Unit 42, part of Palo Alto Networks, has been tracking the rise of Business Email Compromise (BEC) attacks from Nigeria for several years. It has monitored the evolution of the old-fashioned 419 scam into a sophisticated cyber attack. Two years ago it identified a group known as SilverTerrier that was using malware to improve the effectiveness of its attacks.
Its latest report is titled SilverTerrier: The Rise of Nigerian Business Email Compromise (no registration required). It is now able to attribute more than 30,000 samples of malware to 300 unique actors as part of this expanded group. It is seeing them launch an average of 17,600 attacks per month, a 45% increase on two years ago.
SilverTerrier is organised and increasingly professional
This is not just a group of random attackers. The report states: “Despite continued increases in both attacks and malware production, we found the number of active threat actors during a given month has begun to stabilize, suggesting improvements in terms of efficiency.
“Additionally, we have observed that these actors continue to demonstrate increased organization. The social connections between these actors have become more robust and complex through leveraging social media platforms to promote their networking efforts.”
This analysis is important. BEC attacks often start with a spear phishing campaign backed by robust intelligence gathered by the attackers. The sharing of data between attackers increases the chances of success. Meanwhile, defenders inside organisations are isolated. They do not share data and often rely on users to spot attacks.
BEC attacks continue to rise
What should send alarm bells ringing inside IT security teams is the increase in these attacks. Both the monthly average (17,600) and the surge peaks (41,000) show a growth of over 45% on two years ago. Unit 42 acknowledges that these numbers only come from attacks it has observed against its own customer base.
It is easy to dismiss this as simplistic email attacks. That is a mistake. Unit 42 analysts say: “Their capacity to launch and manage the attacks has increased. Sending malicious e-mails does not require a significant amount of resources, but monetizing these infections requires time and attention from the actors.”
The bottom line is that the better they get at monetising the attacks, the more attacks they will launch. The last two years have already seen several CEOs lose their jobs for falling foul of BEC attacks.
Malware and tools being used
One of the big highlights of this report is the number of tools that are in use. Two years ago, Unit 42 identified five commodity malware families being used. That has now expanded to 16 and includes information stealers and remote administration tools (RATs). The list of tools is as follows:
- Information stealers: Predator Pain, Pony, KeyBase, ISpySoftware, ISR Stealer, Agent Tesla, LokiBot, Zeus and Atmos
- RATs: NetWire, DarkComet, NanoCore, LuminosityLink, Remcos and Imminent Monitor
The attackers cycle through the tools to reduce the risk of detection. This allows them to maintain attack rates without creating a major response to their attacks.
Any alert seen by IT security teams for one of these malware families should result in more than just cleaning the affected machine. By tracing the attack back and identifying the emails associated with it, IT security teams can begin to understand how the attackers operate. It also provides data to help educate users by showing them what to look for in an attack.
This approach is rarely followed in many organisations. They rely on the security software to detect and clean the infection. This means that a lot of threat intelligence data is lost. It also leads to missed opportunities to harden security through targeted education.
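The correlation step described above, as an added example that is not part of the original article or of Unit 42's own tooling: it takes endpoint alerts naming one of the malware families the report lists, finds the emails with attachments delivered to the affected user shortly before the alert fired, and turns those into de-identified lure descriptions for user education. The alert and mail-log records, field names, hostnames and addresses are all constructed for illustration; the 24-hour look-back window is an assumption, not a figure from the report.

```python
"""Correlate endpoint malware-family alerts with mail-gateway logs.

Added example: the data formats and the 24h window are assumptions made
for this illustration, not something the report specifies.
"""
from datetime import datetime, timedelta

# Families named in the Unit 42 SilverTerrier report, mapped to the
# category the report assigns them.
TRACKED_FAMILIES = {
    # Information stealers
    "Predator Pain": "stealer", "Pony": "stealer", "KeyBase": "stealer",
    "ISpySoftware": "stealer", "ISR Stealer": "stealer", "Agent Tesla": "stealer",
    "LokiBot": "stealer", "Zeus": "stealer", "Atmos": "stealer",
    # Remote administration tools
    "NetWire": "rat", "DarkComet": "rat", "NanoCore": "rat",
    "LuminosityLink": "rat", "Remcos": "rat", "Imminent Monitor": "rat",
}

# Constructed sample endpoint alerts (not real data).
ALERTS = [
    {"ts": "2018-06-04T09:15:00", "host": "FIN-LT-07", "user": "a.finance@example.com", "family": "Agent Tesla"},
    {"ts": "2018-06-04T11:02:00", "host": "OPS-WS-12", "user": "b.ops@example.com", "family": "NetWire"},
    {"ts": "2018-06-05T08:40:00", "host": "HR-WS-03", "user": "c.hr@example.com", "family": "Unrelated PUP"},
]

# Constructed sample mail-gateway log (not real data).
MAIL_LOG = [
    {"ts": "2018-06-03T16:48:00", "recipient": "a.finance@example.com",
     "sender": "invoices@supplier-portal.example.net", "subject": "Overdue invoice INV-20981", "attachment": "INV-20981.doc"},
    {"ts": "2018-06-04T08:57:00", "recipient": "a.finance@example.com",
     "sender": "newsletter@example.org", "subject": "Weekly update", "attachment": None},
    {"ts": "2018-06-04T10:30:00", "recipient": "b.ops@example.com",
     "sender": "shipping@freight-notice.example.net", "subject": "Shipment documents", "attachment": "BL_scan.exe"},
    {"ts": "2018-06-01T09:00:00", "recipient": "b.ops@example.com",
     "sender": "archive@example.net", "subject": "Old report", "attachment": "report.pdf"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def correlate(alerts, mail_log, window_hours=24):
    """For every alert on a tracked family, return the mails with an attachment
    delivered to the affected user inside the look-back window before the alert."""
    findings = []
    for alert in alerts:
        category = TRACKED_FAMILIES.get(alert["family"])
        if category is None:
            continue  # not one of the families the report attributes to SilverTerrier
        t_alert = parse_ts(alert["ts"])
        t_start = t_alert - timedelta(hours=window_hours)
        candidates = [
            m for m in mail_log
            if m["recipient"] == alert["user"]
            and m["attachment"]
            and t_start <= parse_ts(m["ts"]) <= t_alert
        ]
        findings.append({
            "host": alert["host"],
            "user": alert["user"],
            "family": alert["family"],
            "category": category,
            "candidate_mails": sorted(candidates, key=lambda m: m["ts"]),
        })
    return findings


def awareness_summary(findings):
    """Reduce findings to lure descriptions (sender domain, subject, attachment
    type) that can be shown to users without exposing who was infected."""
    summary = []
    for f in findings:
        for m in f["candidate_mails"]:
            summary.append({
                "sender_domain": m["sender"].split("@", 1)[1],
                "subject": m["subject"],
                "attachment_type": m["attachment"].rsplit(".", 1)[-1].lower(),
                "observed_family": f["family"],
                "risk": "credential theft" if f["category"] == "stealer" else "remote control of the host",
            })
    return summary


if __name__ == "__main__":
    for item in awareness_summary(correlate(ALERTS, MAIL_LOG)):
        print(item)
```

The point of keeping `correlate` and `awareness_summary` separate is that the first feeds the investigation (which hosts, which senders, which attachments to pull from quarantine) while the second feeds the education programme the article recommends, without leaking the names of the users who opened the lure.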
SilverTerrier are brazen and almost eschew anonymity
One of the surprise sections of this report looks at who SilverTerrier is. The report states: “…these actors take little to no care to remain anonymous. The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google®, Facebook®, MySpace®, Instagram®, and various dating and blogging sites.”
The report does nothing to help Facebook, which is reeling from a string of bad publicity. It names the WIREWIRE.COM group on Facebook as being used by SilverTerrier. This is not a hidden or secret group but a public one. Unit 42 claims that members use it to exchange contact information and solicit help for their attacks. The downside of a public group is that it also acts as a resource for cyber security analysts. It has allowed them to identify relationships between different members. It will be interesting to see if Facebook responds to this report by shutting this group down.
Of interest is the demographic data. Most security teams see this type of attack as coming from groups of teenagers. This report shows that for SilverTerrier, this is not the case. “Specifically, the accounts reveal that SilverTerrier actors are mostly mature adults, not children or teenagers. They range in age from their 20s to 40s with few exceptions, and the vast majority are estimated to be in their 30s.
“Many of the actors are married with children and have held a variety of legitimate jobs throughout their careers. Further, these actors are also allegedly educated, with more than 55 percent of attributed actors listing colleges and universities on their profiles and one actor claiming to be a lecturer at a local university.”
What does this mean?
There will be concerns that Nigeria is continuing to fail in its international responsibility to deal with this crime. 419 is named after the Nigerian legal code that makes it a crime. The country has also come under sustained pressure to introduce and enforce laws to stop it being a nexus of cyber crime. However, the report states: “Despite the passage of laws prohibiting fraud, scams and other illicit activity, the culture in Nigeria remains permissive of cybercrime, and widespread enforcement of the laws has yet to be observed.”
The growth of BEC emails is also a major concern. Attacks are targeted at those capable of releasing large sums of money inside organisations. Anyone falling prey to this type of attack is unlikely to recover the money through their bank. They may be able to get it back through cyber insurance but that will depend on the details of the policy.
It shows that cyber criminals are increasingly organised. They have better social networks and data exchanges than those they target. Even among cyber security vendors, data sharing is not a given. There are numerous groups that do share data but only with partners. Commercial organisations are often left out of the threat intelligence sharing and miss out on information such as that contained in this report.
Organisations that want to lower the risk of falling prey to a BEC attack need to upgrade their cyber security tools. They should also use the alerts those tools generate to improve education across their user base.