That Nigerian Prince Has Evolved His Game

By and

Category: Malware, Reports, Unit 42

Tags: , , ,

This post is also available in: 日本語 (Japanese)

Today Unit 42 published its latest paper focused on Nigerian cybercrime. Applying advanced analytics to a dataset of 8,400 malware samples resulted in the attribution of over 500 domains supporting malware activity linked to roughly 100 unique actors or groups. The breadth and depth of this research has enabled a modern, comprehensive assessment focused on the collective threat rather than individual actors.

As a whole we have observed that Nigerian actors have graduated from their traditional 419-style email scams. Malware attacks have grown steadily over the past two years from fewer than 100 attacks in July 2014 to their current rate of 5,000–8,000 per month. These attacks are largely victim-agnostic, spanning all major industry verticals and focusing more on businesses than individuals. Having learned how to successfully employ commodity malware tools with precision, these actors have seen lucrative returns ranging from tens of thousands up to millions of dollars from victim organizations in the past year alone. Given our findings, we believe that historical assessments concerning this threat warrant reassessment as these actors have now demonstrated that they pose a formidable threat to businesses and government organizations worldwide.

The paper we released today details the history of Nigerian cybercrime, the tactics being employed, and unique insights into how the threat has matured in size, scope, complexity and technical competence over the past two years. Additionally, it provides a detailed look at the following:

Actor Profiles

Attribution of these actors revealed that, first and foremost, they are educated. Many have attended secondary schools and hold undergraduate degrees in technical fields. These actors range in age from late teenage years to their mid-40s, representing a wide range of generations. This results in a combination of older actors who were successful with traditional 419 scams and social engineering, working with younger actors who bring an understanding of malware to the table. More importantly, these actors are becoming organized, using social media to communicate, coordinate and share tools and techniques.

Financial Losses

The losses inflicted by these actors have significant impacts to businesses worldwide. In 2015, an annual report released by the FBI’s Internet Cyber Crime Center identified 30,855 victims of traditional 419/Overpayment scams resulting in losses in excess of $49 million. While that number is substantial, on August 1, 2016, Interpol announced the arrest of a Nigerian actor believed to be responsible for worldwide losses in excess of $60 million with over $15.4 million originating from just one victim organization.


Business Email Compromise (BEC) and Business Email Spoofing (BES) are two techniques that have recently gained popularity among these actors. To support these techniques, domains designed to impersonate legitimate organizations, “crypters” used to disguise commodity malware, and other methods are employed to gain a foothold within a victim network. Once inside, social engineering is used to fool victims into authorizing electronic bank transfers.

Download your copy of “SilverTerrier: The Next Evolution in Nigerian Cybercrime” to learn more about this threat.