The Nigerian Prince Scam is a staple of the cybersecurity world. Essentially, someone claims to be in a position of influence or notoriety and needs to get a large sum of money out of their country. They can only do it with your assistance. In return, you’ll get a large piece of the pie.

This remains an incredibly popular scam, garnering over $700,000 a year.

Though these emails are easy for threat actors to pull off, they require a back and forth between the sender and recipient.

Starting in March 2022, Avanan researchers have observed a new twist on this classic scam, whereby threat actors pose as Russian dissidents and ask for financial assistance both for the sender and for Ukraine as a whole. In this attack brief, Avanan will analyze how threat actors are using the latest news to fit a classic scam.


In this attack, hackers are taking the Nigerian Prince scam format and applying current events to it by posing as Russian opposition leader Alexei Navalny, who has been poisoned and imprisoned, with the potential for another 15 years. In this scam, Alexei is asking for help withdrawing money from a Turkish bank account. According to the email, 25% of the money will go to the email recipient; 75% will go to help displaced Ukrainians.

  • Vector: Email
  • Type: Impersonation
  • Techniques: Nigerian Prince Scam, Social Engineering, BCC Stuffing
  • Target: Any end-user



In this attack, threat actors are posing as Alexei Navalny, hoping for assistance withdrawing money. 

Email Example #1

This email tries to start a dialogue between the sender and recipient. The links included in the email are legit and go to the media sources seen in the URL. 

Email Example #2

The email chain bounced around the world, starting in Japan, taking a detour through Shanghai, flying over to Seattle before landing in the Midwest:



In this attack, hackers are posing as Russian dissidents (in this case the most famous opposition leader, Alexei Navalny) to extract money from users.


In this twist on the Nigerian Prince scam, the hackers are playing off current events by having the sender come from Russia and the money “going” to displaced Ukrainians. 

To get into the inbox, the hackers sent the email to a legitimate address based out of Shanghai. Doing so satisfies minimal requirements for SMTP, improving the chance of acceptance by all recipients. The rest of the emails are BCC’d. By placing intended victims in the BCC field, this becomes a fairly easy mass phishing campaign.
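A gateway-side check for the BCC pattern described above, as an added example that is not Avanan's detection logic. It assumes the gateway knows the SMTP envelope recipient and its own local domains; the sample message, addresses, function names and signal names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; every address and host is a placeholder.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.victim.example with ESMTP; Tue, 15 Mar 2022 09:12:00 -0500
From: "Alexei Navalny" <sender@sender.example>
To: someone@relay.example
Subject: Request for assistance

I need your help withdrawing funds from a bank account.
"""

def visible_recipients(msg):
    """Lower-cased addresses taken from the To and Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def bcc_stuffing_signals(raw, envelope_rcpt, local_domains):
    """Return the header signals that match the BCC pattern described above.

    envelope_rcpt is the SMTP RCPT TO address the gateway accepted
    (assumed to be available from the gateway's own logs).
    """
    msg = message_from_string(raw)
    if msg.get("List-Id"):          # mailing lists also omit the recipient
        return []
    visible = visible_recipients(msg)
    signals = []
    if envelope_rcpt.lower() not in visible:
        signals.append("recipient_not_in_to_or_cc")
    if visible and all(a.rsplit("@", 1)[-1] not in local_domains for a in visible):
        signals.append("all_visible_recipients_external")
    if len(visible) == 1:
        signals.append("single_visible_recipient")
    return signals

def is_bcc_stuffed(raw, envelope_rcpt, local_domains):
    """True only when all three signals fire together."""
    return len(bcc_stuffing_signals(raw, envelope_rcpt, local_domains)) == 3

if __name__ == "__main__":
    print(bcc_stuffing_signals(SAMPLE, "user@victim.example", {"victim.example"}))
```

None of these signals is conclusive on its own, since legitimate BCC mail exists; they are best used to raise the score of a message that also shows display-name impersonation or a money request.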

Like all social engineering scams, the malicious party will continue to email until they get what they want. In this case, that could be a number of things. Likely, they will continue to work their funnel, continuing to act authoritatively. At the end of the exchange, there will likely be instructions with wiring information, a Bitcoin address or some other form of payment that, once sent, cannot be revoked.

There are no malicious links in the email; the sender is banking on the fact that the recipient will respond. Like all Nigerian Prince Scams, the sender acts as an authoritative voice–in this case the most outspoken Russian opposition leader. 

Despite their ubiquity, Nigerian Prince Scams still fool users. The hope of this particular attack is that the appeal to help Ukrainians will move users to act. Notably, the attacker will fully and willingly engage in dialogue with the recipient to increase the odds of success.

The hackers are exploiting the war to get what they want, part of a long trend of threat actors twisting current events for their own purposes. In this case, they are attempting to establish credibility with legitimate sources who, they hope, can help.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Remind users of the basics of the Nigerian Prince Scam
  • Encourage users to Google basic information in the email, which would reveal that Navalny is in prison with limited access to the outside world
  • Remind users to never give banking or other personal information over email
