Nigerian scammers known for grammatically challenged email promising riches in return for a small up-front payment are moving into the business of launching malware attacks against companies.
The criminals have graduated from the so-called "419 scams" to using the same tools criminal groups deploy to steal passwords and other sensitive data from businesses, researchers with security company Palo Alto Networks reported Tuesday.
The easily recognizable 419 scams, one of the most common confidence tricks, target the Web's most gullible in an attempt to collect credit-card details or personal information.
Over the last few years, the Nigeria-based criminals have expanded their skillset to target businesses with remote administration tools (RATs) available on underground forums, Palo Alto reported.
RATs used by the Nigerian groups include NetWire, which provides attackers complete control over an infected system. Criminals in Eastern Europe often use such tools.
The attackers have managed to configure the malware to evade standard security tools, such as anti-virus software. As a result, Palo Alto has spotted the RAT on corporate networks, Rick Howard, chief security officer for the company, said.
"These guys have typically been on the low end of the attack spectrum and didn't normally go against businesses," Howard said. "But this research shows these kinds of attacks are showing up inside the business networks."
Because the scammers are using off-the-shelf software, signature updates to AV software and intrusion prevention systems will catch most of the malware.
However, the criminals are worth monitoring, because they are expected to grow more sophisticated over time.
"That will be the trend, but I don't expect it to happen tomorrow," Howard said. "But then again, many of us did not expect these kinds of hackers to move into this layer of attack capabilities."
The scammers distribute the malware via email as attachments with the names Quatation [sic] For Iran May Order.exe, Samples Photos Oct Order.exe and New Samples Required.exe.
The malware does not exploit any software vulnerabilities, but relies instead on social engineering to trick recipients into installing the malicious applications.
Traffic between the malware and its command-and-control server is sent over a virtual private network service called NVPN.net, which routes traffic through an IP address different from the one provided by the attackers' Internet service provider (ISP).
"This both hides the traffic from their local ISP and allows them to route the TCP port their RAT uses to their system," the Palo Alto paper on the attackers said. "In the case of NetWire, the default port is 3360, but may be changed by the operator."
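A small detector, added here as an illustration and not taken from the Palo Alto report or the article, that runs the two indicators the story gives (the lure attachment names and NetWire's default TCP port 3360) over constructed mail-gateway and egress-firewall log lines; the log formats and the "10." internal address range are assumptions, and the port check is only a weak signal because the operator can change it.

```python
import re

# Indicators quoted in the article: the lure attachment names and NetWire's default C2 port.
KNOWN_LURE_ATTACHMENTS = {
    "quatation for iran may order.exe",
    "samples photos oct order.exe",
    "new samples required.exe",
}
NETWIRE_DEFAULT_PORT = 3360  # default only; operators can change it, so this is a weak signal

# Assumed (hypothetical) line formats for a mail-gateway log and an egress-firewall log.
MAIL_RE = re.compile(r'^mail .*attachment="([^"]+)"')
CONN_RE = re.compile(r"^conn proto=tcp src=(\S+) dst=(\S+) dport=(\d+)")

def inspect_mail(line):
    # Known lure file name -> high; any other .exe attachment -> medium; otherwise nothing.
    m = MAIL_RE.match(line)
    if not m:
        return None
    name = m.group(1).strip().lower()
    if name in KNOWN_LURE_ATTACHMENTS:
        return ("high", f"known lure attachment name: {m.group(1)}")
    if name.endswith(".exe"):
        return ("medium", f"executable attachment: {m.group(1)}")
    return None

def inspect_conn(line, internal_prefix="10."):
    # Only outbound traffic matters: the RAT beacons from the victim host to the C2 server.
    m = CONN_RE.match(line)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    outbound = src.startswith(internal_prefix) and not dst.startswith(internal_prefix)
    if outbound and dport == NETWIRE_DEFAULT_PORT:
        return ("medium", f"outbound TCP/{dport} (NetWire default) {src} -> {dst}")
    return None

def scan(lines):
    # Return (severity, reason, line) for every log line that trips one of the checks.
    hits = ((inspect_mail(l) or inspect_conn(l), l) for l in lines)
    return [(h[0], h[1], l) for h, l in hits if h]

# Constructed sample log lines (not real traffic); 203.0.113.7 is a documentation address.
SAMPLE_LOGS = [
    'mail from=sales@supplier.example to=buyer@corp.example attachment="Quatation For Iran May Order.exe"',
    'mail from=hr@corp.example to=buyer@corp.example attachment="Q3 report.pdf"',
    'mail from=orders@vendor.example to=buyer@corp.example attachment="Invoice 2231.exe"',
    "conn proto=tcp src=10.0.0.15 dst=203.0.113.7 dport=3360",
    "conn proto=tcp src=10.0.0.15 dst=203.0.113.7 dport=443",
]
```

Running `scan(SAMPLE_LOGS)` on the constructed lines yields one high finding (the known lure name) and two medium ones (the generic .exe attachment and the outbound 3360 connection); the PDF and the port-443 connection are not flagged.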
The criminals' objectives appear to be stealing data they can use to further compromise the victim, Palo Alto said. Researchers had not seen any secondary payloads installed or lateral movement between systems on a corporate network.