SMBs and their staff are still falling prey to social engineering attacks.
In Trend Micro’s latest report “Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide”, the security company showed how Hawkeye, a simple keylogger that costs around USD35 was used by two Nigerian hackers to infiltrate SMBs around the globe through holiday themed social engineering techniques—with notable success.
Hawkeye shares ties to Predator Pain and Limitless which were keyloggers used in campaigns that also targeted SMBs in 2014.
Most of the companies targeted by HawkEye are companies from developing countries such as India, Egypt, and Iran, due to their abundance of SMBs. Hong Kong accounts for 5% of the victims, suggesting its continued vulnerability to be a target since cybercriminals that used Limitless and Predator Pain attacks had previously netted up to USD75 million US dollars in the first half of 2014. In the case of the operations run independently by the two Nigerian cybercriminals dubbed as “Uche” and “Okiki,”, the attack consisted of the following actions:
1. They employed the use of Hawkeye to steal email and website credentials, as well as logging keystrokes.
2. These particular hackers were patient and built a level of rapport with their victims through a series of emails prior to delivering the malware-infested attachment.
3. The attachment was also disguised by cryptors so the victim remained unaware of the attack on their system.
4. They covered their tracks by using exfiltration via SMTP, as well as multiple email accounts, in 90 percent of the campaigns.
1. This sophisticated methodology is a departure for Nigerian scammers who usually use simpler attack vectors such as generic spamming, possibly introducing a new breed of hackers from the Asia Pacific region as well.
Trend Micro says the series of malware attacks launched by the duo dispels the notion that only very large enterprises are vulnerable to cybercrime attacks. SMBs are also at risk, smaller regional offices may be exploited as a means to reach the global office.
Remedies include blocking emails sent even before they reach the target from solutions able to identify the malicious attachment, link, and even the social engineering techniques used. The solutions can also block the malicious traffic triggered by the communication between the HawkEye variants and the cybercriminals. Other remedies include those who with multiple layers of protection from the endpoint level such as detecting the HawkEye variants and blocking all related IPs and URLs.