Thursday, September 12, 2013

Do You Know Anyone in This Video? BestRecovery Hack Exposes Nigerian ‘Yahoo Boys’


So a tech security blogger and his friends were able to hack into a keylogging service called BestRecovery. This service lets its users spy on the computers of people they manage to infect with malware. As it turns out, a lot of the users of this spying service were Nigerians based either in Lagos or in Kuala Lumpur. You may know them as Yahoo-Yahoo Boys.

Fortunately for victims of these criminals, the blogger and his friends were able to obtain the email addresses of BestRecovery users, and as it turns out, the same emails were connected to open Facebook accounts. After some time-consuming lookups and screen grabs, they were able to make this very helpful video.


An excerpt from the KrebsOnSecurity blog on the exposed Yahoo Yahoo Boys, with helpful information on how to avoid being spied on, is below. I know some RML readers are dating online; please beware of online suitors who send you links to install a screen saver on your system or to open their picture, or who refuse to video Skype. Read on...

At issue is a service named “BestRecovery” (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy ... But that was before I shared a link to the site with a grey hat hacker friend, who replied in short order with the entire username and password database of more than 3,000 paying customers.

The first thing I noticed upon viewing the user list was that a majority of this service’s customers had signed up with yahoo.com emails, and appeared to have African-sounding usernames or email addresses. Also, running a simple online search for some of the user emails (dittoswiss@yahoo.com, for example) turned up complaints related to a variety of lottery, dating, reshipping and confidence scams.

The site was so poorly locked down that it also exposed the keylog records that customers kept on the service. Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.

Also known as “advance fee” and “Nigerian letter” scams, 419 schemes have been around for many years and are surprisingly effective at duping people. The schemes themselves violate Section 419 of the Nigerian criminal code, hence the name. Nigerian romance scammers often will troll online dating sites using stolen photos and posing as attractive U.S. or U.K. residents working in Nigeria or Ghana, asking for money to further their studies, care for sick relatives, or some such sob story.

More traditionally, these miscreants pretend to be an employee at a Nigerian bank or government institution and claim to need your help in spiriting away millions of dollars. Those who fall for the ruses are strung along and milked for increasingly large money transfers, supposedly to help cover taxes, bribes and legal fees. As the FBI notes, once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances.

“While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually,” the FBI warns. “Some victims have been lured to Nigeria, where they have been imprisoned against their will along with losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.”

.... the term “Yahoo Boys” is the nickname given to categories of young men in Nigeria who specialize in various types of cybercrime. According to that paper, in which researchers spent time with and interviewed at least 40 active Yahoo Boys, most of the cybercrime perpetrators in Nigeria are between the age of 22 and 29, and are undergraduates who have distinct lifestyles from other youths.

“Their strategies include collaboration with security agents and bank officials, local and international networking, and the use of voodoo [emphasis added]. It was clear that most were involved in online dating and buying and selling with fake identities. The Yahoo boys usually brag, sag, do things loudly, drive flashy cars, and change cars frequently. They turn their music loud and wear expensive and latest clothes and jewelry. They also have a special way of dressing and relate, they spend lavishly, love material things, and go to clubs. They are prominent at night parties picking prostitutes at night. They also move in groups of two, three, and four when going to eateries. They speak different coded languages and use coded words such as “Mugun,” “Maga,” and “Maga don pay,” which all means “the fool (i.e., their victim) has paid.”

I had never heard that Nigerian 419 scammers relied on voodoo to increase their email mojo, and I must admit the next part of the study freaked me out a little bit. According to the researchers, the use of voodoo and charms for spiritual protection and to charm potential victims is very common among Yahoo Boys in Nigeria, and is referred to as “Yahoo Plus.” But wait, there’s more. From the paper:

“Another level of this is referred to as ‘Yahoo Plus Plus,’ which…. involves the use of human parts and may need kidnapping other human beings for rituals, which is not necessary in ‘‘Yahoo Plus.’’ In Yahoo Plus Plus, the use of things such as their finger nails, rings, carrying of corpses, making incision on their body, sleeping in the cemetery, citing of incantation, using of their fingers for rituals, and having sex with ghosts are common. A few of the informants, however, denied that they use voodoo in the business, whereas others affirmed their use of voodoo.”

While many of the victims of this keylog service appear to be 419 scammers, I found that just as often an account was apparently being used to keep tabs on trusting Americans who were being duped into sending money overseas, either in pursuit of some stolen riches or — more often — in hopes of finally meeting someone they had only met online. Often when I reviewed logs chronicling some sad situation in which a woman or man in the United States was apparently the victim of a romance scam, the identifier in the “note” field of each keylog record was “picture.” It seems clear that these romance scammers are infecting their bogus sweethearts by disguising the keylogger as pictures of themselves.




3 comments:

  1. Naija is always falling my hand. Why now?

  2. Myne, I'm surprised you've not heard of "Yahoo Plus Plus". It's a really sad and depressing situation. God help us all.

  3. More on BestRecovery:

    http://protectyournet.blogspot.com/2013/09/inside-bestrecovery-mybestrecovery.html

