The phishing emails portray a hacker with limited skills and little understanding of using social media to further his campaigns.
The phishing emails portray a hacker with limited skills and little understanding of using social media to further his campaigns.

A lone Nigerian cybercriminal has been on a crime spree so broad and wide ranging that it puts Bonnie and Clyde's Depression-era interstate crime wave to shame.

The Check Point Research Team's investigation of the unnamed one-man criminal gang discovered that over a four-month span he attacked 4,000 energy, mining, and construction organizations in countries that include Croatia, Abu Dhabi, Egypt, Kuwait and Germany. In each case the Nigerian national used crudely written emails containing little or no social engineering to infect their networks, steal data and commit fraud. Check Point noted that attacks of this scale or often handled by experienced gangs backed by a nation state, but not in this case.

“Following extensive research into the campaign, Check Point's researchers have revealed the identity of the criminal behind it.  He is a Nigerian national, working on his own,” they wrote, adding he uses the 50 Cent saying “Get Rich or Die Tryin'” as his social media motto.

The company has contacted and shared their evidence with Nigerian law enforcement officials.

The attacks themselves are simple using phishing emails that emulate those sent from the Saudi Arabian oil giant Saudi Aramco. He uses these emails to target financial sources inside the victim companies to trick them into divulging banking details or to simply deposit malware when the email is opened.

“The malware used is NetWire, a remote access Trojan which allows full control over infected machines, and Hawkeye, a keylogging program. The campaign has resulted in 14 successful infections, earning the criminal thousands of dollars in the process,” Check Point wrote.

The phishing emails portray a hacker with limited skills and little understanding of using social media to further his campaigns. The Netwire malware is considered old, but can be found online and he obtains his email addresses using a freeware scraping tool.

Instead of doing a bit of research to find specific people to target he usually just uses a simple Sir/Ms. opener and sends the same email to multiple people within the same organization. Each asks the recipients to send back their organization's banking credentials.

 However, these actions have not negatively impacted his success rate. Check Point did not state how much was money was stolen or what type of damage was done.

The fact that he is gaining access to some relatively sophisticated entities proves just how vulnerable many companies are to business email compromise attacks, Check Point said.