In the early 2000s, Africa gained notoriety due to the 419 “Nigerian” scam. In this scam, victims were asked to make advance payments in exchange for a promised reward for helping so-called high-ranking Nigerian officials and their families. While not all of these scams necessarily originated in Africa, the use of Nigerian officials was imprinted upon the public consciousness, forever associating the scam with the continent.
Web Defacement as a Popular Form of Protest
The 419 scam isn’t the only cybercrime activity in the region. Web defacement is a major cybercrime activity among hackers in North Africa, with several groups from Morocco, Algeria, Tunisia, and Egypt leading the region. These groups aim to deface sites based in the United States, Europe, and pretty much any country with poor security. Their messages are often related to current events or some cause. These North African groups also use defacement as a form of competition. It’s not rare to see one group deface another country’s sites when a political event occurs.
In 2013, we discussed website defacement, which occurred during April Fools’ Day. A group of Algerian hackers, known as “Algeria to the core,” defaced websites including German and Australian ones. Web defacement is an old hacking technique that consists of breaking into websites with weak security and replacing the content with customized messages.
Hackers have used defacement as a form of protest or to send a message for a particular cause. Defacement has also been used as an act of cyber warfare among hacker groups from different countries.
Attacks in a Larger Scale: Botnets, RATs, and Targeted Attack Techniques
Cybercriminals in the region are moving from web defacement to more lucrative forms of cybercrime that involve the use of botnets, remote access Trojans (RATs), and banking/finance-related malware.
In November 2013, we found that several Ice IX servers were tied to a group of individuals located in Nigeria. Ice IX is a banking Trojan used alongside the better-known ZeuS/ZBOT malware. This malware is used to steal online banking credentials, email addresses, and information related to social media accounts. Earlier this year, an arrest involving the SpyEye banking malware showed that one of the key players was an Algerian cybercriminal who went by the alias bx1. Bx1 was also known for a history of defacing websites.
Figure 1: Web defacement by Algerian cybercriminal “bx1”
Apart from banking/finance-related malware, cybercriminals have begun operating botnets using RATs, as in the case of the Blackshades RAT. Sold as a toolkit, Blackshades can steal passwords, log keystrokes, launch denial-of-service (DoS) attacks, and download and run malware on affected systems. Multiple Blackshades infections may then be combined into a botnet used for distributed denial-of-service (DDoS) attacks, while the stolen information and documents are sold.
We are also seeing a shift toward the use of targeted attack techniques for malware campaigns. One methodology is the use of malicious email attachments and exploits for known vulnerabilities, such as CVE-2012-0158, to deliver malware like ZeuS/ZBOT. They are also using RATs, like the aforementioned Blackshades, in targeted attack-like campaigns.
Africa isn’t the only region experiencing this type of cybercriminal expansion. We are seeing the same indicators in India, which may mean that more and more people are turning to cybercrime as a lucrative business. The adoption of such methodologies could be traced back to the societies these cybercriminals live in, where some of them are highly educated but have no employment prospects. With a lot of time on their hands, they can easily pick up the skills for cybercrime and earn money. Moreover, the shortage of laws related to cybercrime—and the lack of enforcement of existing laws—in these countries makes it difficult to catch and apprehend these criminals.
These developments show that cybercriminals will always adapt to new trends and situations, whether through the use of new malware or targeted attack techniques, to continue their attacks. However, only time will tell if these cybercriminals will shift yet again—this time, to being major players in targeted attack groups.