Three prolific Nigerian hackers have been arrested in Nigeria for carrying out extensive Business Email Compromise scams, phishing campaigns, and malware attacks to compromise government and private sector companies in more than 150 countries since 2017.
The Nigerian hackers were arrested following a joint investigation by Interpol’s Cybercrime Directorate, Group-IB’s APAC Cyber Investigations Team, and the Nigerian Police Force into the use of extensive Business Email Compromise scams and phishing campaigns by organised cyber crime groups to target over 50,000 victims worldwide.
According to Interpol, the criminals set up a large number of phishing links and domains and shared them with targeted organisations via mass mailing campaigns, impersonating representatives of organisations. Via these emails, the criminals also disseminated 26 malware programmes, spyware, and remote access tools such as AgentTesla, Loki, Azorult, and Spartan, as well as Remote Access Trojans such as Remcos and Nanocore.
Once the recipients clicked on the phishing links or visited malicious domains set up by the cyber criminals, the latter used remote access tools, spyware, and remote access trojans to infiltrate and monitor the systems of victim organisations and individuals before launching scams and siphoning funds. Since 2017, the cyber criminals compromised at least 500,000 government and private sector companies in more than 150 countries.
According to security firm Group-IB, which supported the investigation dubbed Operation Falcon, the arrested Nigerian hackers are members of a large and organised cyber crime group called TMT, a number of whose prominent members are still at large.
The hackers used Gammadyne Mailer and Turbo-Mailer to send out phishing emails, used MailChimp to track if a recipient opened a message, sent out emails in English, Russian, Spanish, and other languages depending on target lists, and used earlier compromised email accounts to push a new round of phishing attempts.
To avoid detection and tracking by traditional security tools, members of the TMT cyber gang used public crypters, communicated with deployed malware via the SMTP, FTP, and HTTP protocols, and made extensive use of publicly available spyware and Remote Access Trojans (RATs), such as AgentTesla, Loky, AzoRult, Pony, NetWire, etc.
“The goal of their attacks is to steal authentication data from browsers, email, and FTP clients. Over the course of their operations, the gang managed to infect organisations around the world, including in the US, the UK, Singapore, Japan, and even back home in Nigeria.
“While the monetisation methods of this gang are still being investigated, it’s not uncommon for cybercriminals to sell account access as well as sensitive data extracted from emails to the highest bidder in the underground markets,” the firm said.
“This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation,” said Craig Jones, Interpol’s Cybercrime Director.