Unconventional Fraud

Luis Corrons, Technical Director of PandaLabs

The current malware environment is sophisticated and widespread. Long gone are the days
when traditional attacks occurred by just clicking on a malicious link. Internet fraud and
cybercriminal activity have become much more insidious and often go undetected, but they have
evolved around the same intent of stealing money and personal information.

One major fraud campaign has been evolving over the course of decades and really
demonstrates how far cybercriminal activity has progressed.

Operation Oil Tanker

Typically when we think of the oil industry, the Middle East immediately comes to mind, but
there are many countries that are major oil producers. There is a region in Nigeria called Bonny,
well-known for its production of highly-valued Bonny Light Oil. It has very low sulfur content,
which translates into low corrosion in refineries, resulting in high demand worldwide.

Whenever there is a high demand for a product and a lot of money in an industry, there is a high
probability for fraud. There is an old scam in the oil industry of Nigeria that typically involves
promising the victim a significant share of oil, and requiring a small up-front payment to obtain it.
The fraudster offers false certificates for proof of product and if a victim makes the payment, the
fraudster disappears. The article of the Nigerian Criminal Code that refers to this type of fraud is
number 419. Although this con had been used with traditional mail in the oil industry, it has been
given new life by the advancement of the Internet.

First Sighting

In January 2014, a new threat was detected in the network of a leading shipping company in the
UK. Malware experts started studying the threat, and saw it was prepared to steal emails and
browsers’ saved credentials, and planned to send them to an external FTP site. The experts
gained access to that FTP and looked for stolen credentials in case their computers were not
properly protected. They discovered that the FTP did house approximately 80,000 text files with
stolen credentials, 90MB of user names and passwords. Due to the large amount of information,
it wasn’t immediately identified as a targeted attack, but the experts determined that some of the
data had been stolen more than six months prior. Upon further investigation, experts found that
this fraudulent activity originated from the oil industry, linking it back to this history of oil fraud
and confirming it was a targeted attack.

The Process

As mentioned earlier, the scammers need certificates in order to scam the oil buyer. They can
make up those documents, but by doing so, they risk being discovered. However, if they get access
to real companies and create certificates with actual information, the buyer trusts the seller to
complete the business transaction.


Cyber Warnings E-Magazine – November 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide