Research by: Mark Lechtik
Over the past 4 months, over 4,000 organizations globally have been targeted by cyber attacks which aim to infect their networks, steal data and commit fraud. Many of these companies are leading international names in industries such as oil & gas, manufacturing, banking and construction industries – and some have had their defenses breached by the attacks.
Companies that Check Point researchers confirmed were infected during the campaign include:
- A marine and energy solutions company in Croatia
- A transportation company in Abu Dhabi
- A mining company in Egypt
- A construction company in Dubai
- An oil & gas firm in Kuwait
- A construction organization in Germany
which highlights the breadth and scale of the campaign. So who is behind it? Successful attacks on this scale are usually attributed to expert gangs of cybercriminals – often backed by a nation state, with the aim of destabilizing economies. They couldn’t be the work of a relatively unskilled man in his mid-20s, operating from a location near the capital of Nigeria. Or could they?
Following extensive research into the campaign, Check Point’s researchers have revealed the identity of the criminal behind it. He is a Nigerian national, working on his own. On his social media accounts, he uses the motto: ‘get rich or die trying’.
His attack campaign uses fraudulent emails which appear to originate from oil and gas giant Saudi Aramco, the world’s second largest daily oil producer, targeting financial staff within companies to trick them into revealing company bank details, or open the email’s malware-infected attachment.
The malware used is NetWire, a remote access Trojan which allows full control over infected machines, and Hawkeye, a keylogging program. The campaign has resulted in 14 successful infections, earning the criminal thousands of dollars in the process.
Unsophisticated attacks – but effective
It’s particularly striking that his techniques display a low level of cyber-skills. His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them. The titles of the emails are generic, and phrased as “Dear Sir/Ms.” The same mail is sent to numerous targets, all in blind carbon copy, urging victims to send back banking details, perhaps for future scams. The attacks were launched from the email addresses [email protected], and [email protected].
What’s more, the malware he uses is old, generic and readily available online; and he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns.
The fact that the campaign was still effective, despite using only basic cyber-criminal techniques, highlights just how much of a problem these business email compromise (BEC) attacks have become.
They are big business: the FBI reported a 270% increase in victims since the start of 2016, costing organisations globally over US $3 billion from 2013 to 2016. The Bureau estimates that victims of BEC lose between US $25,000 and US $75,000 on average, per attack. But it also raises other serious questions about the vulnerability of certain organizations.
The bigger risks
In addition to the financial losses resulting from the attack, the malware used by the criminal to infect organizations gives remote control over infected machines, and can perform keylogging functions. This enables harvesting of a variety of information from infected machines, such as details on the companies’ operations, assets and intellectual property. These can have a value far greater than the thousands of dollars obtained by fraud. What happens when the hackers realize the real value of these assets and start to exploit them?
Further, some of the companies that were attacked include energy and infrastructure companies. Why was it so easy for an unsophisticated cybercriminal to attack these companies – companies which may deliver services which could be critical to our everyday lives? It is alarming that the attacker managed to breach the defenses of several large organizations, distribute his malware globally, and stay under the radar for a long while.
This highlights the need for all organizations to improve their security to protect against phishing and business email compromise scams, and to educate their employees to be cautious about opening emails, even from companies or individuals that they recognize.
Since uncovering the campaign and establishing its origins, Check Point’s research team has notified law enforcement authorities in Nigeria and internationally and shared its findings with them.
The Check Point Anti-Spam & Email Security Software Blade protects against falling victim to such scams. It provides highly accurate anti-spam coverage, and defends organizations from a wide variety of virus and malware threats delivered by email. In addition, SandBlast™ Agent with Zero Phishing™ technology protects organizations from new and unknown phishing sites, as well as from threats contained in documents and links contained in emails.