Incident Response, Malware, TDR

With RATs at their disposal, 419 scammers target businesses

Nigeria's 419 scammers are working to modernize their schemes, taking up remote access trojans (RATs) to target businesses in Taiwan and South Korea, according to a new report.

On Tuesday, Palo Alto Networks released its “419 Evolution” report (PDF), detailing how fraudsters in the country brazenly (or sloppily) spread malware purchased on hacker forums, and, along the way, expose IP addresses tied to their malicious activities.

By “shining light” on the campaign, dubbed “Silver Spaniel,” attackers may be forced to change their tactics – and work harder to deceive new targets, the report said.

“Specific individuals within this attack group have demonstrated either an extreme lack of understanding of operational security, or simply believe they stand no chance of being caught and prosecuted,” the report continued.

In the operation, Nigerian scammers turned to underground forums to purchase RATs like NetWire, which gives them remote control of Windows, Mac and Linux platforms, or DataScrambler, which can evade most AV solutions and “maintains persistent operation through system restarts” spreading to other users via applications like Facebook and Skype, Palo Alto revealed.

The firm found that, in one attack in early May, attackers tried to infect a Palo Alto client by way of an malicious email attachment – indicating an evolution of long-used 419 scams, which also employ social engineering to dupe users into handing over sensitive data.

419 scams are named after the relevant section of the Nigerian penal code where many of the scams originated, and entail spam luring recipients into claiming large sums of money – only after they divulge private information or pay a fee to initiate the money transfer.

In a Wednesday interview with, Rick Howard, CSO of Palo Alto Networks, said that the main takeaway regarding scammers' malware exploits, was that 419 fraudsters had shifted their aims from at-home users, to higher income accounts of businesses using data-stealing RATs.

"419 scammers are typically pretty low-end and tend to go after the typical consumer, not the businesses,” Howard said. Using its malware detection technology, Palo Alto researchers started “noticing more and more of these attacks [targeting] the business world,” Howard added.

The Palo Alto report includes a list of malicious domains that have been linked with the Silver Spaniel campaign. In addition, the firm advised administrators to block all executable attachments in emails, and analyze zip and rar archive files to thwart infections. Enterprises can also work to prevent attacks by blocking or investigating unknown
transmission control protocol (TCP) traffic leaving their networks to identify its purpose and origin, the report said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.