Wire Wire: A West African Cyber Threat - DELL - Programming - Nairaland
Wire Wire: A West African Cyber Threat - DELL by SleakBuzzPR: 7:41am On May 14, 2018
Below is the summary of a report submitted to the FBI and CIA by DELL Technologies in the U.S.A.


"Nigerian prince" and "419" scams have plagued victims for decades and transitioned to the Internet in the 1990s. There are many variations and names for these scams, which originated in Nigeria. The scammers refer to their trade using the terms "yahoo yahoo" or "G-work," calling themselves "yahoo-yahoo boys," "yahoo boiz," or "G-boys." However, the simple con man fraud practiced by many West African-based threat actors is being replaced by a new crime they refer to as "wire-wire," "waya-waya," or "the new G-work." These terms have not entered the mainstream lexicon as of this publication and are not well-defined, but SecureWorks® Counter Threat Unit™ (CTU) research indicates that they refer to the evolution of low-level con games into more sophisticated and conventional cybercrime that is compromising businesses around the world. The businesses range in size and span industries from machinery manufacturers to countertop material manufacturers to chemical companies. The cybercriminals use spearphishing and malware to gain direct access to organizations' computers to facilitate the theft of large sums of money without the victim's knowledge.

A Facebook search for "wire-wire" reveals numerous groups and users operating in the open. They advertise their services or offer training courses about wire-wire to would-be criminals. Multiple social media platforms have a wealth of information about individual threat actors, but meticulous research is necessary to understand how these thefts are being accomplished.

Business email compromise

The Internet security industry has been aware of the evolution of largely African-based threat actors for several years. Security companies such as Trend Micro, ThreatConnect, Palo Alto, and FireEye have detailed the rise of this activity. However, awareness about how these threat actors operate and how to spot their intrusions is still low among security professionals and the public. Because these actors operate differently than other cybercriminals, it is essential to understand how they conduct their schemes. Although some wire-wire activity is simple low-level credit card fraud, the largest threat to organizations is business email compromise. CTU™ researchers use the following terms to distinguish between wire-wire fraud types:

Business email compromise (BEC) — Hijacking an email account or an email server to intercept business transactions and redirect payments
Business email spoofing (BES) — Sending spoofed email from an external account pretending to be a company executive authorizing an irregular payment transaction

CTU researchers have encountered many reports that use "BEC" to refer to activities better categorized as "BES." BEC is much more devious and harder to detect than BES. If these terms are used interchangeably, a potential victim may assume that verifying requests with the named executive using established communication channels will sufficiently mitigate the threat. However, this defense cannot prevent BEC fraud.

How BEC works

In BEC, an attacker compromises a seller's email account to position himself as a "man-in-the-middle" between the seller and a buyer in existing business transactions. The threat actor then uses his control of the seller's account to passively monitor the transaction. When it is time for payment details to be relayed to the buyer via an invoice, the threat actor intercepts the seller's email and changes the destination bank account for the buyer's payment. If the payment account does not appear to be suspicious, the buyer will likely submit the payment to the attacker's account.

To completely and transparently control the communication between the buyer and seller, the attacker must be able to control and monitor the email chain between the two parties. The first step is to compromise a business's email account, which can be accomplished easily and inexpensively with various phishing kits and commodity malware. For approximately $30, a threat actor can send a large quantity of emails containing malicious attachments (referred to as "bombing") to a list of email addresses scraped from the target's web pages. Even if only a few recipients are compromised, the potential payoff for the attacker could be thousands to hundreds of thousands of dollars per email campaign.

From the seller's point of view, the transaction appears to be normal until the buyer does not pay for the invoiced goods. The only suspicious aspect the seller might detect is the change of email address between the request for a quote and the PO. The buyer will not notice a problem until the seller fails to ship the purchased goods. The seller's email address does not change because the attacker controls that email account. If the threat actor is skilled at document forgery and generates a seemingly legitimate invoice, the buyer will likely believe that the seller cheated them.

Not all wire-wire attackers are skilled. Many struggle to understand how their malware operates and how it is detected by antivirus software. CTU researchers have observed clumsily modified invoices, with payment details in a font that does not match the rest of the document and a bank account that is associated with an unrelated business name and is located in a different country than the seller. Regardless, BEC is effective against many targeted businesses.

Case study

When researching wire-wire activity, CTU researchers discovered that one of the most notable cyberheists had been executed by a Nigerian wire-wire group against an Indian chemical company and its U.S. customer. The customer, also a chemical company, sought to purchase a large quantity of chemicals from the Indian company. CTU researchers found that the wire-wire group had hijacked the email username and password of an employee at the Indian company. The company used a webmail application for its corporate email, and the employee login required only a username and password. Because employees did not have to provide another form of verification, the threat actors used the credentials to access and read the employee's emails.

The attackers identified an opportunity when the U.S. company sent a price quote request to purchase $400,000 in chemicals from the Indian company. The threat actors added a rule to the employee's email to redirect all future email from the U.S. company to the attacker's email account. The attackers intercepted the U.S. company's purchase order and resent it from another email address that closely resembled the submitter's actual email address. At this point, the attackers established their MITM position between the buyer and the seller.

The Indian company eventually sent an invoice that contained wire payment details. Because the invoice was sent to the attacker-generated email address, the threat actors modified the following information before forwarding it to the legitimate recipient at the U.S. company:

The bank account number or International Bank Account Number (IBAN) for the attacker-controlled account
The full name and address of the bank where the attackers' account was located
The SWIFT/BIC code of the attackers' bank

The U.S. chemical company unknowingly wired $400,000 into the attacker-controlled account. The threat actors then laundered the money through multiple accounts in different countries, making recovery impossible and the money trail difficult to trace.


SOURCE:
https://www.secureworks.com/research/wire-wire-a-west-african-cyber-threat

1 Like 1 Share
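The post describes three things a defender can actually check for: a correspondent address that changes to a near-identical one mid-thread, invoice bank details that no longer match the vendor record, and a mailbox rule that redirects mail outside the company. The script below runs those checks over a constructed thread modelled on the case study. It is an added example, not code from the post or from the SecureWorks report; every address, account number, SWIFT code and rule name in it is made up.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

@dataclass
class Message:
    sender: str
    subject: str
    # Payment details extracted from an attached invoice, when the mail carries one.
    bank_account: Optional[str] = None
    swift_bic: Optional[str] = None

# Constructed vendor master record: details the buyer verified out of band at onboarding.
VENDOR_ON_FILE = {"bank_account": "IN12EXAMPLE0000111", "swift_bic": "EXAMINBB"}

# Constructed thread mirroring the case study: RFQ and quote are genuine, the PO is
# resent from a lookalike buyer address, and the invoice carries swapped-in bank details.
THREAD = [
    Message("buyer@uschem-example.com", "RFQ for 40t solvent"),
    Message("sales@chemco-example.in", "Re: RFQ for 40t solvent - quote attached"),
    Message("buyer@uschem-exarnple.com", "Purchase order 1043"),   # "rn" in place of "m"
    Message("sales@chemco-example.in", "Invoice 7781 - wire details",
            bank_account="GB00EXAMPLE9999222", swift_bic="EXAMGB2L"),
]

# Constructed mailbox rules; the second is the redirect-outside pattern from the case study.
SAMPLE_RULES = [
    {"name": "Archive newsletters", "forward_to": []},
    {"name": "uschem redirect", "forward_to": ["chemco.sales.backup@example-mail.test"]},
]

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def is_lookalike(addr: str, known: str, threshold: float = 0.85) -> bool:
    """An address that is not the known one but is nearly identical to it."""
    return addr.lower() != known.lower() and similarity(addr, known) >= threshold

def audit_thread(thread, vendor):
    """Return (kind, detail) findings an AP clerk or mail gateway should see before paying."""
    findings = []
    seen = set()
    for msg in thread:
        sender = msg.sender.lower()
        if sender not in seen:
            # A new address that closely resembles one already in the thread is the
            # mid-conversation swap described above; a genuinely new party scores far lower.
            lookalikes = [s for s in seen if is_lookalike(sender, s)]
            if lookalikes:
                closest = max(lookalikes, key=lambda s: similarity(sender, s))
                findings.append(("lookalike-sender", f"{sender} resembles {closest}"))
            seen.add(sender)
        if msg.bank_account is not None:
            # Any change in account/IBAN or SWIFT/BIC versus the vendor record must be
            # confirmed through a channel the email chain cannot influence.
            if (msg.bank_account != vendor["bank_account"]
                    or msg.swift_bic != vendor["swift_bic"]):
                findings.append(("payment-details-changed",
                                 f"{msg.subject}: {msg.bank_account}/{msg.swift_bic}"))
    return findings

def external_forwarding_rules(rules, internal_domain: str):
    """Mailbox rules that forward or redirect mail to a domain other than the company's."""
    flagged = []
    for rule in rules:
        for target in rule["forward_to"]:
            if target.rsplit("@", 1)[-1].lower() != internal_domain.lower():
                flagged.append((rule["name"], target))
    return flagged
```

Running `audit_thread(THREAD, VENDOR_ON_FILE)` on the sample thread flags the resent purchase order and the altered invoice; `external_forwarding_rules(SAMPLE_RULES, "chemco-example.in")` flags the redirect rule, which is the first thing to look for in a mailbox suspected of compromise.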

Re: Wire Wire: A West African Cyber Threat - DELL by IamaNigerianGuy(m): 9:48pm On May 15, 2018
SleakBuzzPR: (quoting the original post above)

Wow.
Very detailed and enlightening. These boys aren't kidding around.

1 Like

Re: Wire Wire: A West African Cyber Threat - DELL by Dalexicographer(m): 12:01pm On May 16, 2018
Maybe I we still do sev...
$400,000

Re: Wire Wire: A West African Cyber Threat - DELL by micki1: 1:03pm On May 17, 2018
These are the types of threads that should grace Nairaland front page

2 Likes

Re: Wire Wire: A West African Cyber Threat - DELL by akigbemaru: 9:57pm On Jun 12, 2020
SleakBuzzPR: (quoting the original post above)
