FireEye has discovered an active online payment-diversion campaign which targets small and medium businesses in non-English-speaking countries, including India.
The intent of the scam is to divert payments from ongoing, legitimate business transactions conducted by the victim to accounts the scammers control.
A loosely organised, Nigeria-based group is behind the operation, which is a modern twist on 419 scams.
According to the security firm, 45 percent of the group’s observed victims are from India, while many others are from Indonesia and Vietnam.
In a single transaction that FireEye observed, the scammer was slated to collect over $1 million.
Scammers often target those who don’t speak English as a first language. FireEye saw that the scammers used Google to search for email listings from which they could extract email addresses. To expand their victim pool further, scammers sometimes send infected documents to their victims’ contacts.
“Cyber attacks are creating big challenges for large organisations in India. Unfortunately, smaller firms aren’t immune from these attacks. As firms move online to do business, they become exposed to a wide array of attackers,” said Ramsunder Papineni, regional director for India at FireEye. “This report shows cyber security isn’t only a technology problem; organisations are also up against people who will act on intelligence to achieve their objectives.”
In one instance, scammers used Alibaba to find potential victims. The service allows scammers to filter suppliers by country, which lets them target only countries where they have bank accounts. By masquerading as a potential customer when emailing a business, scammers are able to increase the chances that their email attachment is opened.
Unlike more sophisticated cyber criminal groups, these scammers rely on third-party providers for documentation, tutorials and malicious software to create their exploits. These tools allow the group to gain access to the victim’s computer, to download and install malware, and to track their operations from a simple, easy-to-use management console.
The scammers monitor activity on infected computers for information about purchase transactions. Once the scammers identify an interesting victim, they log into the victim’s accounts using the stolen credentials and study the different transactions in which the victims are involved. Next, they look for legitimate transactions to hijack, such as emails related to payment details, refunds or new purchase orders.
The scammers execute the hijacking process using a spoofing attack in which they buy domains and create email accounts that look very similar to both the buyer’s and the seller’s. They then copy the ongoing thread using the newly created email accounts and continue the respective conversations.
Once the scammers have insight into both sides of the conversation, they provide the buyer with “updated” bank details for a bank account the scammer controls. When the payment has been completed, the scammers contact their accomplice – a ‘money mule’ in whose name the scammer’s bank account has been opened – to alert them of the new transaction.
To avoid being a victim of these scams, FireEye recommends the following:
-- Use two-factor authentication for any sensitive accounts, including email accounts. If cybercriminals somehow obtain your password, they still would need access to your one-time tokens.
-- Never open an attachment from an unknown source.
-- Pay close attention during business transactions and be skeptical of sudden changes such as updated bank account information.
-- Contact the other party directly (such as via phone) to validate transaction details.
-- Pay attention to email addresses and not just names displayed on the email, as scammers can establish email accounts that look very similar to legitimate ones.
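The last recommendation, checking the address rather than the display name, can be partly automated against the look-alike domains described above. The following Python sketch is an added example and not part of FireEye's report; the allow-list of counterparty domains, the confusable-character map and the distance threshold are assumptions, and the domains shown are constructed.

```python
from email.utils import parseaddr

# Constructed allow-list: counterparty domains already verified out of band.
KNOWN_DOMAINS = {"acme-exports.example", "globalbuyer.example"}

# Characters often swapped in look-alike domains (assumed, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "5": "s"})


def skeleton(domain):
    """Collapse visually confusable spellings to one canonical form."""
    return domain.lower().translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, known=KNOWN_DOMAINS, max_distance=2):
    """Return (verdict, sender_domain, imitated_domain_or_None).

    verdict is 'known', 'lookalike' or 'unknown'. The display name is
    ignored on purpose: only the address inside the header is trusted.
    """
    _display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in known:
        return ("known", domain, None)
    for good in sorted(known):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", domain, good)
    return ("unknown", domain, None)


if __name__ == "__main__":
    # Constructed From headers: same display name, different domains.
    for header in ('"Acme Accounts" <accounts@acme-exports.example>',
                   '"Acme Accounts" <accounts@acrne-exports.example>',
                   '"Acme Accounts" <accounts@unrelated-shop.example>'):
        print(classify_sender(header))
```

A 'lookalike' verdict on a message that changes bank details is the case to verify by phone before paying.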
Updated Date: Sep 07, 2015 16:26:15 IST