From: The Boys from Lagos,
Somewhere entirely different to where they claim,

Dear Sir,

I am writting to you in respect of your recent attempt to settle the modalities concerning your quatation for Iran May Order (see attachment).

As you will know doubt see, there has been a problem with the Randam Access Tables (RAT) in the document.

please verify the integrity of the details, including full name and notional insureance number and reply immediately so that we may continue your Order and release the payment of 20 million dollars US (twenty million united states dollars) to the account of your choice with the utmost speediness.

Awaits your reply.

The Reverend Netwire,
DataScrambler,
Nigeria.

Advance fee fraud via email – we’ve all seen it many hundreds of times before and, with a few exceptions, we’ve all deleted those messages post haste.

Unfortunately, however, a few people around the world do actually fall victim to this kind of scam, sending large sums of money oversees, not knowing that they will never get it back.

Even so, in a world where people are becoming more aware and better educated towards this type of trick , the perpetrators persist, though a new report shows that the tactics may be changing a bit.

The report, from Palo Alto Networks, shows that Nigerian cybercriminals have started to employ remote access tools (RATs) in order to gain access to victims’ devices:

“The paper shows that these individuals’ tactics have evolved as they’ve begun using Remote Administration Tools (RAT) and other malware tools as part of their attacks. While these actors are not nearly as sophisticated as the top cyber crime and espionage groups in the world, we believe they represent an emerging threat to businesses.”

The RAT in this case – Netwire – is typically hidden in an email attachment which the sender will try to get the victim to open via a call to action in the accompanying email. A second piece of malware – DataScrambler – is also be included in order to aid avoid detection by security software.

The Santa Clara-based security firm is not sure how the attackers pick their victims but did note that the targets were all businesses operating in South Korea and Taiwan. Palo Alto Networks was able to confirm that the attacks originated from Nigeria though, as not all of the orchestrators had proven sufficiently adept at hiding their true IP addresses:

“Specific individuals within this attack group have demonstrated either an extreme lack of understanding of operational security, or simply believe they stand no chance of being caught and prosecuted. It is likely that shining light on this activity will cause these actors to change their tactics and begin tightening their security procedures.”

The company highlighted how the attackers were unable, or unwilling, to use software vulnerabilities to get their payloads onto  target computers, relying instead upon social engineering, a common threat posed to all businesses which can be countered through the adoption of a good security awareness program.

The report concludes that the motives for such an attack surround the snaffling of passwords and other data which can then be used to fuel further attacks. “Thus far,” the report says, “we have not observed any secondary payloads installed or any lateral movement between systems, but cannot rule out this activity.”