
A fraudster accidentally infected his computer with his own malware.

Thanks to the negligence of the offender, SecureWorks experts uncovered a new fraud scheme




Security researchers at SecureWorks have fully unravelled a business email compromise (BEC) fraud scheme. The scheme is quite simple and, as it turned out, very effective.

The so-called “Nigerian” scammers mass-mailed spam with links to web pages hosting an exploit kit, or attached a Trojan to the message itself. Their goal was to gain control of a computer holding a senior manager's corporate mailbox. This was achieved in several stages: at the first stage it is enough to infect the computer of a lower-level manager or a secretary whose email contacts include a more senior employee, and so on up the chain.

Once the scammers managed to install the Trojan on a senior manager's computer (the “seller” in the diagram), the following scheme went into action.

Illustration: SecureWorks

The essence of the fraud, which SecureWorks calls Wire Wire, is shown in the infographic. The stages once more, for clarity:

  1. Compromise of the seller's mailbox using phishing or malware. As already mentioned, this can be achieved by first compromising more junior staff.

  2. The attacker examines the seller's mailbox looking for high-value deals that are still at a preliminary stage (for example, the buyer has requested a quote).

  3. The attacker sets up a forwarding rule in the seller's mailbox so that future messages from the buyer are diverted to the attacker.

  4. The buyer sends a purchase order to the seller; the document is forwarded to the attacker.

  5. The attacker “clones” the buyer's email address (registering a lookalike domain) and forwards the document to the seller from that address, so that all further communication passes through the attacker (a man-in-the-middle attack).

  6. The seller replies to the “buyer” (the cloned address controlled by the attacker) with an invoice containing payment instructions.

  7. The attacker changes the bank details in the invoice and forwards the modified document to the buyer.

  8. The buyer wires the money to a bank account controlled by the attacker.
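Stages 3 and 5 are the ones a defender can catch on the mail gateway: the attacker either sets a Reply-To pointing at a domain he controls, or writes from a lookalike of the real correspondent's domain. The following script is an added example and not code from SecureWorks or from the report; it checks an incoming message against the domain a deal was started with. The messages, addresses and domains in it are constructed (acme-chem.com is the assumed legitimate buyer, acme-chern.com the assumed clone). Auditing forwarding rules inside the compromised mailbox is a separate check that depends on the mail platform and is not shown here.

```python
"""Flag replies that arrive from a lookalike of a known correspondent's domain.

Added example; not SecureWorks code. All domains and messages are constructed.
"""
import email
from email.utils import parseaddr

# Character sequences attackers swap because they look alike in common fonts.
# Order matters only in that multi-character keys are applied after digits.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain):
    """Fold confusable sequences so 'acme-chern.com' compares equal to 'acme-chem.com'."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; small values catch typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Extract the lowercase domain from a header value like 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def lookalike_verdict(expected, candidate):
    """Return None when candidate is the expected domain (or a subdomain of it),
    otherwise a short reason why it is suspicious."""
    if candidate == expected or candidate.endswith("." + expected):
        return None
    if normalize(candidate) == normalize(expected):
        return "confusable characters"
    if edit_distance(candidate, expected) <= 2:
        return "typo-squat"
    if expected in candidate:
        return "contains expected domain"
    return "unrelated"


def check_message(raw, expected_domain):
    """Return a list of findings for one RFC 822 message in a thread that was
    established with expected_domain. An empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reason = lookalike_verdict(expected_domain, from_dom)
    if reason:
        findings.append(f"From domain {from_dom} is not the expected {expected_domain} ({reason})")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:
        # Attackers often leave From intact and steer replies elsewhere via Reply-To.
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")
    return findings


# Constructed sample messages (not real traffic).
MSG_LEGIT = """From: Orders <orders@acme-chem.com>
To: sales@example-seller.example
Subject: Re: Quote for 40 t sodium hydroxide

Please send the invoice for PO 1234.
"""

MSG_CLONE = """From: Orders <orders@acme-chern.com>
To: sales@example-seller.example
Subject: Re: Quote for 40 t sodium hydroxide

Please resend the invoice, our accounts team did not receive it.
"""

MSG_REPLYTO = """From: Orders <orders@acme-chem.com>
Reply-To: orders@acme-chem.co
To: sales@example-seller.example
Subject: Re: Quote for 40 t sodium hydroxide

Please send the invoice for PO 1234.
"""

if __name__ == "__main__":
    for name, raw in (("legit", MSG_LEGIT), ("clone", MSG_CLONE), ("reply-to", MSG_REPLYTO)):
        print(name, check_message(raw, "acme-chem.com"))
```

The check is deliberately scoped to an existing thread: it needs the domain the deal started with, which is why it belongs at the point where a quote was first exchanged, not as a generic inbound filter. Unknown but unrelated senders are reported as "unrelated" rather than silently accepted, because in a live negotiation a reply from a brand-new domain is itself a warning sign.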

What made a detailed study possible was that one scammer accidentally infected his own computer with the RAT he used in his work (this reportedly happens surprisingly often). Screenshots of his screen and keystroke logs were continuously uploaded to an open directory on a web server, and it was this directory that the investigators found at the start of their investigation. The screenshots and logs became a valuable source of information about the activities of a group of about 30 scammers, for whom this man (called Mr. X) was a key figure. Later, screenshots and logs from the infected PCs of four more scammers were found.

For several months, the experts studied the screenshots and all the keystrokes. During this time they learned many interesting details.

For example, not all scammers in the Wire Wire community were experienced. Some barely understood how malware works or how antivirus software detects it. Mr. X provided technical assistance and the infrastructure that allowed the group to operate efficiently.

The researchers saw ineptly modified invoices, where the font of the fake bank details differed noticeably from the original, and the bank account belonged to an entirely unrelated business located in a different country from the seller's. Nevertheless, the business email compromise attack was quite effective in many cases.

For example, in the largest fraud observed, the specialists watched the attackers compromise the mailbox of an employee of an Indian chemical company. He used the web interface, so only a login and password were needed to access the mailbox. The attackers spotted a business opportunity when the Indian company received a request from an American company, also in the chemical industry, to purchase $400,000 worth of chemicals. Having received the invoice from the seller, the fraudsters modified the IBAN (account number), the bank's name and address and the bank's SWIFT/BIC code, and forwarded the invoice to the buyer. The American company unknowingly transferred $400,000 to the fraudsters.
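Every field the fraudsters changed in that invoice (IBAN, bank name and address, SWIFT/BIC) is a field the buyer's accounts-payable process can compare against the vendor record from the last paid invoice, and the sloppy edits mentioned above (a foreign account, a bank in another country) are exactly what such a comparison surfaces. The script below is an added example and not something from the SecureWorks report; the vendor record, invoice and BIC values are constructed, and the two IBANs are the published checksum examples for DE and GB, used here only because they are valid.

```python
"""Compare payment details on an incoming invoice with the vendor master record.

Added example; not from the SecureWorks report. Vendor, invoice and BICs are
constructed; the IBANs are the standard published mod-97 examples.
"""
import re
from dataclasses import dataclass


@dataclass
class PaymentDetails:
    beneficiary: str
    bank_name: str
    bank_country: str   # ISO 3166 alpha-2 of the bank on record
    iban: str
    bic: str


def _clean(s):
    return re.sub(r"\s+", "", s).upper()


def iban_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the whole number must be 1 mod 97.
    A hand-edited IBAN that was not copied from a real account usually fails this."""
    s = _clean(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def bic_country(bic):
    """Characters 5 and 6 of a BIC are the ISO country code of the bank."""
    return _clean(bic)[4:6]


def compare_payment_details(on_record, on_invoice):
    """Return discrepancies that should block payment until the vendor confirms
    the details out of band (by phone to a number already on file, not to a
    number printed on the invoice)."""
    findings = []
    if not iban_valid(on_invoice.iban):
        findings.append("IBAN fails mod-97 check (possibly a sloppy edit)")
    if _clean(on_invoice.iban) != _clean(on_record.iban):
        findings.append("IBAN differs from vendor master record")
    iban_cc = _clean(on_invoice.iban)[:2]
    if iban_cc != on_record.bank_country.upper():
        findings.append(f"IBAN country {iban_cc} does not match vendor bank country {on_record.bank_country}")
    if bic_country(on_invoice.bic) != iban_cc:
        findings.append(f"BIC country {bic_country(on_invoice.bic)} does not match IBAN country {iban_cc}")
    if _clean(on_invoice.bic) != _clean(on_record.bic):
        findings.append("BIC differs from vendor master record")
    if on_invoice.bank_name.casefold().strip() != on_record.bank_name.casefold().strip():
        findings.append("Bank name differs from vendor master record")
    if on_invoice.beneficiary.casefold().strip() != on_record.beneficiary.casefold().strip():
        findings.append("Beneficiary name differs from vendor master record")
    return findings


# Constructed vendor record: the details the buyer paid to last time.
VENDOR_RECORD = PaymentDetails(
    beneficiary="Beispiel Chemie GmbH",
    bank_name="Example Bank AG",
    bank_country="DE",
    iban="DE89 3704 0044 0532 0130 00",
    bic="EXAMDEFFXXX",
)

# Constructed tampered invoice: beneficiary kept, bank and account swapped.
TAMPERED_INVOICE = PaymentDetails(
    beneficiary="Beispiel Chemie GmbH",
    bank_name="Example Bank plc",
    bank_country="GB",
    iban="GB82 WEST 1234 5698 7654 32",
    bic="WESTGB2LXXX",
)

if __name__ == "__main__":
    for f in compare_payment_details(VENDOR_RECORD, TAMPERED_INVOICE):
        print("BLOCK:", f)
```

The comparison is against what was paid before, not against what the invoice says about itself: a fraudster who copies a real account from his money mule will pass the checksum, so the mod-97 test only catches careless edits, while the "differs from record" and country checks are the ones that stopped nothing in the $400,000 case simply because nobody ran them.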

The researchers say the group had no clear hierarchy. Instead, everyone paid Mr. X for training and services, and also paid him a percentage of their income. Most of the group's members live in the same area of Nigeria and know each other personally.

The authors of the report also note that members of the Wire Wire group differ from typical fraudsters from West Africa. Typical scammers are usually young men under 29 who hang out in internet cafés, behave flamboyantly and post photos of wads of cash and fancy cars on social networks. Brian Krebs once wrote a good profile of these guys, the Yahoo Boys.

In contrast to the flashy Yahoo Boys, members of the Wire Wire group are older men, though still under 40, who prefer to work from home, look respectable on social networks, never show wads of cash or fancy cars, and almost all are devout churchgoers. The study of their social network profiles also showed that they are often family men, respected and with a good reputation. They feel obliged to help their relatives, which often means drawing them into the Wire Wire scheme, because there is no other way to earn a decent income in the country.

A study of the invoices and purchase orders showed that the criminal group's members took in an average of $3 million a year from their activities. The researchers saw fake invoices ranging from $5,000 to $250,000, although the typical loss for a company was between $30,000 and $60,000.

SecureWorks experts presented their findings at the Black Hat security conference. It must be said they were lucky: had the fraudster not infected his own computer with the RAT, finding the criminals would have been very difficult. The buyer would wait a long time for the goods and then usually conclude that the seller had cheated him.

Researchers James Bettke and Joe Stewart informed Nigeria's Economic and Financial Crimes Commission of the results of their work, and their report has already led to at least one investigation.

Bettke and Stewart also published the pdfxpose tool on GitHub, which identifies suspicious modifications in PDF files to help prevent business email compromise attacks.

Source: https://habr.com/ru/post/369561/
