BEC scams evolve from ‘Nigerian Prince’ to sophisticated malware

News by Chandu Gopalakrishnan

Nigeria continues to be a hotspot for this particular threat (BEC scams), with SilverTerrier growing into a sophisticated threat group

BEC attacks caused US$ 1.77 billion (£1.4 billion) of damage in 2019 in the US alone, according to the FBI; the global figure is estimated at roughly three times that. Nigeria continues to be a hotspot for this particular threat, with SilverTerrier growing into a sophisticated threat group, research by Unit 42 of Palo Alto Networks shows.

“Many still think of Nigerian cyber-crime as being easy-to-spot 419/Advance Fee/"Nigerian Prince" schemes. However, the truth is that SilverTerrier actors have evolved at a rapid rate over the past five years. They are now producing a significant volume of malware, are achieving significant financial gains from their BEC attacks, and are arguably the largest/most common threat faced by network administrators across all industry verticals,” Pete Renals, principal researcher for Unit 42 at Palo Alto Networks, told SC Media UK.

BEC attacks rose 172 percent overall, and 1,163 percent against the professional and legal industry, according to the Unit 42 report.

“The high-tech industry received the greatest number of attacks, nearly doubling from 164K in 2018 to 313K in 2019. Close behind with 248K attacks, the professional and legal services industry advanced from being the fifth-most targeted industry in 2018 to the second-most targeted industry in 2019,” said the report. 

Unit 42 attributes this jump to better targeting practices amongst SilverTerrier actors. BEC attacks have evolved over the years in three main ways, explained Renals.

“The most common attack method -- email lure -- was oriented around the topics of invoices, shipping documents, and requests for quotes. However, over the years we have seen the actors tailor their campaigns. The number of lures that incorporate translation, industry specific terms, and current events continues to increase.”

Another notable change in the operation of SilverTerrier actors was ditching the simple commodity information-stealing malware that was widely available across the internet.

“Over the years, these actors gained technical experience and as the effectiveness of information stealers was reduced by the cyber-security industry, they adopted tools to obfuscate their malware, moved to more advanced remote administration tools, and most recently we witnessed at least one actor attempting to develop his own malware.”

“Concurrently, the cyber-security industry has historically characterised Nigerian malware actors as an emerging, rather than an established threat. As the analysis of this threat group turns five years old, we believe it is now pivotal to recognise that in many aspects, SilverTerrier actors have evolved to a point where they are demonstrating signs of maturity consistent with established threat groups in their delivery techniques, malware packaging, and technical abilities,” said the report.

The most noticeable change is ditching the "Nigerian Prince" schemes for targeted BEC activities, noted Renals.

“The former targeted individuals with limited funds while the latter focused on businesses that could be exploited for much greater gain. Adapting to this shift, these actors initially focused their efforts on large, very profitable businesses in order to increase their profits,” he said.

“However, in doing so, those businesses demonstrated on several occasions that they were willing to commit significant resources for internal investigations and more importantly, engage law enforcement to pursue the actors and stolen funds. As a result, over the years we have seen increased targeting of small to medium size businesses.”

The sophistication of phishing in general has grown significantly, Hugo van den Toorn, manager of offensive security at Outpost24, told SC Media UK.

“No longer can the ‘Nigerian princes’ be recognised by their poor quality emails or content. We have seen phishing in perfect English, Swedish and Dutch -- whichever language their target speaks,” van den Toorn said.

“On a technical level, BEC scams have evolved as well. The used infrastructure is no longer a simple burner Gmail or Hotmail address, but rather a complex net of compromised hosts, email accounts and dedicated infrastructure per target. They will buy domains that are similar to their target, with minor spelling mistakes and pinpoint their targets within the organisation.”
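The look-alike domains van den Toorn describes (a registered domain that differs from the target's by a minor spelling change, a swapped digit, or an extra label) are something a mail gateway can check for before a message reaches the person who processes invoices. The script below is an added example, not code from Unit 42, Outpost24 or this article; the defender domain `example-corp.com`, the partner domain `trusted-supplier.com` and every sender address are constructed for the demonstration. It normalises the sender domain, collapses common visual confusables, and flags anything within a small edit distance of a trusted domain, anything that merely embeds a trusted name inside another registrable domain, and any non-ASCII label.

```python
"""Look-alike sender-domain triage for inbound mail.

Added example, not the article's, Unit 42's or Outpost24's code. The defender
domain, the partner allow-list and the sample From headers are all constructed.
"""
import unicodedata

OWN_DOMAIN = "example-corp.com"                          # assumed defender domain
TRUSTED_DOMAINS = {OWN_DOMAIN, "trusted-supplier.com"}   # assumed allow-list

# Digits and letter pairs that are commonly swapped for visually similar characters.
_DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
_PAIR_MAP = (("rn", "m"), ("vv", "w"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Pull the lower-cased, NFKC-normalised domain out of 'Name <user@host>'."""
    addr = header_value.strip().rstrip(">")
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    return unicodedata.normalize("NFKC", domain)


def skeleton(domain: str) -> str:
    """Collapse confusables so 'exarnple-c0rp.com' compares equal to 'example-corp.com'."""
    for pair, repl in _PAIR_MAP:
        domain = domain.replace(pair, repl)
    return domain.translate(_DIGIT_MAP)


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, reason) where verdict is 'trusted', 'lookalike' or 'external'."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", domain
    if any(ord(c) > 127 for c in domain):
        # A non-ASCII label (e.g. a Cyrillic letter) in a domain that is not on the allow-list.
        return "lookalike", f"non-ASCII characters in {domain!r}"
    for t in sorted(trusted):
        if domain.endswith("." + t):
            return "trusted", f"subdomain of {t}"
        if domain.startswith(t + ".") or ("." + t + ".") in domain:
            # example-corp.com.secure-login.net: the trusted name is only a leading label.
            return "lookalike", f"{domain} embeds the trusted name {t} inside another domain"
        sd, st = skeleton(domain), skeleton(t)
        dist = levenshtein(sd, st)
        if dist <= max_distance:
            return "lookalike", f"{domain} is within edit distance {dist} of {t}"
    return "external", domain


# Constructed From headers; none of these addresses is real.
SAMPLE_SENDERS = [
    "Accounts <ap@trusted-supplier.com>",
    "CFO <cfo@exarnple-corp.com>",                         # rn for m
    "Billing <billing@example-c0rp.com>",                  # zero for o
    "Invoices <invoice@example-corp.com.secure-login.net>",  # trusted name as a subdomain label
    "Procurement <buyer@trusted-supplier.co>",             # dropped final letter
    "IT <it@mail.example-corp.com>",                       # genuine subdomain
    "CFO <cfo@ex\u0430mple-corp.com>",                     # Cyrillic a (U+0430)
    "Newsletter <news@some-other-vendor.org>",
]


def triage(senders=SAMPLE_SENDERS):
    """Map each constructed From header to its verdict."""
    return {s: classify_sender(s)[0] for s in senders}


if __name__ == "__main__":
    for sender, (verdict, reason) in ((s, classify_sender(s)) for s in SAMPLE_SENDERS):
        print(f"{verdict:9} {sender:55} {reason}")
```

A `lookalike` verdict is a signal for quarantine or for a warning banner on the message, not proof of fraud: the check is deliberately cheap and will occasionally flag a legitimate but similarly named company, so it belongs in front of the human verification step that both researchers recommend rather than in place of it.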

Not a single organisation is immune to this threat, asserted Renals.

“While our research breaks down the top five targeted industries, our data shows that customers in every industry witnessed attacks in 2019. That said, I would offer two recommendations for industries looking to reduce risk: 

“Ensure employees understand that email by itself should not be considered a trusted mechanism to initiate a wire transfer, regardless of who sends the email (CEO/CFO/etc). Tailor network security controls and training for employees who routinely receive and process files from outside sources (billing / sales / customer service departments),” he said.

Unit 42 researchers observe that C-Suite and IT teams understand the risks posed by BEC schemes, but the average employee remains dismissive or uninformed of the threat. 

They attribute it to two factors: a misplaced confidence that, given how well known Nigerian Prince schemes were, another Nigerian BEC threat would be easily recognisable; and over-reliance on antivirus solutions to protect their systems. Unit 42 data shows that SilverTerrier malware goes undetected by more than 40 percent of legacy antivirus solutions.

“The cyber-security training packages used across most industries focus on basic phishing techniques, but lack any training focused on BEC schemes and what to look for in terms of malicious attachments and wire transfer requests,” said Renals.

Any request made by email should be treated with suspicion, and the more sensitive the request, the greater the suspicion should be, said van den Toorn.

“Always be vigilant and wonder what the sender is trying to coax you into. Transferring money, buying items or sharing information are key indicators that something is wrong. If you did not expect an email: verify with the sender through known communication channels, such as by telephone or face to face,” he told SC Media UK.

“Many organisations are missing the fact that what for them is perceived as a ‘highly targeted phishing attack’ is for these scammers just a newly registered domain, scraped LinkedIn profile and a made-up story.”
