
Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud - Crime - Nairaland


Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by dridowu: 2:19pm On Aug 05, 2016
A pair of security researchers recently uncovered a Nigerian scammer ring that they say operates a new kind of attack called “wire-wire” after a few of its members accidentally infected themselves with their own malware. Over the past several months, they’ve watched from a virtual front row seat as members used this technique to steal hundreds of thousands of dollars from small and medium-sized businesses worldwide.

“We've gotten unprecedented insight into the very nitty-gritty mechanics of their entire operation,” says James Bettke, a researcher at SecureWorks, a subsidiary of Dell Inc. focused on cybersecurity. Bettke and Joe Stewart, who directs malware research for SecureWorks, are presenting the details of their findings this week at the annual Black Hat security conference in Las Vegas.

This new type of attack is a twist on an old favorite. For years, rings of scammers in West Africa have stolen money from companies through a technique known as "Business Email Compromise," or BEC, in which they use internal corporate email accounts to execute fraudulent financial transactions. Or, in another approach known as “spoofing,” scammers have impersonated a CEO’s email from an external account to persuade an employee to send a wire transfer to their own bank account.

The SecureWorks experts say wire-wire, which is how criminals refer to the new type of attack, represents a more sophisticated approach to BEC that is harder to detect. Bettke and Stewart discovered the ring in February when five of the scammers self-infected their own computers with the same malware they were using to steal from others. Such errors are a surprisingly common way for security researchers to get an inside look at scammers’ operations.

For months, the malware automatically loaded screenshots and keystrokes from compromised computers to an open web database. One of the infected scammers also frequently trained new scammers, which revealed even more details about their techniques. The SecureWorks team initially found the database by using the virus scanning tool VirusTotal to search for suspicious email attachments.

The wire-wire scammers begin by using a simple marketing tool to scrape the email addresses of businesses and employees from corporate websites. Then, they blast these addresses with messages containing keylogger software or other malware in a process called “bombing.” Employees who click on a malicious link or open an infected attachment might be prompted to log in, providing scammers with the password to their email accounts.

Once they’re in, the scammers allow the employee to continue with business as usual and discreetly monitor the account for potential financial transactions. As soon as they see that the employee is sending an invoice to a customer, they reroute it through their own email account and physically alter the account number and routing number before forwarding it on to the customer. The email address they use is often very similar to the original email address, so it’s easy to miss. Unlike spoofing, BEC techniques such as wire-wire rely on earning internal account access rather than externally impersonating a company account.

Since February, the SecureWorks team has witnessed the thieves deploy this method to reroute transactions averaging between US $30,000 and $60,000 from mostly small and medium-sized businesses making international deals. In one case, the attackers rerouted a $400,000 payment from a U.S. chemical company to its Indian supplier.

Bettke and Stewart estimate the group they studied has at least 30 members and is likely earning a total of about $3 million a year from the thefts. The scammers appear to be "family men" in their late 20s to 40s who are well-respected, church-going figures in their communities. “They're increasing the economic potential of the region they're living in by doing this, and I think they feel somewhat of a duty to do this,” Stewart says.

After the fact, it can take a while before the customer and seller realize they’ve been scammed—often, neither buyer nor seller realizes that something is amiss until the shipment or payment is overdue. Given their vantage point, Stewart and Bettke have tried to alert some businesses to the scam before the fraudulent transactions are complete, but they sometimes have a hard time persuading employees that they aren’t scammers themselves.

The SecureWorks team has notified Nigeria’s Economic and Financial Crimes Commission and their description of wire-wire scamming has led to at least one active investigation. They say the easiest way for business owners to prevent such attacks is to require two-step verification for employee logins. Stewart and Bettke have also uploaded a program to GitHub that detects digital artifacts that remain on an altered invoice to tip employees off to suspicious activity.




http://spectrum.ieee.org/tech-talk/telecom/security/nigerian-scammers-infect-themselves-with-own-malware-revealing-new-wirewire-fraud-scheme

7 Likes 2 Shares
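An added example, not part of the original post and not the SecureWorks program mentioned in it: a minimal receiving-side check for the two signs the article describes, a sender address that closely resembles the real one and bank details that differ from what is on file. The vendor record, domains, account numbers and function names are all constructed for illustration.

```python
# Added example: flag invoice e-mails matching the wire-wire pattern.
# Every domain, routing number and account number here is constructed.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

# Vendor master record: domain and bank details agreed out of band.
VENDORS = {
    "acme-chem.example": {"routing": "000000001", "account": "1000000001"},
}

def check_invoice(sender: str, routing: str, account: str, max_dist: int = 2):
    """Return a list of findings for one inbound invoice e-mail."""
    domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in VENDORS:
        vendor = domain
    else:
        # Closest known vendor domain; near but not equal means lookalike.
        vendor = min(VENDORS, key=lambda d: edit_distance(domain, d))
        if edit_distance(domain, vendor) > max_dist:
            return ["unknown sender: no vendor record"]
        findings.append(f"lookalike sender domain: {domain} vs {vendor}")
    on_file = VENDORS[vendor]
    if (routing, account) != (on_file["routing"], on_file["account"]):
        findings.append("bank details differ from vendor record")
    return findings

if __name__ == "__main__":
    # Constructed message: "rn" stands in for "m", bank details changed.
    for finding in check_invoice("billing@acrne-chem.example",
                                 "000000002", "2000000002"):
        print(finding)
```

Any finding is a cue to confirm the payment details with the vendor over a channel other than e-mail before paying.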

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Nobody: 8:22pm On Aug 05, 2016
Very educating information, scamming at a different dimension.

Business organisations should take note.

8 Likes 1 Share

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by labamo07(m): 8:22pm On Aug 05, 2016
Wire wire boys in the house, your yansh don dey open oooo. But even at these revelations, it doesn't stop scam operations...

19 Likes

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Sunofgod(m): 8:23pm On Aug 05, 2016
Guys must eat...

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by martineverest(m): 8:23pm On Aug 05, 2016
I saw this 'wire-wire' 419 scammer on an online news site: zdnet.com. I was amazed by a comment by one of the white commenters.
He said:
'Nigerian scammers have always been a lot creative. It's a pity that their talents aren't directed towards problem solving and honest pursuits'


I just shook my head and almost shed tears.

133 Likes 6 Shares

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by gen2briz(m): 8:24pm On Aug 05, 2016
Summary Pls

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by DesChyko: 8:24pm On Aug 05, 2016
Hmmm.. People dey vex ni. See 'legit' scam. No contact at all.
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Peacetemi: 8:24pm On Aug 05, 2016
If only they could channel all that focus and energy into something positively productive, their lives would have been better off. Most of them just need fast money so they can impress some dirty-ass girl, typical dumb-ass mentality, they never see the bigger picture. This country has been damaged beyond repair. angry

72 Likes 6 Shares

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by jamzzy28(m): 8:24pm On Aug 05, 2016
Am coming......

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by SILVA112(m): 8:25pm On Aug 05, 2016
Nigerian scammers again ''' all d evil in dis world ''just summarize 4 Nigeria

1 Like 1 Share

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by johnstar(m): 8:25pm On Aug 05, 2016
grin

Nigerians and scamming

18 Likes

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by ayusco85(m): 8:25pm On Aug 05, 2016
Nigerians are fantastically corrupt... PMB 2016

Was here to check names but was disappointed. But my guess won't be far from d truth.

Ugandans

5 Likes

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Tolzeal(m): 8:25pm On Aug 05, 2016
I've only come to read to it actually works.
Seem impressive
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by gbaskiboy: 8:25pm On Aug 05, 2016
summary please
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Hadez(f): 8:25pm On Aug 05, 2016
How does this affect my signature? undecided
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by ThatNova(m): 8:25pm On Aug 05, 2016
you have to commend these scammers for going through so much brainstorming

23 Likes 1 Share

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by CXLVII: 8:25pm On Aug 05, 2016
I would have made a 2nd Class Lower Honors in the university if I could read all these epistles.

2 Likes 1 Share

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Nobody: 8:25pm On Aug 05, 2016
Wire-wire kò
Tire-tire ni
Wetin concern me.

2 Likes

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Berrylite: 8:25pm On Aug 05, 2016
Lemme read first
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by BoboFashion(m): 8:26pm On Aug 05, 2016
WWBs

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by maryjan8(f): 8:26pm On Aug 05, 2016
Hmm
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Umargarr(m): 8:27pm On Aug 05, 2016
chai !!
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by graphiti: 8:27pm On Aug 05, 2016
babyfaceafrica:
Nothing new!!


maryjan8:
Hmm

BoboFashion:

WWBs

johnstar:
grin

Peacetemi:
.

DesChyko:
Hmmm.. People dey vex ni. See 'legit' scam. No contact at all.

gen2briz:
Summary Pls

Sunofgod:
Guys must eat...

labamo07:
k

herbie27:
Ok.

Umargarr:
chai
!!


NCAN/Space bookers association of nairaland..........







wink wink grin.

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by iykekelvins(m): 8:27pm On Aug 05, 2016
Too long to read
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by Nobody: 8:28pm On Aug 05, 2016
Too long

Summary please

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by SFTW: 8:28pm On Aug 05, 2016
WTF!
This is too long!

If one door close another opens sha!

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by babyfaceafrica: 8:29pm On Aug 05, 2016
Nothing new!!

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by VajanahDischaj(f): 8:29pm On Aug 05, 2016
Those wey no know no go know!LoL...thank God for Computer Scientists cheesy

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by HazzanTazzan(m): 8:30pm On Aug 05, 2016
Wire wire boys... I respect una o

1 Like

Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by opalu: 8:30pm On Aug 05, 2016
Wow
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by SupremeDimeji(m): 8:31pm On Aug 05, 2016
Lol, funny dumb-asses.

Watch-
https://www.youtube.com/watch?v=9b525mH5hpw
Re: Nigerian Scammers Infect Themselves With Own Malware, New Wire-wire Fraud by ayooladee(f): 8:31pm On Aug 05, 2016
herbie27:
Very educating information.

Cooperate organisations should take note.
grin
