You would think that after decades of analyzing and fighting email spam, there’d be a fix by now for the internet’s oldest hustle—the Nigerian Prince scam. There’s generally more awareness that a West African noble demanding $1,000 in order to send you millions is a scam, but the underlying logic of these “pay a little, get a lot” schemes, also known as 419 fraud, still ensnares a ton of people. In fact, groups of fraudsters in Nigeria continue to make millions off of these classic cons. And they haven’t just refined the techniques and expanded their targets—they’ve gained minor celebrity status for doing it.
On Thursday, the security firm Crowdstrike published detailed findings on Nigerian confraternities, cultish gangs that engage in various criminal activities and have steadily evolved email fraud into a reliable cash cow. The groups, like the notorious Black Axe syndicate, have mastered the creation of compelling and credible-looking fraud emails. Crowdstrike notes that the groups aren’t very regimented or technically sophisticated, but flexibility and camaraderie still allow them to develop powerful scams.
“These guys are more like a crew from the mafia back in the day,” says Adam Meyers, Crowdstrike’s vice president of intelligence. “Once you’re in an organization and are initiated, then you have a new name that’s assigned to you. They’ve got their own music, their own language even. And there are pictures on social media where they’re flaunting what they’re doing. The whole idea is why invest hundreds of thousands of dollars to build your own malware when you can just convince someone to do something stupid?”
Young Nigerian scammers have often been called “Yahoo Boys,” because many of their hustles used to target users on Yahoo services. And they’ve embraced this identity. In the rap song “Yahooze”—which has more than 3 million views on YouTube—Nigerian singer Olu Maintain glamorizes the lifestyle of email scammers.
‘They spend months sifting through inboxes. They’re quiet and methodical.’
James Bettke, Secureworks
Advanced Nigerian groups have lately increased the amounts they make off with in each attack by targeting not just individuals but small businesses. The FBI estimates that between October 2013 and December 2016 more than 40,000 “business email compromise” incidents worldwide resulted in $5.3 billion in losses. With so many many third parties, clients, languages, time zones, and web domains involved in daily business, it can be difficult for a company with limited resources to separate out suspicious activity from the expected chaos.
Nigerian scammers will send tailored phishing emails to a company to get someone to click a link and infect their computer with malware. From there, the attackers are in no hurry. They do reconnaissance for days or weeks, using key loggers and other surveillance tools to steal credentials to all sorts of accounts, figure out how a company works, and understand who handles purchasing and other transactions.
Eventually the scammers will settle on a tactic; they may impersonate someone within the company and attempt to initiate a payment, or they might pretend to be a company the victim contracts with and send the target an innocuous-looking invoice to pay. If they’ve gained enough control of a system, attackers will even set up email redirects, receive a legitimate invoice, doctor it to change the banking information to their own, and then allow the email to reach its intended recipient. And the scammers rely on this sort of man-in-the-middle email attack for all sorts of manipulations.
Even though the attackers generally use cheap commodity malware, the groups tend to remain inconspicuous on victim networks, and have shown a willingness to abandon ideas quickly if they’re not working. One technique called “domain tasting” involves registering domains that look legitimate, trying to send phishing emails from them, and then moving on to a new domain if the phishes aren’t working.
“It’s malware and phishing combined with clever social engineering and account takeovers,” says James Bettke, a counter threat unit researcher at Secureworks, which has tracked Nigerian email scammers for years. “They’re not very technically sophisticated, they can’t code, they don’t do a lot of automation, but their strengths are social engineering and creating agile scams. They spend months sifting through inboxes. They’re quiet and methodical.”
In one case, Bettke says, scammers used their position impersonating an employee at a company to brazenly ask their target for the organization’s official letterhead template. In other situations, scammers will make Skype video calls to legitimize transaction requests, and use a still from a video they find of the employee they are impersonating to make it seem like the person is genuinely calling and the video is just lagging behind the audio. After victims wire their money away, the scammers often route it through China and other Asian countries before moving it a few more hops and landing it in Nigeria.
“It’s a simple approach and it works,” Crowdstrike’s Meyers says. “They target organizations’ payroll, accounts payable, they’ll claim to be a vendor. And then they do a phone call or something else to the victim to increase the credibility of the scam.”
The groups often aren’t very careful about covering their tracks They’ll brag on social media under Confraternity pseudonyms about their crimes, trade tips on Facebook groups that can be infiltrated, or purchase flawed malware that ends up exposing their movements. Often, even if they make an effort to delete signs of their intrusion on a network, analysts will still be able to trace malicious traffic back to Nigerian IP addresses, and the scammers generally don’t have proxying protections in place.
Law enforcement groups around the world, including the FBI, Interpol, and Canadian and Italian agencies, have successfully indicted and arrest various kingpin scammers. But extensive jurisdictional issues make it an especially difficult problem for law enforcement. And many victims have little recourse once their money is gone.
“When a small business gets scammed out of $200,000 or $500,00 they’re just done, they’re no longer in business,” says FBI agent Michael Sohn of the Los Angeles Cyber Division. “So we’re working with banks to recover funds when possible, and also with private sector companies and security companies to share intelligence. For victims it’s heartbreaking, it’s just absolutely devastating.”
‘These guys are more like a crew from the mafia back in the day.’
Adam Meyers, Crowdstrike
While Nigerian email scammers take a different tack than hacking groups in Eastern Europe and Russia, researchers say they still pose a genuine threat. “What stands out about this community of criminals is their willingness to learn from each other, and a near myopic focus on social engineering scams,” notes Mark Nunnikhoven, the vice president of cloud research at TrendMicro, which collaborates with Interpol and other law enforcement agencies on tracking Nigerian email scammers. “These two traits have led to a rapid increase in sophistication of the criminal schemes.”
Researchers say that businesses should try to protect themselves with basic steps like updating software and adding two-factor authentication, so even if scammers steal account credentials they can’t wreak instant havoc. Adding administrative controls to limit the types of emails and attachments employees can receive can also screen out some phishes, and adding an indication when messages come from outside the company’s own email domain can help flag malicious emails pretending to be from a colleague on a similar-looking server.
Crowdstrike’s Meyers also suggests that small businesses set requirements that multiple people sign off on large transactions. “It’s like in nuclear missile silos where two people bring the keys,” he says. “It’s possible for one person to get duped but harder for two.” Still, when hackers know everything about who you are and how you work, there’s only so much you can do to stop them.