
Cybercriminal Sharpshooters: Nigerian Scammers Use HawkEye to Attack Small Businesses

  • Posted on:June 16, 2015 at 8:54 am
  • Posted in:Malware, Targeted Attacks
  • Author:
    Ryan Flores (Threat Research Manager)

It doesn’t take an advanced malware to disrupt a business operation. In fact, even a simple backdoor is enough to do it.

Earlier this year the Trend Micro Forward-Looking Threat Research Team closely monitored the operations of two Nigerian cybercriminals — identified through aliases Uche and Okiki — who attacked small businesses from developing countries to steal information and intercept transactions with their targets’ partners. All this was done through HawkEye, a simple backdoor that costs around $35.

While the malware used is simple, the cybercriminal operation itself is not. The operations run by Uche and Okiki, the cybercriminals we investigated, differ from the one-man operations we normally see, where stolen information is simply sold off to others. Uche and Okiki used the information they captured to look for more opportunities to steal from their victims.

Taking their Time

Unlike in typical operations, where cybercriminals prefer the “smash and grab” technique — sending out spam emails with a malware attachment and banking on the chance that the victim runs it — Uche and Okiki took their sweet time engaging with their victims. Specifically targeting company mailboxes meant to receive inquiries from external parties, the cybercriminals sent their targets emails that carried no malicious attachment or agenda, and actively communicated with them.


Figure 1. Sample of actual email sent out by Okiki to his targets

Once they had gained their targets’ trust, they used the context of their communication to send HawkEye, ensuring infection and system compromise.

Bigger Payout

Instead of aiming to steal information like online banking or social networking credentials, Uche’s and Okiki’s schemes had a different target: the company webmail account. This difference in strategy created more opportunities for these cybercriminals, as access to the target’s company email gave them visibility into correspondence between the target and their partners and customers, their transactions, and all other information.

With access to their victims’ transactions, Uche and Okiki launched more schemes, which ranged from targeting the victims’ affiliates and moving laterally to their targets’ bigger offices, to conducting “change of supplier” fraud.

The “change of supplier” fraud scheme is the one we think brought bigger payouts for Uche and Okiki, since it involves intercepting the payment details communicated between a supplier and their customers. The cybercriminals send an email to the customer from the victim’s (in this case, the supplier’s) account, falsely informing them that the bank account to which payments should be sent has changed. The account provided is not one owned by the supplier, but by the cybercriminal himself. “Change of supplier” schemes run using Predator Pain and Limitless in the past netted attackers up to US$75 million.
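Because a “change of supplier” email comes from the genuine (compromised) supplier mailbox, there is no forged sender to catch; what a mail gateway or accounts-payable workflow can do is recognise the request itself and hold it for out-of-band confirmation. The following is an added example, not code from Trend Micro or from the HawkEye analysis: a small Python scorer run over two constructed sample messages. The domain names, phrase lists, weights and hold threshold are assumptions chosen for illustration.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages for this example; they are not taken from the
# Trend Micro report, and the addresses and IBAN are placeholders.
SAMPLES = {
    "legit_invoice": (
        "From: Accounts <accounts@supplier-example.com>\n"
        "To: ap@customer-example.com\n"
        "Subject: Invoice 4471\n"
        "\n"
        "Please find attached invoice 4471, payable to our usual account.\n"
    ),
    "bec_change": (
        "From: Accounts <accounts@supplier-example.com>\n"
        "Reply-To: accounts.supplier@webmail-example.net\n"
        "To: ap@customer-example.com\n"
        "Subject: URGENT: updated bank details for invoice 4471\n"
        "\n"
        "Please note our bank account has changed. Kindly remit payment for\n"
        "invoice 4471 to the new account below:\n"
        "IBAN GB29NWBK60161331926819\n"
    ),
}

# Indicator lists and weights are illustrative assumptions, not a vendor ruleset.
PAYMENT_CHANGE = [
    r"bank (account|details?) (has|have) changed",
    r"new (bank )?(account|details)",
    r"updated? bank details",
    r"change of (bank|account)",
]
ACCOUNT_IDENTIFIERS = [r"\biban\b", r"\bswift\b", r"\brouting number\b",
                       r"\baccount (number|no\.?)\b"]
PRESSURE = [r"\burgent\b", r"\bimmediately\b", r"\bkindly\b",
            r"\bas soon as possible\b"]


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rpartition("@")[2].lower()


def score_message(raw: str) -> dict:
    """Score one RFC 822 message; return score, reasons and a hold/deliver decision."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    # A Reply-To on a different domain than From steers the customer's answer
    # away from the supplier's real mailbox, so the supplier never sees it.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from "
                       f"From domain {_domain(from_addr)}")

    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}".lower()

    hits = [p for p in PAYMENT_CHANGE if re.search(p, text)]
    if hits:
        score += 3
        reasons.append(f"payment-change language: {hits}")
    if any(re.search(p, text) for p in ACCOUNT_IDENTIFIERS):
        score += 1
        reasons.append("message carries bank account identifiers")
    if any(re.search(p, text) for p in PRESSURE):
        score += 1
        reasons.append("pressure/urgency wording")

    # Threshold is set so that any payment-change phrasing alone is enough to
    # hold the mail for confirmation via a phone number already on file.
    action = "hold" if score >= 3 else "deliver"
    return {"score": score, "reasons": reasons, "action": action}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = score_message(raw)
        print(name, result["action"], result["score"], *result["reasons"], sep="\n  ")
```

The Reply-To check matters because the attacker often cannot keep reading the compromised mailbox indefinitely; the phrase and identifier checks catch the request even when the reply path is untouched. The decisive control remains procedural: a held message is released only after someone confirms the new account details by calling the supplier on a number that was already on file before the email arrived.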

Big Threat to Small Businesses

Our findings on these operations show how clever cybercriminals can get in using the tools and information they have to steal as much as they can from their targets. This level of focus from cybercriminals, combined with the challenges small businesses face in building a solid security strategy for their network, makes for a scenario that is strongly in favor of the bad guys.

Our full documentation of Uche’s and Okiki’s operations and technical analysis of HawkEye are all in our research paper, Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide.

Tags: backdoor, cybercrime, hawkeye, limitless, predator pain
