Phishing scams have been around for decades, and they’re still going strong in 2017. And while the classic Nigerian prince (or 419) scams haven’t made the rounds in quite some time there are definitely still active phishing campaigns being run from Nigeria. Fortunately, there are skilled security professionals working to protect the public… and they’re taking some creative approaches to combating cybercrime.
At the 2017 RSA conference, researchers Joe Stewart and James Bettke from Dell SecureWorks shared a tale about a particularly interesting Nigerian phishing operation they were tasked with investigating. What made it interesting wasn’t the phishing attacks themselves — it was how SecureWorks responded.
SecureWorks got involved after some of its customers fell victim to the targeted attacks. The scammers went after high-level executives at oil companies, health care providers, and several other big businesses. They sought to gain the executives’ trust in order to secure wire transfers for huge amounts of cash.
Fighting back against phishing scams often involves taking down websites and domains with the help of ISPs, domain name registars, and law enforcement agencies. Stewart and Bettke decided to take things a bit further. They turned the tables on the individual behind the attacks.
The first step: responding to a phishing email with one of their own. They attached a malicious PDF document. When it was opened, they gained valuable information about the attacker. Stewart and Bettke then used a second second phishing technique to trick their target into revealing even more critical information — including a phone number that they were able to link to a Facebook profile.
Along the way, they were also able to freeze multiple bank accounts that were used to receive money transfers from phishing victims. They also successfully locked their target out of numerous email accounts that had been used in other phishing attacks.
Stewart and Bettke switched things up again by striking up a conversation and posing as a second scammer who had also gained access to one of the Nigerian attacker’s victims. Under the guise of coordinating their efforts, they tricked him again — which resulted in the installation of a RAT (remote access toolkit) on the computer he was using to run the phishing campaign. They captured numerous incriminating emails and a treasure trove of personal information.
While they managed to make things very, very difficult on this one attacker there are countless others that need to be dealt with. To make real progress against phishing scams, Stewart says that security firms and banks need to better coordinate their efforts. He’d like to see one point of contact set up for reporting incidents and believes that “there needs to be someone leading[…]the charge.”