Nigeria's Internet fraudsters target corporate e-mail
West Africa's infamous Internet scammers have evolved, dropping their impersonations of online love interests, princes and US soldiers in favour of hijacking corporate e-mails, costing businesses hundreds of millions of dollars a year.
ITWeb Security Summit 2018
Registration is open for ITWeb Security Summit 2018, which will feature cyber security guru Mikko Hypponen and other international infosec players as plenary speakers. Get involved in #SS18HACK and choose from two half-day workshops or a full-day Boot Camp plus five training courses. Click here for the agenda. For the first time, ITWeb Security Summit will also take place in Cape Town.
It is a much more lucrative venture that works by gaining access to corporate e-mail login details or passing off almost-identical addresses as the real deal, a scam known as business e-mail compromise (BEC), according to a report by cyber security firm CrowdStrike issued yesterday.
These Nigerian rackets now dwarf other types of online criminal theft, amounting to at least $5.3 billion of losses between October 2013 and the end of 2016, said CrowdStrike and the FBI's Internet Crime Complaint Centre (IC3).
"There's a disproportionate amount of criminal gains they get from it," Adam Meyers, vice-president of intelligence at California-based CrowdStrike, told Reuters. "The lion's share of ill-gotten, fraudulent money is around these business e-mail compromise attacks. It's a huge problem for our customer set."
Nigeria has become one of the hubs of BEC. Nigerian online fraudsters, known as "Yahoo boys", became notorious for trying to pass themselves off as people in financial need or Nigerian princes offering an outstanding return on an investment.
The capers became known as "419 scams" after the section of the national penal code that dealt, ineffectively, with fraud.
Yahoo boys even impersonated a US forces commander in Afghanistan to defraud people by asking for help in recovering the assets of deceased soldiers. It forced the commander to issue a Facebook statement saying he would never try to contact anyone asking for financial help.
Now the scammers have bigger fish to fry, with the potential gains amounting to hundreds of millions of dollars a year, according to CrowdStrike.
Behind the fraudsters is an organised crime network with its hands in human trafficking, drugs, prostitution, money laundering and e-mail fraud and cyber crime, the CrowdStrike report said. "The magnitude of this criminal threat has only recently begun to be understood."
The Black Axe gang sprang from Nigerian universities and now extends from Africa to North America, Europe and Asia. Its targets have ranged from semiconductor makers to schools in US states including Connecticut and Minnesota, passing themselves off as executives and lawyers to trick employees into wiring sometimes millions of dollars a day into bank accounts.
From there, the money is quickly laundered through a series of bank accounts that can be traced to Hong Kong and China, where the trail often goes cold because diverging regulations foil monitoring, Meyers said.
With that money, the Nigerian scammers are often enjoying the high life, said Meyers, noting social media accounts filled with pictures of them posing with luxury Mercedes cars, gold watches, jewellery and champagne.
"It's really hard to stop; you can't stop it with anti-virus or any kind of software, it's really kind of a human problem."