BUSTED: How spy service exposed thousands of Nigerian email scammers

A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored.

The login page for the BestRecovery online keylog service.

The login page for the BestRecovery online keylog service.

At issue is a service named “BestRecovery” (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy (see screenshot at right).

But that was before I shared a link to the site with a grey hat hacker friend, who replied in short order with the entire username and password database of more than 3,000 paying customers.

Initially, I assumed my source had unearthed the data via an SQL injection attack or some other  database weakness. As it happens, the entire list of users is recoverable from the site using little more than a Web browser.

The first thing I noticed upon viewing the user list was that a majority of this service’s customers had signed up with yahoo.com emails, and appeared to have African-sounding usernames or email addresses. Also, running a simple online search for some of the user emails ([email protected], for example) turned up complaints related to a variety of lottery, dating, reshipping and confidence scams.

The site was so poorly locked down that it also exposed the keylog records that customers kept on the service. Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.

The seriously ghetto options page for BestRecovery web-based keylogger service.

The seriously ghetto options page for BestRecovery web-based keylogger service.

Also known as “advance fee” and “Nigerian letter” scams, 419 schemes have been around for many years and are surprisingly effective at duping people. The schemes themselves violate Section 419 of the Nigerian criminal code, hence the name. Nigerian romance scammers often will troll online dating sites using stolen photos and posing as attractive U.S. or U.K. residents working in Nigeria or Ghana, asking for money to further their studies, care for sick relatives, or some such sob story.

More traditionally, these miscreants pretend to be an employee at a Nigerian bank or government institution and claim to need your help in spiriting away millions of dollars. Those who fall for the ruses are strung along and milked for increasingly large money transfers, supposedly to help cover taxes, bribes and legal fees. As the FBI notes, once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances. “While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually,” the FBI warns. “Some victims have been lured to Nigeria, where they have been imprisoned against their will along with losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.”

Oddly enough, a large percentage of the keylog data stored at BestRecovery indicates that many of those keylog victims are in fact Nigerian 419 scammers themselves. One explanation is that this is the result of scammer-on-scammer attacks. According to a study of 419ers published in the Dec. 2011 edition of Cyberpsychology, Behavior, and Social Networking(available from the Library of Congress here or via this site for a fee), much of the 419 activity takes place in cybercafes, where “bulk tickets are sold for sending spam emails and some systems are dedicated to fraudsters for hacking and spamming.”

The keylog records available for the entries marked "Yahoo Boys" show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

The keylog records available for the entries marked “Yahoo Boys” show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

Perhaps some enterprising Nigerian spammers simply infected a bunch of these cybercafe machines to save themselves some work. It is also possible that vigilante groups which target 419 scammers — such as Artists Against 419 and 419eater.com – were involved, although it’s difficult to believe those guys would bother with such a rudimentary service.

BestRecovery gives customers instructions on how to use a provided tool to create a custom Windows-based keylogger and then disguise it as a legitimate screensaver application. New victims are indexed by date, time, Internet address, country, and PC name. Each keylogger instance lets the user specify a short identifier in the “note” field (failing to manually enter an identifier in the note field appears to result in that field being populated by the version number of the keylogger used). Interestingly, many of the victim PCs have a curious notation: “Yahoo Boys”.

Keylog data apparently collected from a Yahoo Boy.

Keylog data [partially redacted] that was apparently collected from a Yahoo Boy.

Black Hat or Black Magic?

As noted in the above-mentioned academic paper (“Understanding Cybercrime Perpetrators and the Strategies They Employ in Nigeria”), the term “Yahoo Boys” is the nickname given to categories of young men in Nigeria who specialize in various types of cybercrime.  According to that paper, in which researchers spent time with and interviewed at least 40 active Yahoo Boys, most of the cybercrime perpetrators in Nigeria are between the age of 22 and 29, and are undergraduates who have distinct lifestyles from other youths.

“Their strategies include collaboration with security agents and bank officials, local and international networking, and the use of voodoo [emphasis added]. It was clear that most were involved in online dating and buying and selling with fake identities. The Yahoo boys usually brag, sag, do things loudly, drive flashy cars, and change cars frequently. They turn their music loud and wear expensive and latest clothes and jewelry. They also have a special way of dressing and relate, they spend lavishly, love material things, and go to clubs. They are prominent at night parties picking prostitutes at night. They also move in groups of two, three, and four when going to eateries. They speak different coded languages and use coded words such as “Mugun,” “Maga,” and “Maga don pay,” which all means “the fool (i.e., their victim) has paid.”

I had never heard that Nigerian 419 scammers relied on voodoo to increase their email mojo, and I must admit the next part of the study freaked me out a little bit.  According to the researchers, the use of voodoo and charms for spiritual protection and to charm potential victims is very common among Yahoo Boys in Nigeria, and is referred to as “Yahoo Plus.” But wait, there’s more. From the paper:

“Another level of this is referred to as ‘Yahoo Plus Plus,’ which…. involves the use of human parts and may need kidnapping other human beings for rituals, which is not necessary in ‘‘Yahoo Plus.’’ In Yahoo Plus Plus, the use of things such as their finger nails, rings, carrying of corpses, making incision on their body, sleeping in the cemetery, citing of incantation, using of their fingers for rituals, and having sex with ghosts are common. A few of the informants, however, denied that they use voodoo in the business, whereas others affirmed their use of voodoo.”

While many of the victims of this keylog service appear to be 419 scammers, I found that just as often an account was apparently being used to keep tabs on trusting Americans who were being duped into sending money overseas, either in pursuit of some stolen riches or — more often — in hopes of finally meeting someone they had only met online. Often when I reviewed logs chronicling some sad situation in which a woman or man in the United States was apparently the victim of a romance scam, the identifier in the “note” field of each keylog record was “picture.” It seems clear that these romance scammers are infecting their bogus sweethearts by disguising the keylogger as pictures of themselves.

The other pattern that became evident after reviewing all of this BestRecovery user data was that roughly ten percent of the user email addresses were tied to active Facebook accounts. As might be expected, a lot of those accounts used aliases — my personal favorites being “MoolahGroup Nigeria” and “Unscrupulous Buccaneer.”  Still other accounts that were tied to legitimate, personal Facebook pages. Nearly all of them who listed their location were users in Lagos, Nigeria or Kuala Lumpur, Malaysia (with the exception of accounts apparently set up to assist in dating scams).

YB-John-PC

I put together the following slideshow, which displays just some of the Facebook profiles used by the most active customers of this keylog service.  The music for this photo montage was taken from the 419 apologist video called, I Go Chop Your Dollar, which apparently is well-known in 419 scammer circles and explains that 419 scams are “just a game,” and that everyone plays them.

The lyrics to the song are, in part:

419 no be thief, it’s just a game
everybody dey play ‘em
If anybody fall mugu [fool]…
Ha! my brother, I go chop dem

Oyinbo [white] man, I go chop your dollar
I go take your money and disappear
419 is just a game
You are the loser, I am the winner

In any case, it’s likely there will be a whole line of Krebs-themed voodoo dolls somewhere in Lagos not long after this story runs. Stay tuned for the next piece in this series on 419 scams, which examines the connections between and among the 280 or so Nigerian users of this service who had Facebook accounts.

One final note: It took a crazy amount of time to pore through all this data and to do so many Facebook lookups. It would have taken an eternity, had it not been for the help of Damon McCoy, assistant professor of computer science at George Mason University (my alma mater). McCoy and his band of willing grad students agreed to help with the laborious work of conducting thousands of Facebook account lookups, and then finding new Facebook accounts to do more lookups when Facebook suspended accounts for conducting too many lookups (the threshold seems to be around 50 lookups before Facebook locks an account for 24 hours). I’d also like to recognize the work of KrebsOnSecurity reader Patrick Madigan, who helped with lookups and with some of the research that will feature in the next story in this series.

Read more: KrebsonSecurity

Leave a reply

Your email address will not be published. Required fields are marked *

cool good eh love2 cute confused notgood numb disgusting fail