Check Point outs Nigerian hacker

Security researchers at Check Point claim they have identified a Nigerian national responsible for a large number of successful cyber-attacks. The claim is made in a blog published two days ago, but the blog doesn’t actually name the hacker. They also claim he can be identified by the use of the phrase “get rich or die trying” on social media. However, as the title of a successful song by 50 Cent, it’s a commonly used phrase. We emailed Check Point to ask for his name or Twitter handle and have had no response so far.

Organised cybercrime group or rogue individual?

The report states that over the last 4 months, 4,000 organisations globally have been targeted in cyber-attacks. The companies are spread over a number of industries and several of the attacks have been successful. The breadth and scale of the attacks suggest that this is a sophisticated operation.

This is not the case according to Check Point researchers. Instead they claim the cyber-attacks are relatively unsophisticated. They also say the whole operation is run by a: “relatively unskilled man in his mid-20s, operating from a location near the capital of Nigeria.”

The hacker is sending emails claiming to be from oil producer Saudi Aramco. These emails are apparently crude and unsophisticated. They are not highly crafted phishing emails but the sort of generic spam seen every day. The emails are easy enough for IT departments to block as they currently come from just two addresses. These have been identified as: “sale.cement_till_tw@yahoo(dot)com, and cciticarinternational@yahoo(dot)com.”
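As an added illustration (not code from Check Point or from this article), the following sketch shows how a mail filter could check every sender-bearing header against the two published addresses and also flag a display name that claims Aramco while the mail comes from free webmail. The header list, the free-mail domain set and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Sender addresses as published in the article, still defanged.
DEFANGED_IOCS = [
    "sale.cement_till_tw@yahoo(dot)com",
    "cciticarinternational@yahoo(dot)com",
]
# Assumption: headers a sender can populate; a filter should check all of them.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")
FREEMAIL_DOMAINS = {"yahoo.com"}   # assumption: extend with your own list
CLAIMED_BRAND = "aramco"           # brand the lure claims to come from


def refang(value):
    """Turn a defanged indicator back into a matchable address."""
    return value.replace("(dot)", ".").replace("[.]", ".").strip().lower()


BLOCKLIST = {refang(i) for i in DEFANGED_IOCS}


def check_message(raw):
    """Return (reason, header, address) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    for header in SENDER_HEADERS:
        for name, addr in getaddresses(msg.get_all(header, [])):
            addr = addr.lower()  # addresses are matched case-insensitively
            domain = addr.rpartition("@")[2]
            if addr in BLOCKLIST:
                findings.append(("blocklisted-sender", header, addr))
            # Display name claims the brand, but the mail comes from free webmail.
            if CLAIMED_BRAND in name.lower() and domain in FREEMAIL_DOMAINS:
                findings.append(("brand-on-freemail", header, addr))
    return findings


# Constructed sample messages (not real captured mail).
SAMPLE_BAD = (
    "From: Saudi Aramco Procurement <Sale.Cement_Till_TW@yahoo.com>\n"
    "Reply-To: cciticarinternational@yahoo.com\n"
    "Subject: Request for quotation\n\nPlease confirm your bank details.\n"
)
SAMPLE_OK = "From: Alice <alice@example.org>\nSubject: Lunch\n\nNoon?\n"

if __name__ == "__main__":
    for label, raw in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, check_message(raw))
```

The second rule keeps working if the sender switches to a different free-mail address, which an exact-match blocklist does not.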

What do the attacks do?

There are two parts to the attack that Check Point has identified. The first is a request for banking details. The second is a link in the email which, if clicked, downloads two pieces of malware. Check Point identifies these as: “NetWire, a remote access Trojan which allows full control over infected machines, and HawkEye, a keylogging program.”

The researchers say that they have identified at least 14 separate successful attacks. While avoiding putting a figure on that success, they say it has earned: “the criminal thousands of dollars in the process.”

These attacks can be classified as basic business email compromise (BEC) attacks. This is a group of attacks that security vendor Proofpoint claims are on the rise. Check Point points to an FBI report showing the scale of the attacks. Such attacks have already claimed the jobs of a number of CEOs around the world.

Check Point warning that BEC is not the only threat

While the BEC threat is real and earning money for this attacker, Check Point is warning that it could be just the icing on the cake. The two pieces of malware that are dropped onto infected machines can give the attacker control over the machines. They also enable the attacker to harvest security credentials for different systems.

The attacker can send emails from inside the enterprise targeting other employees or customers. As they are internal emails they are more likely to be opened by staff. This increases the chance of malware getting installed and higher level security credentials being stolen. There is also a risk of intellectual property and data being stolen. Both of these can be sold online for significant sums.

What does this mean?

As the researchers point out, these are not attacks against SMB companies. Instead they are against large enterprises that should have better security. They should also have better staff training to watch for this type of email. The fact that staff are sending banking details or clicking on attachments from unverified contacts is worrying.

There is also concern that the two pieces of malware, NetWire and HawkEye, are not being detected. Both are old enough that they should be identified by anti-malware software on endpoint devices. They should also be detected by security software on the email servers. The success of these attacks implies that there is a significant security failure inside the IT departments of the victim companies.

This also shows that an attacker doesn’t have to be a nation state, state sponsored actor or master cybercriminal. If users and companies cannot do the basics right then they are at risk.

