'Nigerian scammer' busted after he infected himself with malware The ancient-in-internet-years “Nigerian email” scam remains popular and profitable for its operators ... when they don't shoot themselves in the foot. Some scam operators infected themselves with their own malware, and SecureWorks has been discussing the outcome of that: the massive own goal meant researchers like Joe Stewart …
Once again the lack of proper procedures are the linchpin through which scum can ply their trade. Taking account details from an email means that you do not have a proper client db with the reliable data already inserted.
Which in turn means that your payment transfer system is probably a mess (no check on account number for an existing supplier ?) and errors like this will slip through unnoticed until you get an invoice unpaid letter and start wondering why - which is never the right reason to check your accounting procedures, but better late than never.
This is the kind of pain that will prompt more attention to detail. It is unfortunately a costly lesson, but there is a portion of the population that only learn by costly lessons (backups, anyone ?).
I know a financial controller who had this happen to, it does require a degree of uncertainty within the business to work BUT i can say that this level exists everywhere.
If they can see your emails, they can see when people are away on holiday, they can access and change the name tags on email addresses (in the example i found they managed to access the email server) so that 'payme@yoursuppplierr.com' (note the double 'r') still shows as 'Your supplier' in emails
So, they've waited for the moment when someone is away, prevented payment (by intercepting emails and not sending on) to a vital supplier and allowed a 'Pay or no shipment of your urgent goods' to get from the supplier to the company.. next step is 'BTW we have changed banks, please pay here.
Yep, combination of pressure and hitting the weak point meant 280k (not actual value but close) went out to a bank account not of the suppliers.
THANKFULLY Interpol saved the day (yep, i know, bloody amazing) and contacted the bank and had funds frozen, the bank didn't let the cash fly as they were a bit wary of cash coming in to the system going out so fast (crims had actually contacted the target company for further documentation to prove that they should be able to withdraw, AFTER they realised what had happened, by pretending to be police!!!)
please note that if the company had lost this cash, at that time, it would have essentially stunted the company for years to come, as it was for high-season items (ordered JIT), and a large chunk of cash for the company..
Oh, and the spyware was on the bosses laptop, that's how they managed to connect and harvest all the data.
They monitored the operation for several months. According to another report they did attempt to contact at least some of the victims to warn them (and were themselves suspected of being scammers) but essentially the let the scam run rather than blowing the whistle PDQ. So why are they not being treated as accessories?
Full analysis takes time, and you also need many "runs" so that you can trace the paths.
If they had blown the whistle PDQ, they could have gotten a fraction of the people running the scam, by letting it run for 2-3 months (and presumably logging the transactions, frauds, and scams) they nabbed the whole "company" and have records that could cause the victims to claim restitution.
Also, if watching, investigating, and gather evidence counted as accessory, then every LEO ever would also be guilty.
'they nabbed the whole "company" and have records that could cause the victims to claim restitution.'
Claiming is one thing, getting is another. I doubt any company who has lost money during the monitoring period would have consider the eventual outcome to have been worth the cost of their losses.
There's always a trade-off between gathering information and allowing harm to continue. It will always seem easier to err on the former side when it's someone else's harm; allowance should be made for that.
I get at least one of those a week (oh and lieutenant Ferrara is still alive and well), but I only see them if I hit up the spam folder on my gmail looking for a lost _real_ receipt or something - Google invariably intercepts them as they come...
EDIT: derp, just noticed the _SNAIL_ part - oops! That's indeed something... :)
I've got one of these (and scanned it for posterity) if El Reg would like to run an expose on it...
It ticked all the boxes:
1) Shiny company name
2) Shiny company address (Geneva) - which, if Streetviewed, is a cinema and hairdressers....(presumably a unit above it)
3) Webmail email address
4) "Phone" number that points to a REGUS FAX number
5) Offer of lots of good investments
The headline started an interesting train of thought about the more traditional Nigerian-style email scammers.
Do these scammers have rock-solid malware protection? I've seen sites devoted to stories of stringing these guys along, and sometimes even getting money out of them. It would be so much better to disable the systems they work on by replying to them with infected attachments.
The company I work for is pretty strict about email security.
All email to/from new domains is quarantined until someone from the admin teams Okays it. A new domain for what seems like an existing contact would set off alarm bells.
We deal with investment data so our clients are very picky about security,
> They were able to monitor the ringleader of this particular operation for “several months”.
> Bettke explained that “we saw who he contacted, his instant messages, the tools he was using, his victims, the amounts of money transferred – how the whole thing worked.”
How is that not illegal? Even if it were the police they'd not have permission to access someone's computer and get their personal information anymore than they can walk into someone's house without a warrant and rummage around just because the door was unlocked.
Not quite a definitive solution, but just enable strict SPF / DKIM and mark all external mail by amending its subject, or something like that.
No technology (except completely disconnecting someone / something) can be foolproof, so this still requires the end users to have a tiny little itty bitty smidge of sense and not do things blindly without being a little careful...
Not quite a definitive solution, but just enable strict SPF / DKIM and mark all external mail by amending its subject, or something like that.
That requires the domain owner not to be a dork; many of them fail badly at that hurdle.
I went through a phase a while back where I was seeing loads of domains with "+all" at the end of their SPF records. I cannot see a single instance where that can be anything but harmful, so my SPF milter now treats "+all" as if it were "-all". That helps...
Vic.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
