Inside a scam factory: Gray hat hacker offers peek at how Nigerian 419ers work
Keylogging tools to steal personal and financial information from victims are available as a “service” from a site known as PrivateRecovery, which offers the tools for just $25 to $33 a month, according to a list of leaked records seen by researcher Brian Krebs that offers an insight into the black market for keyloggers.
PrivateRecovery’s keylogger is often sent to victims disguised as a screensaver, but site users also try to trick victims into opening it through methods including online dating scams, where the malware is delivered as a “picture” of their beloved after a long online courtship.
Many users of PrivateRecovery appear to be “Nigerian 419 scammers”, according to security expert Brian Krebs, who was forwarded a list of around 3,000 users of the site by an unnamed contact he described as a Gray Hat hacker.
“The site was so poorly locked down that it also exposed the keylog records that customers kept on the service,” Krebs said. “Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.”
Site users even appeared to be targeting one another, according to Information Week. Krebs speculated that this might be in-fighting, or a result of such scammers often sharing the same internet cafes, where machines might already be infected. Krebs said that many of the email addresses revealed on the list had previously been used in dating, confidence and lottery scams.
Krebs said that the site allowed users to track their victims. “New victims are indexed by date, time, Internet address, country, and PC name. Each keylogger instance lets the user specify a short identifier in the ‘note’ field (failing to manually enter an identifier in the note field appears to result in that field being populated by the version number of the keylogger used).”
Krebs also said that the service appeared to be used in online dating scams, with some scammers disguising the keylogger software as pictures of themselves.
“While many of the victims of this keylog service appear to be 419 scammers, I found that just as often an account was apparently being used to keep tabs on trusting Americans who were being duped into sending money overseas, either in pursuit of some stolen riches or — more often — in hopes of finally meeting someone they had only met online,” Krebs wrote. “Often when I reviewed logs chronicling some sad situation in which a woman or man in the United States was apparently the victim of a romance scam, the identifier in the ‘note’ field of each keylog record was ‘picture.’ It seems clear that these romance scammers are infecting their bogus sweethearts by disguising the keylogger as pictures of themselves.”