Almost all users know about the Nigerian 419 scams. These started with traditional mail, later moved to fax, and now use e-mail to reach victims. A Nigerian 419 scam is an advance-fee fraud: the fraudster promises the victim a significant share of a large sum of money, but requires a small up-front payment to release it. If the victim pays, the fraudster either invents a series of further fees or simply disappears. There are many variations on this type of scam, including advance-fee fraud, Fifo's Fraud, the Spanish Prisoner scam, the black money scam, and the Detroit-Buffalo scam. The number "419" refers to the article of the Nigerian Criminal Code dealing with fraud.
Until now, however, this scheme was used only for scams and fraud. That is changing into a far more severe crime. Experts at Palo Alto Networks uncovered a new Nigerian 419 scheme that specifically targets businesses in a malicious campaign dubbed Silver Spaniel. This is the first time a Nigerian 419 scheme has been used by cyber criminals to distribute remote access trojans (RATs).
A report published by Palo Alto Networks titled “419 Evolution” revealed that the scammers are targeting businesses in Taiwan and South Korea with malware purchased on hacker forums. The researchers describe the new campaign, called “Silver Spaniel”, as follows:
“Our team is tracking this activity under the code name Silver Spaniel. These attacks have deployed commodity tools that can be purchased for small fees on underground forums and deployed by any individual with a laptop and an e-mail address. Two specific tools were used in multiple attacks that gave the actors the ability to take control of a system without being detected by antivirus programs. Despite the effectiveness of these tools, some of these actors showed remarkably poor operational security that revealed their infrastructure and real world identities.” They further added: “This sample is a variant of the NetWire RAT crypted with a tool named DataScrambler to avoid AV detection.”
The experts said that their research into this scam started in May 2014, after Palo Alto Networks customers detected a malicious phishing campaign that used e-mail attachments named “Quatation For Iran May Order.exe”, “Samples Photos Oct Order.exe” and “New Samples Required.exe”.
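The lure in this campaign is an executable attachment given the name of routine purchasing paperwork (a quotation, an order, product samples). A mail gateway or SOC triage script can flag exactly that pattern before a user ever sees the message. The check below is an added illustration and is not code from the Palo Alto Networks report; the extension lists, the lure-word list and the three extra filenames in the sample batch are assumptions constructed for the example, while the first three filenames are the ones the report quotes.

```python
import re

# Extensions Windows will execute directly when the user double-clicks them.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "wsf", "msi", "jar"}
# Archives and macro-capable documents: not blocked outright, but worth a second look.
REVIEW_EXTENSIONS = {"zip", "rar", "7z", "iso", "docm", "xlsm"}
# Inner extensions a sender uses to make "order.pdf.exe" look like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
# Words that make an attachment look like routine purchasing paperwork. The misspelled
# "quatation" is included deliberately: lure filenames are often misspelled.
LURE_WORDS = {"quotation", "quatation", "order", "invoice", "samples", "photos", "payment", "rfq", "po"}


def analyze_attachment(filename):
    """Classify one attachment filename as 'block', 'review' or 'allow' with reasons."""
    name = filename.strip().lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    stem = ".".join(parts[:-1]) if len(parts) > 1 else name
    words = set(re.findall(r"[a-z]+", stem))
    lure_hits = sorted(words & LURE_WORDS)
    reasons = []

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment (.{ext})")
        if lure_hits:
            reasons.append("business-paperwork lure words: " + ", ".join(lure_hits))
        # "Order_Confirmation.pdf.exe": Explorer hides the final ".exe" by default,
        # so the user sees what looks like a PDF.
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension hides the real type behind .{parts[-2]}")
        verdict = "block"
    elif ext in REVIEW_EXTENSIONS:
        reasons.append(f"container or macro-capable file (.{ext}) needs inspection")
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def triage(filenames):
    """Run the check over a batch and return only the attachments that are not cleared."""
    return [r for r in (analyze_attachment(f) for f in filenames) if r["verdict"] != "allow"]


# Constructed sample batch: the three lure names quoted in the report, plus three
# made-up names (a benign PDF, a double-extension executable and an archive) for contrast.
SAMPLE_ATTACHMENTS = [
    "Quatation For Iran May Order.exe",
    "Samples Photos Oct Order.exe",
    "New Samples Required.exe",
    "Invoice_2014_05.pdf",
    "Order_Confirmation.pdf.exe",
    "catalogue.zip",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_ATTACHMENTS):
        print(f"{result['verdict']:6} {result['filename']}")
        for reason in result["reasons"]:
            print(f"       - {reason}")
```

The verdict is driven by the file type, not by the lure words alone: a PDF named "Order" is allowed, while any executable is blocked and the lure words and double extension are recorded only as supporting evidence for the analyst. That ordering keeps false positives on genuine paperwork low while still catching the campaign's exact lure names.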
The Palo Alto experts noted that the Silver Spaniel actors did not build or author any malware; instead, the operators behind the campaign purchased it on the Tor underground forums where this kind of malware is usually sold.
The experts believe the operators of Silver Spaniel may be ordinary criminals without sophisticated know-how, because they rely entirely on social engineering to trick victims into installing the malware.
“The tactics, techniques and procedures deployed by Silver Spaniel actors indicate their sophistication level is low compared to that of nation-state sponsored actors and advanced cyber criminals. While many actors use commodity RATs like NetWire, running an operation from a PC and not being careful to avoid exposing one’s actual IP address shows a lack of concern for or knowledge of operational security.”
These findings by the experts at Palo Alto are just a precursor of larger things to come. The Nigerian 419 scam is used massively in the cyber world to fool victims, and if every cyber criminal uses a similar trick to deliver a malicious payload, the day is not far off when high-risk trojans and worms are delivered to victims the same way.