West African Threat Actors

Published by:
John
Published on:
January 27, 2017

Last year saw a plethora of sophisticated cyber attacks including the infiltration of Oracle’s MICROS point of sale customer portal, the string of multi-million dollar thefts that leveraged the SWIFT banking network, and the US election hacks.

Meanwhile in West Africa, cyber criminals continue their ongoing operations. The difference is that these actors are not concerned with investing large amounts of resources in to developing complex malware, persistence techniques, or exploit code. Their focus is money. The vector is social engineering. The target is rich westerners.

In Ghana, Sakawa is the practice of conducting internet-based fraud, empowered by spiritual beliefs or black magic. Those that practice it are known as Sakawa boys. One of their specialities is romance fraud, where they build a relationship with their victim over time before convincing them to transfer money to the Sakawa operator’s alter ego.

Sakawa’s popularity amongst West African cybercriminals has increased for a number of reasons. Ghana has one of the highest internet penetration rates in Africa, whilst having a faltering economy and high amounts of youth unemployment. Ghana is also home to some of the largest electronic waste centres in the world, providing fraudsters with a constant flow of sensitive data that foreign companies negligently fail to wipe.

How great a threat does this pose, you may ask? Well, it’s important to note that many of these so-called Sakawa boys will begin to seek greater profits over time, often upskilling by working with more seasoned cybercriminals to increase their earning potential. Companies that currently believe they are invulnerable to this type of threat actor may soon find themselves in the Sakawa crosshairs, and possibly react too late.

For those that are sceptical of the above, I refer you to the 2016 arrest of “Mike”, the alleged ringleader of a Nigerian organised crime group (OCG) which scammed companies around the world into handing over $60 million. Interpol investigations revealed that the group compromised email accounts of small and medium-sized businesses around the world, in countries including the United States, Australia and South Africa.   In one instance, Mike and his team conned a corporate victim into paying out $15.4m.

Ghana and Nigeria: a comparison

Ghana and Nigeria have numerous cultural and historical similarities. Many of the schemes of the Sakawa boys were conducted by Nigerian fraudsters in the 90s and 00s. The Nigerian OCGs of that era were known as “Yahoo-Yahoo boys”.  Nigerian singer Olu Maintain even released the 2007 hit song ‘Yahoozee’ about the lifestyle of these groups.

The main difference between Nigerian and Ghanaian OCGs is that the Nigerian OCGs are further ahead on the criminal pathway. Nigerian OCGs have started to incorporate malware in their operations – often in business email compromise (BEC) scams.

BEC scams

In a BEC scam, the attacker positions themselves between a buyer and seller within a chain of business emails, and then redirects payment to accounts that they control by altering invoices and other payment instructions.  The attacker gains access to email account credentials by sending their victims phishing emails that contain malware with information stealing capabilities.

Once the account is compromised, email settings can be configured to redirect correspondence from the trade partner to the attacker’s email. The attacker also registers domains and creates email addresses that look similar to those used in the email chain.  The attacker is then able to masquerade as the seller to the buyer, and vice versa.

Nigerian OCGs, however, are equally happy to make money without the use of BEC or malware.  In CEO fraud for example, Nigerian OCGs will spoof a high-ranking officer’s email address, to deceive an employee in to sending a wire transfer to a criminal account. Skilled in social engineering, Nigerian OCGs use a range of ploys to achieve their end goal.

When Nigerian OCGs do use malware, it tends to be popular commodity tools such as the HawkEye keylogger and DarkComet remote access tool. Such tools can easily be purchased on underground forums and require minimal supporting infrastructure. In many cases this reflects the low technical competence of these actors, but in others, such tools are chosen intentionally to support easy scalability among a distributed criminal network.

Greater awareness is needed of West African OCGs. They operate differently to other cybercriminals, and their methods are still not fully understood within the security community. West African OCGs have grown significantly in size, scope and capability over recent years. With losses to victim organisations moving into millions of dollars, these actors now pose a credible threat to businesses worldwide.

Hacktivists

So far, I have focussed on the criminal elements. But what about the hacktivists?  Well, Anonymous have an African branch, with African born members. Nigeria also has a number of hacktivist groups including Naija Hackers and the Nigerian Cyber Army.  However, the focus for these groups tends to be on political and social issues within the region, hence attacks have been committed against their governments and some Nigerian banks.

But how long will it be before these groups turn their attention to Western companies?  If terms like DDOS, Doxxing and hacktivism were commonplace in Nigeria during the height of the Niger Delta conflict for instance, consider how that would have translated into risk for multinational oil companies operating in the region.

Find out more about our cyber intelligence services: