back to article 'Nigerian scammer' busted after he infected himself with malware

The ancient-in-internet-years “Nigerian email” scam remains popular and profitable for its operators ... when they don't shoot themselves in the foot. Some scam operators infected themselves with their own malware, and SecureWorks has been discussing the outcome of that: the massive own goal meant researchers like Joe Stewart …

  1. Hans 1


    If you can re-route k's or m's of $ to your offshore bank account, really ultra cool, however, as usual, greed will be your downfall ...

  2. Pascal Monett Silver badge

    The dangers of convenience

    Once again the lack of proper procedures are the linchpin through which scum can ply their trade. Taking account details from an email means that you do not have a proper client db with the reliable data already inserted.

    Which in turn means that your payment transfer system is probably a mess (no check on account number for an existing supplier ?) and errors like this will slip through unnoticed until you get an invoice unpaid letter and start wondering why - which is never the right reason to check your accounting procedures, but better late than never.

    This is the kind of pain that will prompt more attention to detail. It is unfortunately a costly lesson, but there is a portion of the population that only learn by costly lessons (backups, anyone ?).

    1. Anonymous Coward
      Anonymous Coward

      Re: The dangers of convenience

      I know a financial controller who had this happen to, it does require a degree of uncertainty within the business to work BUT i can say that this level exists everywhere.

      If they can see your emails, they can see when people are away on holiday, they can access and change the name tags on email addresses (in the example i found they managed to access the email server) so that '' (note the double 'r') still shows as 'Your supplier' in emails

      So, they've waited for the moment when someone is away, prevented payment (by intercepting emails and not sending on) to a vital supplier and allowed a 'Pay or no shipment of your urgent goods' to get from the supplier to the company.. next step is 'BTW we have changed banks, please pay here.

      Yep, combination of pressure and hitting the weak point meant 280k (not actual value but close) went out to a bank account not of the suppliers.

      THANKFULLY Interpol saved the day (yep, i know, bloody amazing) and contacted the bank and had funds frozen, the bank didn't let the cash fly as they were a bit wary of cash coming in to the system going out so fast (crims had actually contacted the target company for further documentation to prove that they should be able to withdraw, AFTER they realised what had happened, by pretending to be police!!!)

      please note that if the company had lost this cash, at that time, it would have essentially stunted the company for years to come, as it was for high-season items (ordered JIT), and a large chunk of cash for the company..

      Oh, and the spyware was on the bosses laptop, that's how they managed to connect and harvest all the data.

  3. Doctor Syntax Silver badge

    They monitored the operation for several months. According to another report they did attempt to contact at least some of the victims to warn them (and were themselves suspected of being scammers) but essentially the let the scam run rather than blowing the whistle PDQ. So why are they not being treated as accessories?

    1. Swarthy Silver badge

      Re: why are they not being treated as accessories?

      Full analysis takes time, and you also need many "runs" so that you can trace the paths.

      If they had blown the whistle PDQ, they could have gotten a fraction of the people running the scam, by letting it run for 2-3 months (and presumably logging the transactions, frauds, and scams) they nabbed the whole "company" and have records that could cause the victims to claim restitution.

      Also, if watching, investigating, and gather evidence counted as accessory, then every LEO ever would also be guilty.

      1. Doctor Syntax Silver badge

        Re: why are they not being treated as accessories?

        'they nabbed the whole "company" and have records that could cause the victims to claim restitution.'

        Claiming is one thing, getting is another. I doubt any company who has lost money during the monitoring period would have consider the eventual outcome to have been worth the cost of their losses.

        There's always a trade-off between gathering information and allowing harm to continue. It will always seem easier to err on the former side when it's someone else's harm; allowance should be made for that.

  4. Schlimnitz


    My wife got a snail-mail Nigerian-style scam letter the other day.

    I binned it but now wonder if I should have framed it.

    1. DropBear

      Re: Amazingly

      I get at least one of those a week (oh and lieutenant Ferrara is still alive and well), but I only see them if I hit up the spam folder on my gmail looking for a lost _real_ receipt or something - Google invariably intercepts them as they come...

      EDIT: derp, just noticed the _SNAIL_ part - oops! That's indeed something... :)

      1. Blacklight

        Re: Amazingly

        I've got one of these (and scanned it for posterity) if El Reg would like to run an expose on it...

        It ticked all the boxes:

        1) Shiny company name

        2) Shiny company address (Geneva) - which, if Streetviewed, is a cinema and hairdressers....(presumably a unit above it)

        3) Webmail email address

        4) "Phone" number that points to a REGUS FAX number

        5) Offer of lots of good investments

  5. Kubla Cant

    The headline started an interesting train of thought about the more traditional Nigerian-style email scammers.

    Do these scammers have rock-solid malware protection? I've seen sites devoted to stories of stringing these guys along, and sometimes even getting money out of them. It would be so much better to disable the systems they work on by replying to them with infected attachments.

    1. MrZoolook

      I think it would be better to gouge out their eyes, or something else that will make it hard for them to actually continue doing this shit.

  6. Smitty

    Easyily fixed

    The company I work for is pretty strict about email security.

    All email to/from new domains is quarantined until someone from the admin teams Okays it. A new domain for what seems like an existing contact would set off alarm bells.

    We deal with investment data so our clients are very picky about security,

  7. SimonC

    > They were able to monitor the ringleader of this particular operation for “several months”.

    > Bettke explained that “we saw who he contacted, his instant messages, the tools he was using, his victims, the amounts of money transferred – how the whole thing worked.”

    How is that not illegal? Even if it were the police they'd not have permission to access someone's computer and get their personal information anymore than they can walk into someone's house without a warrant and rummage around just because the door was unlocked.

    1. Doctor Syntax Silver badge

      "How is that not illegal?"

      The burglar is in a poor position to complain about being burgled, especially when his own tools were used.

    2. RPF

      In the public interest, surely?

  8. Sergiu Panaite


    Not quite a definitive solution, but just enable strict SPF / DKIM and mark all external mail by amending its subject, or something like that.

    No technology (except completely disconnecting someone / something) can be foolproof, so this still requires the end users to have a tiny little itty bitty smidge of sense and not do things blindly without being a little careful...

    1. Vic

      Re: Simples!

      Not quite a definitive solution, but just enable strict SPF / DKIM and mark all external mail by amending its subject, or something like that.

      That requires the domain owner not to be a dork; many of them fail badly at that hurdle.

      I went through a phase a while back where I was seeing loads of domains with "+all" at the end of their SPF records. I cannot see a single instance where that can be anything but harmful, so my SPF milter now treats "+all" as if it were "-all". That helps...


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like