As the global digital economy grows exponentially, online ecommerce platforms continue to spring up offering opportunities for micro-entreprenuers from countries such as ours, to create considerable wealth for themselves. Clearly, if we are to make any headway in developing an entrepreneurial culture amongst our nation's younger generarations, it is vital that we end Ghana's days as a global superpower in online fraud - to enable us burnish our global digital reputation as a reliable and harworking people the world can do business with safely and profitably online, in win-win fashion.
Whiles it rolls out its policy initiatives aimed at creating opportunities for unemployed young Ghanaians to bootstrap their own individual successes, the government must also empower the cybersecurity units of the Ghana Police Service and the other security agencies, to enable them thwart attacks on our system and to apprehend the many cyber-criminals ruining our nation's reputation globally, by engaging in egregious online fraud.
The more responsible sections of the Ghanaian media ought to pressurise Ghana's Parliament to pass tough new laws prescribing long mandatory jail sentences - and consfication of the proceeds of online fraud - to deter the social misfits who engage in cybercrime. As an example of how cyber-criminals can ruin a nation's reputation, if they are not dealt with ruthlessly enough by national authorities, we have culled an article from Wired.com, by Lily Hay Newman, entitled: " Nigerian Email Scammers Are More Effective Than Ever".
The article speaks for itself - and ought to be food for thought for our nation's current leaders: the African free trade area must not be allowed to be used by the continent's cyber-criminals as a new opportunity to scam the world from Ghana.
Please read on:
"Wired.com
Author: Lily Hay Newman
security
05.03.18
08:00 am
Nigerian Email Scammers Are More Effective Than Ever
Klaus Vedfelt/Getty Images
Share
You would think that after decades of analyzing and fighting email spam, there'd be a fix by now for the internet's oldest hustle—the Nigerian Prince scam. There's generally more awareness that a West African noble demanding $1,000 in order to send you millions is a scam, but the underlying logic of these “pay a little, get a lot” schemes, also known as 419 fraud, still ensnares a ton of people. In fact, groups of fraudsters in Nigeria continue to make millions off of these classic cons. And they haven't just refined the techniques and expanded their targets—they've gained minor celebrity status for doing it.
On Thursday, the security firm Crowdstrike published detailed findings on Nigerian confraternities, cultish gangs that engage in various criminal activities and have steadily evolved email fraud into a reliable cash cow. The groups, like the notorious Black Axe syndicate, have mastered the creation of compelling and credible-looking fraud emails. Crowdstrike notes that the groups aren’t very regimented or technically sophisticated, but flexibility and camaraderie still allow them to develop powerful scams.
“These guys are more like a crew from the mafia back in the day,” says Adam Meyers, Crowdstrike's vice president of intelligence. “Once you’re in an organization and are initiated, then you have a new name that’s assigned to you. They’ve got their own music, their own language even. And there are pictures on social media where they’re flaunting what they’re doing. The whole idea is why invest hundreds of thousands of dollars to build your own malware when you can just convince someone to do something stupid?”
Yahoo Boys
Young Nigerian scammers have often been called “Yahoo Boys,” because many of their hustles used to target users on Yahoo services. And they've embraced this identity. In the rap song “Yahooze”—which has more than 3 million views on YouTube—Nigerian singer Olu Maintain glamorizes the lifestyle of email scammers.
'They spend months sifting through inboxes. They’re quiet and methodical.'
James Bettke, Secureworks
Advanced Nigerian groups have lately increased the amounts they make off with in each attack by targeting not just individuals but small businesses. The FBI estimates that between October 2013 and December 2016 more than 40,000 "business email compromise" incidents worldwide resulted in $5.3 billion in losses. With so many many third parties, clients, languages, time zones, and web domains involved in daily business, it can be difficult for a company with limited resources to separate out suspicious activity from the expected chaos.
Nigerian scammers will send tailored phishing emails to a company to get someone to click a link and infect their computer with malware. From there, the attackers are in no hurry. They do reconnaissance for days or weeks, using key loggers and other surveillance tools to steal credentials to all sorts of accounts, figure out how a company works, and understand who handles purchasing and other transactions.
Eventually the scammers will settle on a tactic; they may impersonate someone within the company and attempt to initiate a payment, or they might pretend to be a company the victim contracts with and send the target an innocuous-looking invoice to pay. If they’ve gained enough control of a system, attackers will even set up email redirects, receive a legitimate invoice, doctor it to change the banking information to their own, and then allow the email to reach its intended recipient. And the scammers rely on this sort of man-in-the-middle email attack for all sorts of manipulations.
Even though the attackers generally use cheap commodity malware, the groups tend to remain inconspicuous on victim networks, and have shown a willingness to abandon ideas quickly if they’re not working. One technique called “domain tasting” involves registering domains that look legitimate, trying to send phishing emails from them, and then moving on to a new domain if the phishes aren’t working.
“It’s malware and phishing combined with clever social engineering and account takeovers,” says James Bettke, a counter threat unit researcher at Secureworks, which has tracked Nigerian email scammers for years. “They’re not very technically sophisticated, they can’t code, they don’t do a lot of automation, but their strengths are social engineering and creating agile scams. They spend months sifting through inboxes. They’re quiet and methodical.”
In one case, Bettke says, scammers used their position impersonating an employee at a company to brazenly ask their target for the organization’s official letterhead template. In other situations, scammers will make Skype video calls to legitimize transaction requests, and use a still from a video they find of the employee they are impersonating to make it seem like the person is genuinely calling and the video is just lagging behind the audio. After victims wire their money away, the scammers often route it through China and other Asian countries before moving it a few more hops and landing it in Nigeria.
“It’s a simple approach and it works,” Crowdstrike’s Meyers says. “They target organizations’ payroll, accounts payable, they’ll claim to be a vendor. And then they do a phone call or something else to the victim to increase the credibility of the scam.”
Social Engineers
The groups often aren’t very careful about covering their tracks They'll brag on social media under Confraternity pseudonyms about their crimes, trade tips on Facebook groups that can be infiltrated, or purchase flawed malware that ends up exposing their movements. Often, even if they make an effort to delete signs of their intrusion on a network, analysts will still be able to trace malicious traffic back to Nigerian IP addresses, and the scammers generally don’t have proxying protections in place.
Law enforcement groups around the world, including the FBI, Interpol, and Canadian and Italian agencies, have successfully indicted and arrest various kingpin scammers. But extensive jurisdictional issues make it an especially difficult problem for law enforcement. And many victims have little recourse once their money is gone.
“When a small business gets scammed out of $200,000 or $500,00 they’re just done, they’re no longer in business,” says FBI agent Michael Sohn of the Los Angeles Cyber Division. “So we’re working with banks to recover funds when possible, and also with private sector companies and security companies to share intelligence. For victims it’s heartbreaking, it’s just absolutely devastating.”
'These guys are more like a crew from the mafia back in the day.'
Adam Meyers, Crowdstrike
While Nigerian email scammers take a different tack than hacking groups in Eastern Europe and Russia, researchers say they still pose a genuine threat. “What stands out about this community of criminals is their willingness to learn from each other, and a near myopic focus on social engineering scams,” notes Mark Nunnikhoven, the vice president of cloud research at TrendMicro, which collaborates with Interpol and other law enforcement agencies on tracking Nigerian email scammers. “These two traits have led to a rapid increase in sophistication of the criminal schemes.”
Researchers say that businesses should try to protect themselves with basic steps like updating software and adding two-factor authentication, so even if scammers steal account credentials they can't wreak instant havoc. Adding administrative controls to limit the types of emails and attachments employees can receive can also screen out some phishes, and adding an indication when messages come from outside the company's own email domain can help flag malicious emails pretending to be from a colleague on a similar-looking server.
Crowdstrike's Meyers also suggests that small businesses set requirements that multiple people sign off on large transactions. "It's like in nuclear missile silos where two people bring the keys," he says. "It's possible for one person to get duped but harder for two." Still, when hackers know everything about who you are and how you work, there's only so much you can do to stop them.
Phishing Hole
What to avoid getting phished? Follow these three simple rules
For a case study in what an effective phishing email looks like, check out this Netflix scam
And if you're still paranoid, check out the most secure account on the internet
Related Video
Security
Phishing Scams Aren't Just for Gullible Grandparents Anymore
Phishing scams are getting more and more sophisticated, to the point where they’re fooling even security experts. Here's how to avoid them.
#email#phishing#crime
View Comments
Sponsored Stories
Lily Hay Newman
Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare
Louise Matsakis
Why So Many People Make Their Password 'Dragon'
Lily Hay Newman
Security News This Week: A Google Fix Breaks Anti-Censorships Tools
Brian Barrett
DNC Lawsuit Reveals Key Details About Devastating 2016 Hack
Christopher Raleigh Bousquet
Why Police Should Monitor Social Media to Prevent Crime
More security
goofs
Change Your Twitter Password Right Now
Author: Lily Hay NewmanLily Hay Newman
rowhammer
Hack Hijacks Android Phones Via Electric Leaks in Memory
Author: Andy GreenbergAndy Greenberg
data
Cambridge Analytica Shuts Down in Wake of Facebook Crisis
Author: Issie LapowskyIssie Lapowsky
trump
Robert Mueller Likely Knows How This All Ends
Author: Garrett M. GraffGarrett M. Graff
machine learning
AI Can Help Cybersecurity—If It Can Overcome the Hype
Author: Lily Hay NewmanLily Hay Newman
security roundup
The Biggest DDoS For Hire Site Goes Down
Author: Brian BarrettBrian Barrett
Get Our Newsletter
WIRED’s biggest stories delivered to your inbox.
submit
SubscribeAdvertiseSite MapPress CenterFAQAccessibility HelpCustomer CareContact UsSecuredropT-Shirt CollectionNewsletterWired StaffJobsRSS
CNMN Collection
Use of this site constitutes acceptance of our user agreement (effective 3/21/12) and privacy policy (effective 3/21/12). Affiliate link policy. Your California privacy rights. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast."
End of culled content from Wired.com.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment