A fraudster accidentally infected his computer with his own malware

    Thanks to the criminal’s negligence, SecureWorks specialists revealed a new fraud scheme




    SecureWorks security specialists have fully documented a business email compromise scheme. The scheme is quite simple and, as it turned out, very effective.

    The so-called "Nigerian" scammers sent spam en masse, either with links to web pages hosting an exploit kit or with a trojan attached to the message. Their goal was to get control of a computer with access to the corporate mailbox of some senior manager. This was achieved in several stages: at the first stage it is enough to infect the computer of a lower-level manager or secretary whose email contacts include a higher-ranking employee, and so on up the ladder.

    Once the scammers managed to install the trojan on the computer of a high-ranking manager (the "seller" in the diagram), the following scheme went into action.


    Illustration: SecureWorks

    The essence of the fraud, known as Wire Wire, is shown in the infographic. For clarity, the steps are repeated here:

    1. Compromise of the seller's mailbox using phishing or malware. As already mentioned, this can be achieved by going through lower-level employees.

    2. The attacker examines the seller's mailbox in search of high-value deals that are still at a preliminary stage (for example, the buyer has requested a quote).

    3. The attacker sets up a redirect (forwarding rule) in the seller's mailbox so that future mail from the buyer can be intercepted and spoofed.

    4. The buyer sends the seller a purchase order for goods, and the document is redirected to the attacker.

    5. The attacker "clones" the buyer's email address (using a lookalike domain) and forwards the document to the seller from that address, thereby routing the communication channel through himself (a man-in-the-middle attack).

    6. The seller replies to the "buyer" (at the cloned address, which is controlled by the attacker) with an invoice containing payment instructions.

    7. The attacker changes the bank details in the invoice and forwards the altered document to the buyer.

    8. The buyer transfers the money to a bank account that is under the attacker's control.
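Steps 3 and 5 leave traces that a mail gateway on the seller's side can check for before anyone acts on a message. As an added example (not code from the SecureWorks report), the Python below flags an incoming message whose sender domain is a lookalike of a trusted counterparty domain, or whose Reply-To points somewhere other than the From domain; the trusted domain, the confusable-character table and the sample message are constructed for illustration.

```python
import email.utils
from email import policy

# Assumed allow-list of known counterparty domains (constructed for this example).
TRUSTED_DOMAINS = {"acme-chemicals.example"}

# Character substitutions commonly used to make a cloned domain look like the real one.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain: str) -> str:
    """Collapse common look-alike substitutions so 'chemica1s' compares equal to 'chemicals'."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, address = email.utils.parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_message(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing looked like step 5."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(from_dom) == normalize(trusted) or edit_distance(from_dom, trusted) <= 2:
                findings.append(f"sender domain {from_dom!r} looks like trusted {trusted!r}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return findings

# Constructed sample: the cloned address from step 5, with a digit 1 in place of the letter l.
SAMPLE = b"""From: Purchasing <orders@acme-chemica1s.example>
To: sales@seller.example
Subject: Re: Purchase order 4471

Please find the attached revised order.
"""
```

Running `check_message(SAMPLE)` returns a single finding naming the lookalike domain; a message from the genuine counterparty domain with no Reply-To returns none.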

    Interestingly, the detailed study of the new scheme was made possible by the fact that one fraudster accidentally infected his own computer with the RAT trojan he used in his work (this reportedly happens surprisingly often). Screenshots of his screen and keystroke logs were continuously uploaded to an open folder on a web server, and the investigators discovered this folder at the very beginning of their investigation. The screenshots and logs became a valuable source of information about the activities of a group of about 30 scammers, for whom this person (dubbed Mr. X) was a key figure. Later, screenshots and logs from the infected PCs of four more scammers were found.

    For several months, the specialists studied the screenshots and every keystroke. During this time they managed to learn many interesting details.

    For example, not all scammers in the Wire Wire community were experienced. Some had difficulty understanding how the malware works and how antivirus software detects it. Mr. X provided the technical assistance and infrastructure that allowed the group to operate effectively.

    Researchers saw clumsily modified invoices in which the font of the fake details differed noticeably from the original, and the bank account belonged to an entirely unrelated business located in a different country from the seller. Nevertheless, the business email compromise attack proved quite effective in many cases.

    For example, in the case of the largest fraud, the experts observed how the attackers compromised the mailbox of an employee of an Indian chemical company. He used the web interface, so only a username and password were required to access the mailbox. The attackers saw a business opportunity when the Indian company received an offer to buy $400,000 worth of chemicals from an American company, also in the chemical industry. Having received the invoice from the seller, the fraudsters modified the IBAN (account number), the name and address of the bank and the bank's SWIFT/BIC code, and sent the invoice on to the buyer. The American company unknowingly transferred $400,000 to the scammers.

    The researchers say the group did not have a clear hierarchy. Instead, everyone paid Mr. X for training and services, and also paid him a percentage of their income. Most members of the group live in the same region of Nigeria and know each other personally.

    The authors of the report also note that members of the Wire Wire group differ from typical scammers from West Africa. Typical scammers are usually young guys under 29 who hang out in internet cafes, behave extravagantly and post photos with bundles of cash and fancy cars on social networks. Brian Krebs wrote a good profile of these guys (the "Yahoo Boys") at the time.

    Unlike the "golden boys" of the Yahoo Boys, Wire Wire members are over 40, prefer to work from home, and look respectable on social networks: they never show off bundles of cash or fancy cars, and almost all are devout churchgoers. A study of their social-network profiles also showed that they are often family men, respected people with a good reputation. They feel obligated to help relatives, which often means bringing them into the Wire Wire scheme, because there are no other ways to earn decent money in the country.

    A study of the invoices and purchase orders showed that members of the criminal group took in an average of $3 million over a year of activity. The researchers saw fake invoices ranging from $5,000 to $250,000, although the average loss per company ranged from $30,000 to $60,000.

    The SecureWorks experts shared their findings at the Black Hat hacker conference. It must be said that they were lucky: if the fraudster had not infected his own computer with the RAT, it would have been very difficult to find the criminals. The buyer would wait a long time for the goods and then usually conclude that the seller had deceived him.

    Specialists James Bettke and Joe Stewart reported the results of their work to the Nigerian Economic and Financial Crimes Commission, and their report has already led to at least one investigation.

    Bettke and Stewart also published pdfxpose on GitHub, a tool that detects suspicious modifications to PDF files, to help prevent business email compromise.
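Step 7 alters an invoice that has already been saved, and PDF editors often record such a change as an incremental update appended to the original file rather than rewriting it. As an added example (not pdfxpose's own code, whose exact heuristics this page does not describe), the Python below counts appended revisions and reports text-drawing objects that a later revision redefines, using two constructed minimal PDF-like byte strings: an untouched invoice and one with a replaced IBAN line.

```python
import re

# Constructed minimal PDF-like byte strings (not real invoices, not valid for rendering):
# a single-revision file, and the same file with an incremental update appended that
# redefines object 4, the text object holding the IBAN.
ORIGINAL = b"""%PDF-1.4
4 0 obj << /Length 48 >> stream
BT /F1 12 Tf 72 700 Td (IBAN DE00 1234 5678 9012) Tj ET
endstream endobj
xref
0 5
trailer << /Size 5 /Root 1 0 R >>
startxref
300
%%EOF
"""
MODIFIED = ORIGINAL + b"""4 0 obj << /Length 48 >> stream
BT /F1 12 Tf 72 700 Td (IBAN XX99 9999 9999 9999) Tj ET
endstream endobj
xref
4 1
trailer << /Size 5 /Root 1 0 R /Prev 300 >>
startxref
640
%%EOF
"""

_OBJ = re.compile(rb"(?ms)^(\d+) \d+ obj\b(.*?)endobj")   # object number and body
_TJ = re.compile(rb"\(([^)]*)\)\s*Tj")                     # literal strings drawn as text

def incremental_updates(pdf: bytes) -> int:
    """Revisions appended after the first save: each revision ends with its own %%EOF."""
    return max(pdf.count(b"%%EOF") - 1, 0)

def object_revisions(pdf: bytes) -> dict[int, list[bytes]]:
    """Every definition of each object number, in file order (later entries override)."""
    revs: dict[int, list[bytes]] = {}
    for m in _OBJ.finditer(pdf):
        revs.setdefault(int(m.group(1)), []).append(m.group(2))
    return revs

def redefined_text_objects(pdf: bytes) -> set[int]:
    """Objects that draw text (Tj) and were overwritten by a later revision."""
    return {n for n, bodies in object_revisions(pdf).items()
            if len(bodies) > 1 and any(b"Tj" in b for b in bodies)}

def shown_text(pdf: bytes) -> list[str]:
    return [s.decode("latin-1") for s in _TJ.findall(pdf)]

def is_suspicious(pdf: bytes) -> bool:
    return incremental_updates(pdf) > 0 and bool(redefined_text_objects(pdf))
```

A hit means a reader should compare the text of the latest revision (the last entries of `shown_text`) with the original before paying; a single-revision file with no redefined objects is not flagged.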
