Long live the Nigerian Prince scheme? While 419 advance-fee scams still exist, some of the cybercriminals behind them have moved on to targeted malware campaigns.

The Nigerian Prince is growing up fast, and becoming quite the royal pain.

According to a research report and accompanying blog post by Palo Alto Networks' Unit 42 threat research team, the Nigerian cybercriminals traditionally known for their 419 advance-fee scams have evolved from silly spray-and-pray email spam campaigns to more refined con games that target large business organizations with malware and fetch princely sums totaling millions of dollars.

“Nigerian actors have demonstrated a clear growth in size, scope, complexity and capability over the past two years and as a direct result, they should now be regarded as a formidable threat to businesses worldwide,” warned the company in its research paper Thursday, referring to the latest cybercriminal activity by the code name SilverTerrier.

Unit 42 researchers analyzed over 8,400 malware samples originating from Nigerian scam emails from July 2014 to June 2016, pinpointing roughly 100 individual actors or groups behind these campaigns. The researchers also found that the frequency of malware attacks jumped wildly in this time, from fewer than 100 attacks in July 2014 to a range of 5,000 to 8,000 per month – peaking in May 2016 with nearly 19,000 incidents.

And yet, Nigerian scammers still seem to be the Rodney Dangerfield of the cybercriminal world – in part, notes Palo Alto, because they have a reputation of using cheap commodity malware tools that are readily available in the underground market. However, this does not reflect a lack of Internet-savvy. Rather, “They have learned how to successfully apply simple malware tools with precision in order to create substantial losses ranging from tens of thousands up to millions of dollars for victim organizations, and they have broadened their scope well beyond targeting unsuspecting individuals,” the blog post reads.

Palo Alto identified five of the scammers' most popular malware tools as Predator Pain, ISR Stealer, Keybase, ISpySoftware and Pony, each of which enables attackers to remotely access or steal credentials from infected machines. Relying on inexpensive commodity tools actually affords the scammers a key advantage: they can instead allocate the bulk of their budget toward the latest, state-of-the-art cryptors that obfuscate the malware in order to evade antivirus solutions, the report explains.

And just because commodity malware is inexpensive doesn't mean it's not effective at what it does. In fact, “If you were to compare that tool to something built by a very sophisticated… nation-state, that tool is probably more sophisticated,” particularly from a development perspective, said Ryan Olson, intelligence director at Palo Alto Networks, in an interview with SC Media.

Tactically, the Nigerian scammers have also shifted from carpet bombing random individuals with spam to coordinating surgical spear-phishing strikes against specific business targets. Instead of relying on bizarre tales of political intrigue and lost fortunes to tempt recipients with improbable get-rich-quick schemes, these scammers now carefully craft emails that offer credible value propositions to their targets. Many of these emails rely on Business Email Compromise and Business Email Spoofing techniques to make the emails appear as if they are originating from a trusted and plausible source, the report continues.

In the samples Palo Alto studied, malware attacks most frequently targeted the high-tech, higher education and manufacturing industries. In addition to using email, the Nigerian scammers also propagate their malware through fraudulent websites that sometimes impersonate the sites of legitimate companies and organizations.

Palo Alto also took a closer look at the individuals and entities behind these campaigns, leveraging threat intelligence and advanced analytics to link threat actors' domain registration details with their Facebook and Google+ social media profiles. In doing so, the researchers found that many of the perpetrators live comfortably, are well educated (often owning technical degrees) and primarily range in age from late teens to mid-40s.

Perhaps of most concern, they are becoming more organized, connecting with each other as well as international criminal groups via social networking in order to conduct business or share information.

By mapping out this Nigerian social network, Unit 42 was able to link Nigerian actors to additional malware tools, including the NanoCore remote access trojan, HawkEye keylogger, Aegis crypter and Orway crypter. Moreover, researchers were able to identify a select few individuals who “appear to serve as the connective tissue between various subsets of Nigerian actors and the tools they use.” These key links could potentially be suppliers of malware tools or perhaps even cybercriminal bosses.

Regardless, the lesson is clear: It appears “A lot of individuals in these networks are essentially learning from each other,” said Olson.