Krebsonsecurity recently heard from a reader, whose boss’s email account was fish and was used to trick one of the company’s customers to send a large payment to scammers. An investigation into the infrastructure of the attacker indicates a long -running Nigerian cyber crime ring that is actively targeting companies established in transport and aviation industries.
Image: Shutrstock, Sri Terpon Tivekhom.
A reader working in the transport industry recently sent a tip about the successful fishing campaign, which cheated an executive in the company to enter his credentials on a fake Microsoft 365 login page. From there, the attackers quickly mined the inbox of the executive for previous communication about the invoice, some of the messages copied and amended with new challans demands that were sent to some customers and partners of the company.
Speaking on the condition of anonymity, Pathak said that the resulting fishing emails for customers came under the name a newly registered domain that was remarkable as his employer’s domain, and that at least one of their customers fell for ruse and paid a Phony challan. He said that the attackers demonstrated a look-alik domain a few hours after the inbox credentials of the executive, and the scam suffered a customer from six-fisher financial loss.
Pathak also shared that the email address in the registration record for the Imposter Domain – Roomservice801@gmail.com – Many such fishing is tied to the domain. In fact, on a discovery on this email address Domantools.com It suggests that it is linked to at least 240 domains registered in 2024 or 2025. All of them mimic a valid domains for companies in aerospace and transport industries worldwide.
An internet search shows for this email address A humble blog post from 2020 The Russian Forum Hackware (.) On RU, which was found to roomservice801@gmail.com, tied with a fishing attack, using fake challan greed to trick the recipient in logging on a fake microsoft login page. We will return to this research in a moment.
Justice John
Domantols suggest that some initial domains registered at Roomservice801@gmail.com in 2016 include other useful information. For example, record for whois Alhomadhysentra (.) Biz Referring to technical contact of “Justice John“And email address justyjohn50@yahoo.com,
A discovery by domantols found that justyjohn50@yahoo.com has been entering a one-clotting domain since at least 2012. At this point, I was sure that some security company had certainly published analysis of this particular danger group, but I had not yet had enough information to have any concrete conclusions.
Damenols says that Justice John Email Address is tied to more than two dozen domains registered since 2012, but we can get hundreds of and fishing domains and related email addresses by pivying on details in the registration records for these Justice John Domains. For example, the road address used by Justice John Domain axisupdate (.) Net – 7902 pelleaux road in NOXVela, TN – AccountAuthenticate (.) Com, ACCTLOGIN (.) BIZ, and Loginaccount (.) Registration for the business also appears in the records, all of which included all the email addresses at one point rsmith60646@gmail.com,
This RSMIth Gmail Address 2012 Fishing Domain Alibala (.) Biz (Chinese e-commerce giant Alibaba.com is associated with a character with a separate top-level domain of .Biz). A discovery in domentol on the phone number in those domain records – 1.7736491613 – Nigerian phone number “2348062918302” and email addresses with even more fishing domains. MICHSMIH59@gmail.com,
Domentols shows that the registration for the domain is seen in the MICSMIH59@gmail.com Celtrock (.) ComFashioned attack 2020 Russian Blog Post It has been mentioned earlier. At this point, we are just two steps away from identifying the danger actor group.
The same Nigerian phone number shows in dozens of domain registrations that refer to email addresses sebastinekelly69@gmail.comInvolved 26i3 (.) Net, Costamere (.) Com, Danagruop (.) WeAnd Divieling (.) ComOn any of those domains found in a web search that they were indexed A “Indicator of Agreement” list on GITHUB maintained by Palo Alto Network, Unit 42 research team.
Silver
According to Unit 42, the domain is the handiwork of a huge cybercrime group located in Nigeria, which is said to be “dubbed”SilverBack in 2014. October 2021 report,Business email agreement” Or BEC Scams, which target valid business email accounts through social engineering or computer infiltration activities. BEC criminals are used to start or redirect the transfer of business funds for individual benefits.
Palo Alto says InterpolIn 2022, Interpol and Nigeria Police Force 11 members of alleged silver arrestedInvolved A major silver leader Those who had been inciting their money on social media for years. Unfortunately, the greed for easy wealth, spatial poverty and corruption, and less obstacles to enter Nigeria to provide a continuous stream of new recruitments to enter the cyber crime.
The 7th most reported crime tracked by the BEC scam FBI was Internet crime complaint center (IC3) In 2024, there are more than 21,000 complaints. However, the BEC scam was the second most expensive form of cyber crime, which informed Feds last year. About $ 2.8 billion in claimed lossesIn its 2025 fraud and control survey reports, Union for financial professionals Found 63 percent of the organizations experienced BEC last year.
Attacking some email addresses out of this research, many Facebook accounts are revealed for people living in Nigeria or in the United Arab Emirates, many of which have not tried to mask their real life identity. Palo Alto’s Unit 42 researchers came to a similar conclusion, given that although a small the most of these miscreants went into large lengths to hide their identity, it was usually easy to learn their identity on social media accounts and major messaging services.
Palo Alto said that the BEC actors have become more organized over time, and when it is easy to find actors working as a group, the practice of using a phone number, email address or nickname to register a malicious infrastructure in support of many actors has committed cybercity and law enforcement organizations (but not much time), which has not done much time, which has not taken much time) Are committed to reduce.
Researchers wrote, “We continue to find out that actor of silverter, regardless of the geographical location, is often connected through a few degrees of isolation on social media platforms.”
Financial fraud
Palo Alto has published A useful list of recommendations This organization can adopt to reduce the events and impact of BEC attacks. Many of those tips are anti -immunities, such as conducting regular staff safety training and reviewing network safety policies.
But a recommendation – being familiar with a process “Financial fraud“Or FFKC – specific mention because it offers single -best hope for BEC victims that are trying to return the payment made to the fraudsters, and so far a lot of victims do not know that it is present until it is too late.
Picture: IC3.gov.
As explained This FBI primerThe International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial institutions, which aims to free the fraud -tired funds by the victims. According to FBI, viable victims Complaints filed with IC3.Gov After a fraudulent transfer immediately (usually less than 72 hours) will be automatically tried by Financial crime enforcement network (Finned).
FBI mentioned about it IC3 annual report ,
