Wire Wire: Save Your Business From Nigerian Email Criminals


Wire Wire, a criminal syndicate of Nigerian origin, has finally been demystified. Its members’ adept use of digital media and hacking skills to steal at least USD 5 million a year from companies and individuals makes it one of the most dangerous criminal elements in cyberspace.

PageOne’s Tech Team came across this useful report from SecureWorks. We hope it will educate you on how to protect yourself and your business from being ruined by cyber criminals.

SecureWorks, a cyber security company, said these gangs have devised various means of hijacking the email accounts of employees and individuals; they then initiate and complete bank transfers, mostly without the knowledge of their victims.

SecureWorks said the genesis of the fraudulent gang can be traced to the well-known ‘scammers’ who ‘refer to their trade using the terms “yahoo yahoo” or “G-work,” calling themselves “yahoo-yahoo boys,” “yahoo boiz,” or “G-boys”’.

The criminal syndicate has since evolved into a larger monster: ‘the simple con man fraud practiced by many West African-based threat actors is being replaced by a new crime they refer to as “wire-wire,” “waya-waya,” or “the new G-work”,’ SecureWorks said.

Nigerian email criminals use two approaches:

    • Business email compromise (BEC) — Hijacking an email account or an email server to intercept business transactions and redirect payments
    • Business email spoofing (BES) — Sending spoofed email from an external account pretending to be a company executive authorizing an irregular payment transaction

This is how a BEC is perpetrated:

An attacker compromises a seller’s email account to position himself as a “man-in-the-middle” between the seller and a buyer in existing business transactions. The threat actor then uses his control of the seller’s account to passively monitor the transaction. When it is time for payment details to be relayed to the buyer via an invoice, the threat actor intercepts the seller’s email and changes the destination bank account for the buyer’s payment. If the payment account does not appear to be suspicious, the buyer will likely submit the payment to the attacker’s account.

To completely and transparently control the communication between the buyer and seller, the attacker must be able to control and monitor the email chain between the two parties. The first step is to compromise a business’s email account, which can be accomplished easily and inexpensively with various phishing kits and commodity malware. For approximately USD30, a threat actor can send a large quantity of emails containing malicious attachments (referred to as “bombing”) to a list of email addresses scraped from the target’s web pages. Even if only a few recipients are compromised, the potential payoff for the attacker could be thousands to hundreds of thousands of dollars per email campaign. BECs follow a typical chain of events (see Figure 1), which may vary based on the details of the transaction.

Figure 1: Typical BEC process. Source: SecureWorks

One of the most notable cases cited by SecureWorks was a ‘cyberheist’ executed by a Nigerian wire-wire group against an Indian chemical company and its U.S. customer.

The customer, also a chemical company, sought to purchase a large quantity of chemicals from the Indian company. Researchers from SecureWorks’ Counter Threat Unit (CTU) found that the wire-wire group had hijacked the email username and password of an employee at the Indian company. The company used a webmail application for its corporate email, and the employee login required only a username and password. Because employees did not have to provide another form of verification, the threat actors used the stolen credentials to access and read the employee’s emails.

The attackers identified an opportunity when the U.S. company sent a price quote request to purchase $400,000 in chemicals from the Indian company. The threat actors added a rule to the employee’s email to redirect all future email from the U.S. company to the attacker’s email account. The attackers intercepted the U.S. company’s purchase order and resent it from another email address that closely resembled the submitter’s actual email address. At this point, the attackers established their MITM position between the buyer and the seller.
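The redirect rule described above is the artefact a defender can look for directly in the mailbox. As an added example that is not part of the SecureWorks report, the Python below audits a rule export for the two behaviours the case shows: mail from a specific counterparty being sent to an address outside the company, and mail being parked where the mailbox owner will not see it. The export format, field names, folder list, company domain and the “near-empty rule name” heuristic are all assumptions for this illustration.

```python
"""Audit mailbox inbox rules for attacker-style redirects.

Added example, not SecureWorks tooling. Works over a constructed JSON rule
export; the field names below are assumptions modelled on what a webmail or
Exchange admin console shows for one mailbox.
"""
import json

COMPANY_DOMAINS = {"example-chem.com"}   # assumption: the organisation's own mail domains

# Constructed rule export (not real data). The second rule is the pattern from
# the case above: mail from the buyer is redirected outside and hidden locally.
SAMPLE_RULES_JSON = """[
  {"mailbox": "sales@example-chem.com", "name": "File newsletters",
   "from_contains": ["newsletter@"], "forward_to": [], "redirect_to": [],
   "move_to_folder": "Newsletters", "delete": false, "enabled": true},
  {"mailbox": "sales@example-chem.com", "name": ".",
   "from_contains": ["@buyer-us.example"], "forward_to": [],
   "redirect_to": ["sales.examplechem@webmail.example"],
   "move_to_folder": "RSS Subscriptions", "delete": false, "enabled": true},
  {"mailbox": "sales@example-chem.com", "name": "Copy orders to shared box",
   "from_contains": [], "forward_to": ["orders@example-chem.com"],
   "redirect_to": [], "move_to_folder": null, "delete": false, "enabled": true}
]"""

# Folders a mailbox owner rarely opens; intercepted mail tends to be parked here.
# Assumption for this example.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}


def is_external(address, company_domains=COMPANY_DOMAINS):
    """True when the address's domain is not one of the company's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in company_domains


def audit_rule(rule, company_domains=COMPANY_DOMAINS):
    """Return a list of findings for one rule; an empty list means nothing of note."""
    if not rule.get("enabled", True):
        return []
    findings = []
    targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
    external = [a for a in targets if is_external(a, company_domains)]
    if external:
        findings.append("sends mail to external address: " + ", ".join(external))
    folder = (rule.get("move_to_folder") or "").lower()
    senders = rule.get("from_contains", [])
    if senders and (rule.get("delete") or folder in HIDE_FOLDERS):
        findings.append("hides mail from specific senders: " + ", ".join(senders))
    # Practitioner heuristic (not from the report): attacker-created rules are
    # often named with a single character so they do not stand out in the list.
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("near-empty rule name")
    return findings


def audit_mailbox_rules(rules_json, company_domains=COMPANY_DOMAINS):
    """Return [(mailbox, rule name, findings), ...] for rules that deserve an analyst's look."""
    suspicious = []
    for rule in json.loads(rules_json):
        findings = audit_rule(rule, company_domains)
        if findings:
            suspicious.append((rule["mailbox"], rule["name"], findings))
    return suspicious


if __name__ == "__main__":
    for mailbox, name, findings in audit_mailbox_rules(SAMPLE_RULES_JSON):
        print(f"{mailbox}: rule {name!r}")
        for finding in findings:
            print("   -", finding)
```

Run the same audit across every mailbox on a schedule, not only after a complaint: in the case above the rule sat unnoticed for the whole life of the transaction. Any hit should open the incident response process the report mentions, since the rule itself is evidence that the account credentials are already in someone else’s hands.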

The Indian company eventually sent an invoice that contained wire payment details. Because the invoice was sent to the attacker-generated email address, the threat actors modified the following information before forwarding it to the legitimate recipient at the U.S. company:

  • The bank account number or International Bank Account Number (IBAN) for the attacker-controlled account
  • The full name and address of the bank where the attackers’ account was located
  • The SWIFT/BIC code of the attackers’ bank

The U.S. chemical company unknowingly wired $400,000 into the attacker-controlled account. The threat actors then laundered the money through multiple accounts in different countries, making recovery impossible and the money trail difficult to trace.

To mitigate the risk of BEC (which the gangs call wire-wire), SecureWorks advised the following:

  • Implement 2FA for corporate and personal email. Small and medium-sized businesses (SMBs) are popular targets for wire-wire groups because SMBs typically have little or no budget for security tools beyond AV. SMBs also tend to use the least-expensive option for hosting websites and email, which is usually a cloud hosting provider. Most threat actors rely on easy access to a company’s email via a commodity webmail program, so 2FA would deter all but the most sophisticated attackers.
  • Inspect the corporate email control panel for suspicious redirect rules. An unexplained redirect rule that sends incoming email from specific addresses to third-party systems could indicate compromise and should trigger an organization’s incident response process.
  • Carefully review wire transfer information in suppliers’ email requests to identify any suspicious details.
  • Always confirm wire transfer instructions with designated suppliers using a previously established non-email mode of communication, such as a fax number or phone number. Establish this communication channel using a method other than email.
  • Require multiple approvals for wire transfers, and ensure this procedure is difficult for cybercriminals to discover.
  • Question any changes to typical business practices and designated wire transfer activity (e.g., a business contact suddenly asking to be contacted via their personal email address or a change to an organization’s designated bank account information).
  • Be suspicious of pressure to take action quickly and of promises to apply large price discounts on future orders if payment is made immediately.
  • Thoroughly check email addresses for accuracy and watch for small changes that mimic legitimate addresses, such as the addition, removal, substitution, or duplication of single characters in the address or hostname (e.g., username@example.com versus userrname@example.com, or username@example.com versus username@examp1e.com).
  • For organizations that use intrusion detection and intrusion prevention systems (IDS/IPS), create rules that flag emails whose sender domains resemble the company’s own (e.g., abc_company versus abc-company).
  • Limit the information that employees post to social media and to the company website, especially information about job duties and descriptions, management hierarchy, and out-of-office details.
  • Consider adopting the Financial Industry Regulatory Authority (FINRA) standards to deter money laundering and fraudulent wire transfers.
  • Consider using the free pdfxpose tool that CTU researchers developed to help detect wire-wire fraud. CTU analysis of WWG1 activity revealed that the threat actors edited PDF invoice files by redacting the original payment details with a white opaque rectangle and then overlaying it with the money mule account information. This tool searches for sub-page-sized opaque rectangles with text overlays and adjusts the opacity and color to reveal potentially suspicious edits.
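The address checks in the list above (a single character added, removed, substituted or duplicated; a digit standing in for a letter, as in examp1e; a swapped separator, as in abc_company versus abc-company) can be made mechanical rather than left to a busy accounts clerk. The Python below is an added example and not SecureWorks’ tooling: it folds the common substitutions, then measures edit distance against a constructed list of known supplier addresses and company domains. The supplier list, domain list, substitution table and one-edit threshold are assumptions for this illustration.

```python
"""Lookalike sender and domain check for supplier email.

Added example, not from the SecureWorks report. A candidate is "known" if it
matches a trusted value exactly, "lookalike" if it is within one edit of a
trusted value once digit-for-letter and separator substitutions are folded,
and "unrelated" otherwise. Lists below are constructed.
"""

KNOWN_SUPPLIERS = {"username@example.com", "ap@abc-company.com"}   # constructed
COMPANY_DOMAINS = {"abc-company.com"}                               # assumption

# Substitutions a lookalike relies on; fold them so the strings compare equal.
# Assumption: extend with whatever your own mail traffic shows.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "_": "-"})


def normalize(text):
    """Lower-case and fold homoglyphs/separators before comparing."""
    return text.strip().lower().translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance counting additions, removals and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # removal
                           cur[j - 1] + 1,         # addition
                           prev[j - 1] + (ca != cb)))  # substitution (duplication is an addition)
        prev = cur
    return prev[-1]


def closest(candidate, trusted, max_edits=1):
    """Return (verdict, closest trusted value); verdict is known, lookalike or unrelated."""
    cand = candidate.strip().lower()
    if cand in trusted:
        return "known", cand
    ncand = normalize(cand)
    best = min(trusted, key=lambda t: levenshtein(ncand, normalize(t)))
    if levenshtein(ncand, normalize(best)) <= max_edits:
        return "lookalike", best
    return "unrelated", best


def check_sender(address, known=KNOWN_SUPPLIERS):
    """Classify a full sender address against known supplier addresses."""
    return closest(address, known)


def check_domain(domain, company_domains=COMPANY_DOMAINS):
    """Classify a sender domain against the company's own domains (the IDS/IPS rule above)."""
    return closest(domain, company_domains)


if __name__ == "__main__":
    for addr in ("username@example.com", "userrname@example.com",
                 "username@examp1e.com", "ap@abc_company.com", "noreply@other.example"):
        print(addr, "->", check_sender(addr))
    print("abc_company.com ->", check_domain("abc_company.com"))
```

Apply the check to both the From and the Reply-To headers, since the case above hinged on a reply address that merely resembled the real one. A “lookalike” verdict is a reason to hold the message for review, not proof of fraud; a “known” verdict says nothing about whether the genuine account has been hijacked, which is why the out-of-band confirmation of payment details in the list above still applies.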
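The last item describes the edit pdfxpose looks for: a white, opaque, sub-page-sized rectangle painted over the original payment details, with the mule account drawn on top. As an added illustration of that technique (this is not the CTU tool and does not parse a complete PDF file), the Python below walks one uncompressed page content stream, remembers every light-filled rectangle smaller than the page, and reports any text placed inside such a rectangle after it was painted. The content stream is constructed; the page size and lightness threshold are assumptions.

```python
"""Heuristic for the white-box-over-invoice edit described above.

Added example, NOT the CTU pdfxpose tool. Operates on a single, already
inflated PDF content stream. Graphics state save/restore (q/Q), coordinate
transforms, hex strings and TJ kerning arrays are not handled.
"""
import re

# Constructed content stream (not a real invoice): the original account line
# is covered with a white box and a replacement account line is drawn on top.
SAMPLE_STREAM = """
BT /F1 10 Tf 72 700 Td (Beneficiary: Example Chemicals Ltd) Tj ET
BT /F1 10 Tf 72 680 Td (Account: 0011223344) Tj ET
BT /F1 10 Tf 72 660 Td (SWIFT: AAAABBCC) Tj ET
1 1 1 rg
70 672 220 14 re f
0 g
BT /F1 10 Tf 72 680 Td (Account: 9988776655) Tj ET
"""

# A literal string "(...)", a lone bracket, or any run of non-delimiter characters.
TOKEN_RE = re.compile(r"\((?:\\.|[^()\\])*\)|[\[\]]|[^\s\[\]()]+")


def _num(tok):
    try:
        return float(tok)
    except ValueError:
        return None


def find_overlaid_text(stream, page_w=612.0, page_h=792.0, min_lightness=0.9):
    """Return [(text, (x, y, w, h)), ...] for text drawn inside an earlier light-filled box.

    page_w/page_h default to US Letter in points and min_lightness to "near white";
    both are assumptions for this example.
    """
    fill = (0.0, 0.0, 0.0)     # current non-stroking colour as RGB; PDF default is black
    operands, pending, covers, findings = [], [], [], []
    tx = ty = 0.0              # current text line origin in page space
    for tok in TOKEN_RE.findall(stream):
        n = _num(tok)
        if n is not None or tok[0] in "(/":       # number, string or name: an operand
            operands.append(n if n is not None else tok)
            continue
        if tok in "[]":                            # array delimiters carry no meaning here
            continue
        nums = [o for o in operands if isinstance(o, float)]
        if tok == "rg" and len(nums) >= 3:
            fill = tuple(nums[-3:])
        elif tok == "g" and nums:
            fill = (nums[-1],) * 3
        elif tok == "k" and len(nums) >= 4:       # CMYK: rough lightness only
            c, m, y, k = nums[-4:]
            fill = tuple(1.0 - min(1.0, v + k) for v in (c, m, y))
        elif tok == "re" and len(nums) >= 4:
            pending.append(tuple(nums[-4:]))
        elif tok in ("f", "F", "f*", "B", "B*", "b", "b*"):   # path is painted
            if min(fill) >= min_lightness:
                covers.extend(r for r in pending if r[2] < page_w and r[3] < page_h)
            pending.clear()
        elif tok in ("n", "S", "s"):               # path ended without a fill
            pending.clear()
        elif tok == "BT":
            tx = ty = 0.0
        elif tok in ("Td", "TD") and len(nums) >= 2:
            tx, ty = tx + nums[-2], ty + nums[-1]
        elif tok == "Tm" and len(nums) >= 6:
            tx, ty = nums[-2], nums[-1]
        elif tok in ("Tj", "'", '"', "TJ"):
            text = "".join(o[1:-1] for o in operands if isinstance(o, str) and o.startswith("("))
            for (x, y, w, h) in covers:            # only boxes painted before this text count
                if x <= tx <= x + w and y <= ty <= y + h:
                    findings.append((text, (x, y, w, h)))
                    break
        operands.clear()
    return findings


if __name__ == "__main__":
    for text, box in find_overlaid_text(SAMPLE_STREAM):
        print(f"text {text!r} drawn over light box at {box}")
```

Order matters in the stream: the original account line is drawn before the box and is therefore not reported, while the replacement line is drawn after it and is. A legitimate invoice generator can also paint white backgrounds, so treat a hit as a prompt to render the page with the box made visible, which is what the report says pdfxpose does, rather than as a verdict.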

 
