The new research documents the history of Nigerian cybercrime, the tactics being employed, and unique insights into how the threat has matured in size, scope, complexity and technical competence over the past 2 years.
A brief history
In the 1980s the ‘419 scams’ emerged in Nigeria.
This involved sending millions of paper letters to recipients all over the world, and followed the advance-fee type of scam in which recipients were enticed to transfer funds or send their financial information in exchange for generous returns or compensation.
The stories behind these paper letter scams continued to evolve through the 1980s, and with Laws of the Federation of Nigeria being passed under military decree in 1990, they soon became known as “419 scams” based on the section of criminal code that covered fraud.
This scam made the digital transition when, by the mid-1990s, Nigeria began offering internet services.
The availability of email allowed scammers to rapidly tailor their schemes based on current events, interact in near real-time with potential victims, and ultimately led to a significant increase in the magnitude of their distribution, according to the Unit 42 report.
It grew to such an extent that by 2008, the Federal Bureau of Investigation listed Nigeria as third in the world for conducting cybercriminal activity.
Over the years this position has changed but in 2015, in the same Internet Crime Report, the country regained the number 3 spot.
Given its findings, Unit 42 suggests that ‘historical assessments concerning this threat warrant reassessment as these actors have now demonstrated that they pose a formidable threat to businesses and government organisations worldwide.’
Last week Unit 42 released a report, codenamed SilverTerrier, on the extent of cybercrime activity in Nigeria.
Applying advanced analytics to a dataset of 8,400 malware samples resulted in the attribution of over 500 domains supporting malware activity linked to roughly 100 unique actors or groups.
According to a post released by Unit 42, Nigerian actors have moved away from their traditional 419-style email scams:
Malware attacks have grown steadily over the past 2 years from fewer than 100 attacks in July 2014 to their current rate of 5,000–8,000 per month, said the report.
These attacks are largely victim-agnostic, spanning all major industry verticals and focusing more on businesses than individuals.
Having learned how to successfully employ commodity malware tools with precision, these actors have seen lucrative returns ranging from tens of thousands up to millions of dollars from victim organisations in the past year alone.
The report explores all aspects of the current state of cybercrime originating from Nigeria, but it focuses on 3 aspects in particular:
1. Actor Profiles
The Unit 42 team said that attribution of these actors revealed that they are educated. Many have attended secondary schools and hold undergraduate degrees in technical fields.
These actors range in age from late teenage years to their mid-40s, representing a wide range of generations.
This results in a combination of older actors who were successful with traditional 419 scams and social engineering, working with younger actors who bring an understanding of malware to the table.
More importantly, these actors are becoming organised, using social media to communicate, coordinate and share tools and techniques.
2. Financial Losses
What is the cost? The Unit 42 team suggest these actors have had a significant impact on businesses worldwide.
In 2015, an annual report released by the FBI’s Internet Cyber Crime Centre identified 30,855 victims of traditional 419/Overpayment scams resulting in losses in excess of $49 million.
While this number is substantial, on August 1, 2016, Interpol announced the arrest of a Nigerian actor believed to be responsible for worldwide losses in excess of $60 million with over $15.4 million originating from just one victim organisation.
New, evolving techniques are being embraced by Nigerian cyber actors according to the Unit 42 team.
Business email compromise (BEC) and business email spoofing (BES) are 2 such techniques that have recently gained popularity among them.
To support these techniques, domains are designed to impersonate legitimate organisations, “crypters” are used to disguise commodity malware, and other methods are employed to gain access to a victim’s network.
Once inside, said the Unit 42 team, actors use social engineering to dupe victims into authorising electronic bank transfers.
The Nigerian cybercrime environment has evolved drastically since the days of the pre-internet 419 scams. There has been a clear growth of size and scale in attacks and it is important that businesses and individuals are aware of the threat.