Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs

Hawkeye View Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide

In a typical cybercrime scheme, perpetrators sell gathered information from their victims in the cybercriminal underground and move on to launch attacks on new targets. However, in the case of the operations run independently by two Nigerian cybercriminals dubbed as “Uche” and “Okiki,” they used a simple keylogger, "Hawkeye," to scout more and bigger targets. Instead of selling the confidential data they acquired from their victims, these cybercriminals took their time to gather more knowledge about their victim’s business contacts, affiliates, and partners in order to launch scams.  The tool played a crucial role in change of supplier fraud.  In the said scheme, cybercriminals monitor compromised business emails and hijack transactions by sending an alternative payment details, routing the payments straight to the cybercriminals’ pockets.

[Read more about keyloggers and how they are used for cyberspying purposes in From Cybercrime to Cyberspying: Using Limitless Keylogger and Predator Pain]

This Trend Micro research paper highlights how cybercriminals are able to use unsophisticated software to execute high-impact attacks.

Stepping stones for bigger prey

The impact of an attack can depend on how cybercriminals use the data stolen from their target victims.  For instance, information stolen through Hawkeye enabled the cybercriminals to expand their targets to include those who’ve done business with their original victim. In our monitoring of the victims, we observed that these companies were either related to one another or were in the same industry, most of which aresmall and medium-sized businesses located in India, Egypt, and Iran. 

Apart from scouting more targets, Hawkeye was used to move laterally across large organizations. Based on our investigation, a regional office was initially targeted as a stepping stone used to get to bigger prey—the company’s global office.  This goes to show that the cybercriminals employed their access to these smaller, regional offices in order to gain entry to the global office.

[Read more about Lateral Movement in targeted attacks in Lateral Movement: How Do Threat Actors Move Deeper Into Your Network?]

Covering one’s bases

The series of malware attacks launched by Uche and Okiki dispels the notion that only very large enterprises are vulnerable to cybercrime attacks.  Nowadays, the size of the company doesn't matter. Everyone is a potential target.  SMBs that may have a smaller budget allotted to security technology face the same security challenges and threats that enterprises encounter. As these operations proved, the security gaps within smaller companies were leveraged to jump to bigger enterprise targets.

For more details about this operation and the perpetrators behind it, read our full paper, Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.