[ad_1]
KrebsOnSecurity lately heard from a reader whose boss’s electronic mail account obtained phished and was used to trick one of many firm’s prospects into sending a big cost to scammers. An investigation into the attacker’s infrastructure factors to a long-running Nigerian cybercrime ring that’s actively concentrating on established corporations within the transportation and aviation industries.
Image: Shutterstock, Mr. Teerapon Tiuekhom.
A reader who works within the transportation business despatched a tip a few latest profitable phishing marketing campaign that tricked an government on the firm into getting into their credentials at a pretend Microsoft 365 login web page. From there, the attackers shortly mined the chief’s inbox for previous communications about invoices, copying and modifying a few of these messages with new bill calls for that have been despatched to a number of the firm’s prospects and companions.
Speaking on situation of anonymity, the reader stated the ensuing phishing emails to prospects got here from a newly registered area title that was remarkably just like their employer’s area, and that no less than one in every of their prospects fell for the ruse and paid a phony bill. They stated the attackers had spun up a look-alike area only a few hours after the chief’s inbox credentials have been phished, and that the rip-off resulted in a buyer struggling a six-figure monetary loss.
The reader additionally shared that the e-mail addresses within the registration information for the imposter area — roomservice801@gmail.com — is tied to many such phishing domains. Indeed, a search on this electronic mail handle at DomainTools.com finds it’s related to no less than 240 domains registered in 2024 or 2025. Virtually all of them mimic official domains for corporations within the aerospace and transportation industries worldwide.
An Internet seek for this electronic mail handle reveals a humorous weblog submit from 2020 on the Russian discussion board hackware[.]ru, which discovered roomservice801@gmail.com was tied to a phishing assault that used the lure of phony invoices to trick the recipient into logging in at a pretend Microsoft login web page. We’ll come again to this analysis in a second.
JUSTY JOHN
DomainTools exhibits that a number of the early domains registered to roomservice801@gmail.com in 2016 embrace different helpful info. For instance, the WHOIS information for alhhomaidhicentre[.]biz reference the technical contact of “Justy John” and the e-mail handle justyjohn50@yahoo.com.
A search at DomainTools discovered justyjohn50@yahoo.com has been registering one-off phishing domains since no less than 2012. At this level, I used to be satisfied that some safety firm absolutely had already revealed an evaluation of this explicit menace group, however I didn’t but have sufficient info to attract any strong conclusions.
DomainTools says the Justy John electronic mail handle is tied to greater than two dozen domains registered since 2012, however we are able to discover a whole lot extra phishing domains and associated electronic mail addresses just by pivoting on particulars within the registration information for these Justy John domains. For instance, the road handle utilized by the Justy John area axisupdate[.]web — 7902 Pelleaux Road in Knoxville, TN — additionally seems within the registration information for accountauthenticate[.]com, acctlogin[.]biz, and loginaccount[.]biz, all of which at one level included the e-mail handle rsmith60646@gmail.com.
That Rsmith Gmail handle is related to the 2012 phishing area alibala[.]biz (one character off of the Chinese e-commerce large alibaba.com, with a distinct top-level area of .biz). A search in DomainTools on the telephone quantity in these area information — 1.7736491613 — reveals much more phishing domains in addition to the Nigerian telephone quantity “2348062918302” and the e-mail handle michsmith59@gmail.com.
DomainTools exhibits michsmith59@gmail.com seems within the registration information for the area seltrock[.]com, which was used within the phishing assault documented in the 2020 Russian weblog submit talked about earlier. At this level, we’re simply two steps away from figuring out the menace actor group.
The identical Nigerian telephone quantity exhibits up in dozens of area registrations that reference the e-mail handle sebastinekelly69@gmail.com, together with 26i3[.]web, costamere[.]com, danagruop[.]us, and dividrilling[.]com. A Web search on any of these domains finds they have been listed in an “indicator of compromise” checklist on GitHub maintained by Palo Alto Networks‘ Unit 42 analysis staff.
SILVERTERRIER
According to Unit 42, the domains are the handiwork of an enormous cybercrime group primarily based in Nigeria that it dubbed “SilverTerrier” again in 2014. In an October 2021 report, Palo Alto stated SilverTerrier excels at so-called “business e-mail compromise” or BEC scams, which goal official enterprise electronic mail accounts by means of social engineering or pc intrusion actions. BEC criminals use that entry to provoke or redirect the switch of enterprise funds for private achieve.
Palo Alto says SilverTerrier encompasses a whole lot of BEC fraudsters, a few of whom have been arrested in varied worldwide regulation enforcement operations by Interpol. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, together with a distinguished SilverTerrier chief who’d been flaunting his wealth on social media for years. Unfortunately, the lure of simple cash, endemic poverty and corruption, and low limitations to entry for cybercrime in Nigeria conspire to supply a relentless stream of latest recruits.
BEC scams have been the seventh most reported crime tracked by the FBI’s Internet Crime Complaint Center (IC3) in 2024, producing greater than 21,000 complaints. However, BEC scams have been the second most expensive type of cybercrime reported to the feds final 12 months, with almost $2.8 billion in claimed losses. In its 2025 Fraud and Control Survey Report, the Association for Financial Professionals discovered 63 % of organizations skilled a BEC final 12 months.
Poking at a number of the electronic mail addresses that spool out from this analysis reveals quite a few Facebook accounts for individuals residing in Nigeria or within the United Arab Emirates, lots of whom don’t seem to have tried to masks their real-life identities. Palo Alto’s Unit 42 researchers reached an identical conclusion, noting that though a small subset of those crooks went to nice lengths to hide their identities, it was often easy to study their identities on social media accounts and the foremost messaging providers.
Palo Alto stated BEC actors have grow to be way more organized over time, and that whereas it stays simple to seek out actors working as a bunch, the observe of utilizing one telephone quantity, electronic mail handle or alias to register malicious infrastructure in help of a number of actors has made it way more time consuming (however not not possible) for cybersecurity and regulation enforcement organizations to type out which actors dedicated particular crimes.
“We continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,” the researchers wrote.
FINANCIAL FRAUD KILL CHAIN
Palo Alto has revealed a helpful checklist of suggestions that organizations can undertake to reduce the incidence and impression of BEC assaults. Many of these ideas are prophylactic, comparable to conducting common worker safety coaching and reviewing community safety insurance policies.
But one suggestion — getting aware of a course of referred to as the “financial fraud kill chain” or FFKC — bears particular point out as a result of it affords the only finest hope for BEC victims who’re searching for to claw again funds made to fraudsters, and but far too many victims don’t understand it exists till it’s too late.
Image: ic3.gov.
As defined in this FBI primer, the International Financial Fraud Kill Chain is a partnership between federal regulation enforcement and monetary entities whose goal is to freeze fraudulent funds wired by victims. According to the FBI, viable sufferer complaints filed with ic3.gov promptly after a fraudulent switch (typically lower than 72 hours) shall be routinely triaged by the Financial Crimes Enforcement Network (FinCEN).
The FBI famous in its IC3 annual report (PDF) that the FFKC had a 66 % success price in 2024. Viable ic3.gov complaints contain losses of no less than $50,000, and embrace all information from the sufferer or sufferer financial institution, in addition to a accomplished FFKC type (supplied by FinCEN) containing sufferer info, recipient info, financial institution names, account numbers, location, SWIFT, and any extra info.