Social engineering is emerging as one of the most prolific and effective methods that cybercriminals use to deceive victims, and now it’s being leveraged by scammers, traditionally reliant on basic spamming emails, who are evolving to more sophisticated methods.
In Trend Micro’s latest report, “Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide”, HawkEye, a simple keylogger that costs around USD35 and shares ties to Predator Pain and Limitless (keyloggers used in campaigns that also targeted SMBs in 2014), was used by two Nigerian hackers to infiltrate SMBs around the globe through holiday-themed social engineering techniques—with notable success. Most of the companies targeted by HawkEye are from developing countries such as India, Egypt, and Iran, owing to their abundance of SMBs. Hong Kong accounts for 5% of the victims, suggesting it remains an attractive target: the cybercriminals behind the Limitless and Predator Pain attacks had previously netted up to USD75 million in the first half of 2014.
In the case of the operations run independently by the two Nigerian cybercriminals, dubbed “Uche” and “Okiki”, the attack consisted of the following actions:
1. They employed HawkEye to steal email and website credentials, as well as to log keystrokes.
2. These particular hackers were patient and built a level of rapport with their victims through a series of emails prior to delivering the malware-infested attachment.
3. The attachment was also disguised by cryptors so the victim remained unaware of the attack on their system.
4. They covered their tracks by using exfiltration via SMTP, as well as multiple email accounts, in 90 percent of the campaigns.
This sophisticated methodology is a departure for Nigerian scammers, who usually use simpler attack vectors such as generic spamming, and it may also signal a new breed of hackers from the Asia Pacific region.
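The fourth action above, exfiltration over SMTP from multiple email accounts, is the part of this tradecraft a defender can most readily detect on the network. The following is an added example, not code from Trend Micro or the report: it runs over a few constructed log lines (a hypothetical "timestamp src_host dst_host dst_port smtp_from" format) and flags endpoints that speak SMTP to anything other than the organisation's approved relay, or that send from more than one distinct account. The relay name, hosts, addresses and thresholds are all assumptions for the sake of illustration.

```python
"""
Added example (not from the Trend Micro report): flag hosts whose outbound
SMTP traffic bypasses the corporate relay or uses several sender accounts,
a pattern consistent with keylogger exfiltration over SMTP.
"""
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format:
# timestamp src_host dst_host dst_port smtp_from
SAMPLE_LOG = """\
2015-06-01T09:12:01 ws-finance-07 mail.example.internal 25 alice@example.com
2015-06-01T09:15:44 ws-finance-07 mail.example.internal 25 alice@example.com
2015-06-01T10:02:13 ws-hr-03 198.51.100.20 587 drop1@mailprovider.test
2015-06-01T10:07:55 ws-hr-03 198.51.100.20 587 drop2@mailprovider.test
2015-06-01T10:11:19 ws-hr-03 203.0.113.9 465 drop3@mailprovider.test
2015-06-01T11:30:00 ws-sales-12 198.51.100.20 587 bob@example.com
"""

# Assumption: the organisation's only approved outbound mail relay.
INTERNAL_RELAYS = {"mail.example.internal"}
SMTP_PORTS = {25, 465, 587}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort
        ts, src, dst, port, sender = m.groups()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "port": int(port), "sender": sender})
    return events


def find_suspicious_hosts(events, max_senders=1):
    """Return {host: [reasons]} for hosts that talk SMTP to a non-approved
    server, or that send from more than max_senders distinct accounts."""
    direct = defaultdict(set)   # host -> SMTP destinations that are not our relay
    senders = defaultdict(set)  # host -> distinct sender accounts seen
    for e in events:
        if e["port"] not in SMTP_PORTS:
            continue
        senders[e["src"]].add(e["sender"])
        if e["dst"] not in INTERNAL_RELAYS:
            direct[e["src"]].add(e["dst"])

    findings = {}
    for host in set(direct) | set(senders):
        reasons = []
        if direct.get(host):
            reasons.append("direct SMTP to %s" % ", ".join(sorted(direct[host])))
        if len(senders.get(host, ())) > max_senders:
            reasons.append("%d distinct sender accounts" % len(senders[host]))
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(find_suspicious_hosts(parse_log(SAMPLE_LOG)).items()):
        print(host, "->", "; ".join(reasons))
```

On the constructed input, ws-finance-07 is clean (it only uses the relay with one account), ws-sales-12 is flagged for direct SMTP alone, and ws-hr-03 is flagged on both counts. In a real environment the relay set and sender threshold would come from the organisation's mail policy, and the same two signals can be expressed as a firewall rule (block outbound 25/465/587 except from the relay) plus a mail-gateway alert on hosts rotating sender addresses.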
It doesn’t take advanced malware to disrupt a business operation; even a simple keylogger is enough. The series of malware attacks launched by the duo dispels the notion that only very large enterprises are vulnerable to cybercrime. SMBs are also at risk, and smaller regional offices may be exploited as a means to reach the global office.
More details about this operation and the perpetrators behind it can be found in the report and the respective blog posts here and here.