within the malware, which are designed to deceive signature-based anti-virus programs, the report notes.
"As SilverTerrier continues growing its technical abilities, combined with the effectiveness of these tools in enabling fraudulent schemes, we anticipate seeing an increasing number of actors adopting these tools in 2020," Renals says.
Over the last year, Unit 42 found that SilverTerrier has focused more of their efforts on tech companies, legal offices and law firms as well as other professional services industries.
Role of Malware Developer
The Unit 42 researchers say SilverTerrier has sought the help of individual malware tool developers to increase its capabilities.
"Actor X," a SilverTerrier member whose identity was not disclosed by the Unit 42 researchers, registered more than 480 domains using 90 email address over the last year. This developer produced over 4,000 malware samples that targeted more than 93 local, state and federal government agencies, according to the report.
In March, Check Point Research released a similar report that profiled one Nigerian scammer who collected over $100,000 in a seven-year period by engineering various scams (see: The Evolution of a Nigerian Scammer).
Managing Editor Scott Ferguson contributed to this report.