{"id":4926,"date":"2025-07-25T23:14:57","date_gmt":"2025-07-25T23:14:57","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=4926"},"modified":"2025-07-25T23:14:57","modified_gmt":"2025-07-25T23:14:57","slug":"phishers-goal-aviation-execs-to-rip-off-clients-krebs-on-safety","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=4926","title":{"rendered":"Phishers Target Aviation Execs to Scam Customers \u2013 Krebs on Security"},"content":{"rendered":"<div>\n<p>KrebsOnSecurity recently heard from a reader whose boss\u2019s email account got phished and was used to trick one of the company\u2019s customers into sending a large payment to scammers. An investigation into the attacker\u2019s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.<\/p>\n<div id=\"attachment_71757\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-71757\" decoding=\"async\" class=\" wp-image-71757\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/shutterstock-airplanes.png\" alt=\"\" width=\"749\" height=\"535\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/shutterstock-airplanes.png 666w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/shutterstock-airplanes-100x70.png 100w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\"\/><\/p>\n<p id=\"caption-attachment-71757\" class=\"wp-caption-text\">Image: Shutterstock, Mr. Teerapon Tiuekhom.<\/p>\n<\/div>\n<p>A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. 
From there, the attackers quickly mined the executive\u2019s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company\u2019s customers and partners.<\/p>\n<p>Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer\u2019s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive\u2019s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.<\/p>\n<p>The reader also shared that the email address in the registration records for the imposter domain \u2014 <strong>roomservice801@gmail.com<\/strong> \u2014 is tied to many such phishing domains. Indeed, a search on this email address at <strong>DomainTools.com<\/strong> finds it is associated with at least 240 domains registered in 2024 or 2025. Nearly all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.<\/p>\n<p>An Internet search for this email address reveals <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/web.archive.org\/web\/20220514070749\/https:\/\/hackware.ru\/?p=12106\">a humorous blog post from 2020<\/a> on the Russian forum hackware[.]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. 
We\u2019ll come back to this research in a moment.<\/p>\n<h2>JUSTY JOHN<\/h2>\n<p>DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful data. For example, the WHOIS records for <strong>alhhomaidhicentre[.]biz<\/strong> reference the technical contact of \u201c<strong>Justy John<\/strong>\u201d and the email address <strong>justyjohn50@yahoo.com<\/strong>.<\/p>\n<p>A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn\u2019t yet have enough information to draw any solid conclusions.<\/p>\n<p>DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for those Justy John domains. For example, the street address used by the Justy John domain <strong>axisupdate[.]net<\/strong> \u2014 7902 Pelleaux Road in Knoxville, TN \u2014 also appears in the registration records for accountauthenticate[.]com, acctlogin[.]biz, and loginaccount[.]biz, all of which at one point included the email address <strong>rsmith60646@gmail.com<\/strong>.<\/p>\n<p>That Rsmith Gmail address is linked to the 2012 phishing domain alibala[.]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). 
A search in DomainTools on the phone number in those domain records \u2014 1.7736491613 \u2014 reveals even more phishing domains, as well as the Nigerian phone number \u201c2348062918302\u201d and the email address <strong>michsmith59@gmail.com<\/strong>.<\/p>\n<p>DomainTools shows michsmith59@gmail.com appears in the registration records for the domain <strong>seltrock[.]com<\/strong>, which was used in the phishing attack documented in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/web.archive.org\/web\/20220514070749\/https:\/\/hackware.ru\/?p=12106\">the 2020 Russian blog post<\/a> mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.<\/p>\n<p>The same Nigerian phone number shows up in dozens of domain registrations that reference the email address <strong>sebastinekelly69@gmail.com<\/strong>, including <strong>26i3[.]net<\/strong>, <strong>costamere[.]com<\/strong>, <strong>danagruop[.]us<\/strong>, and <strong>dividrilling[.]com<\/strong>. A Web search on any of those domains finds they were listed in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/pan-unit42\/iocs\/blob\/master\/silverterrier\/domains.csv\">an \u201cindicator of compromise\u201d list on GitHub<\/a> maintained by <strong>Palo Alto Networks<\/strong>\u2019 <strong>Unit 42<\/strong> research team.<span id=\"more-71635\"\/><\/p>\n<h2>SILVERTERRIER<\/h2>\n<p>According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed \u201c<strong>SilverTerrier<\/strong>\u201d back in 2014. 
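<\/p>\n<p>The chain of registration-record pivots walked through above (a registrant email to a street address, the address to a phone number, the phone number to another email and on to the domains on the Unit 42 list) is routine to script once the records are exported, and the same cluster can then be checked for brand look-alikes, which is what alibala[.]biz is to alibaba.com and what the imposter domain in the reader\u2019s case was to their employer\u2019s. The Python below is an added example, not code from the original article, from DomainTools or from Unit 42. It runs on a constructed set of WHOIS records: the emails, phone numbers, street address and real-looking domains are the ones quoted above, the assignment of fields to individual records is simplified, and the .invalid and .example domains (including one bridging record that carries the US phone number next to the Nigerian one) are hypothetical placeholders.<\/p>\n
```python
# Added example, not code from the original article: automate the WHOIS pivot walked
# through above (a shared email, phone or street address links two domains), then flag
# which domains in the resulting cluster imitate a legitimate brand. Constructed records:
# the emails, phone numbers, street address and real-looking domains are the ones quoted
# in the article, which field sits on which record is simplified, and every .invalid or
# .example domain is a hypothetical placeholder.
RECORDS = [
    {'domain': 'alhhomaidhicentre.biz', 'email': 'roomservice801@gmail.com', 'tech_email': 'justyjohn50@yahoo.com'},
    {'domain': 'axisupdate.net', 'email': 'justyjohn50@yahoo.com', 'street': '7902 Pelleaux Road, Knoxville, TN'},
    {'domain': 'accountauthenticate.com', 'email': 'rsmith60646@gmail.com', 'street': '7902 pelleaux road knoxville tn'},
    {'domain': 'acctlogin.biz', 'email': 'rsmith60646@gmail.com', 'phone': '1.7736491613'},
    {'domain': 'alibala.biz', 'email': 'rsmith60646@gmail.com'},
    # Hypothetical bridge: the US number beside the Nigerian number and michsmith59 address it reveals.
    {'domain': 'skyfrieght-aero.invalid', 'email': 'michsmith59@gmail.com', 'phone': ['1.7736491613', '+234 806 291 8302']},
    {'domain': 'seltrock.com', 'email': 'michsmith59@gmail.com'},
    {'domain': '26i3.net', 'email': 'sebastinekelly69@gmail.com', 'phone': '2348062918302'},
    {'domain': 'costamere.com', 'email': 'sebastinekelly69@gmail.com', 'phone': '2348062918302'},
    {'domain': 'dividrilling.com', 'email': 'sebastinekelly69@gmail.com'},
    # Hypothetical unrelated registration: it must stay outside the cluster.
    {'domain': 'unrelated-shop.invalid', 'email': 'owner@unrelated.invalid', 'phone': '1.5555550100'},
]
LEGIT = ['alibaba.com', 'skyfreight-aero.example']     # brands to compare against; the 2nd is hypothetical
PIVOT_FIELDS = {'email': 'email', 'tech_email': 'email', 'phone': 'phone', 'street': 'street'}

def normalize(kind, value):
    '''Canonical (kind, value) key so differently typed registrations still link.'''
    v = value.strip().lower()
    if kind == 'phone':
        v = ''.join(ch for ch in v if ch.isdigit())    # 1.7736491613 -> 17736491613
    elif kind == 'street':
        v = ''.join(ch for ch in v if ch.isalnum())    # drop punctuation and spaces
    return (kind, v)

def attribute_keys(rec):
    for field, kind in PIVOT_FIELDS.items():
        values = rec.get(field) or []                  # a field may hold a str or a list
        for value in ([values] if isinstance(values, str) else values):
            yield normalize(kind, value)

class DisjointSet:
    def __init__(self):
        self.parent = {}                               # domains and attributes share one universe
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def pivot(records, seed_email):
    '''Domains and attributes reachable from seed_email via shared emails, phones or addresses.'''
    ds = DisjointSet()
    for rec in records:
        dom = ('domain', rec['domain'].lower())
        ds.find(dom)                                   # register even a record with no pivot fields
        for key in attribute_keys(rec):
            ds.union(dom, key)
    root = ds.find(normalize('email', seed_email))
    members = [k for k in list(ds.parent) if ds.find(k) == root]
    domains = sorted(v for kind, v in members if kind == 'domain')
    attributes = sorted(k for k in members if k[0] != 'domain')
    return domains, attributes

def edit_distance(a, b):
    '''Optimal string alignment distance: insert, delete, substitute or swap adjacent.'''
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(domain, legit_domains):
    '''Legitimate domain that domain imitates, or None; compares the first label only (no PSL).'''
    domain = domain.lower()
    label = domain.split('.')[0]
    best = None
    for legit in legit_domains:
        legit = legit.lower()
        if domain == legit:
            return None                                # the genuine domain itself
        legit_label = legit.split('.')[0]
        allowed = 1 if len(legit_label) < 8 else 2     # short brands: tolerate one edit only
        dist = edit_distance(label, legit_label)       # label only, so a TLD swap cannot hide an edit
        if dist <= allowed and (best is None or dist < best[0]):
            best = (dist, legit)
    return best[1] if best else None

def investigate(records, seed_email, legit_domains):
    '''Cluster outward from one registrant email, then flag brand look-alikes inside it.'''
    domains, attributes = pivot(records, seed_email)
    flagged = {d: lookalike_of(d, legit_domains) for d in domains}
    return domains, attributes, {d: t for d, t in flagged.items() if t}

if __name__ == '__main__':
    domains, attributes, flagged = investigate(RECORDS, 'roomservice801@gmail.com', LEGIT)
    print(len(domains), 'domains in the cluster:', ', '.join(domains))
    for dom, target in flagged.items():
        print('look-alike:', dom, '->', target)
```
\n<p>Run it as a script to print the cluster and the flagged look-alikes. Two details carry the example: the phone and street normalization, without which the differently punctuated address and the +234-formatted number would never link, and comparing only the registrable label so that a different TLD does not hide a one-character change. A public-suffix list would be needed before pointing this at real zone data, and the distance threshold should stay at one edit for short brand names to keep false positives down.<\/p>\n<p>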
In <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/unit42.paloaltonetworks.com\/silverterrier-nigerian-business-email-compromise\/\">an October 2021 report<\/a>, Palo Alto said SilverTerrier excels at so-called \u201c<strong>business email compromise<\/strong>\u201d or <strong>BEC<\/strong> scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.<\/p>\n<p>Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by <strong>Interpol<\/strong>. In 2022, Interpol and the Nigeria Police Force <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.interpol.int\/en\/News-and-Events\/News\/2022\/Nigerian-cybercrime-fraud-11-suspects-arrested-syndicate-busted\">arrested 11 alleged SilverTerrier members<\/a>, including <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/unit42.paloaltonetworks.com\/operation-delilah-business-email-compromise-actor\/\">a prominent SilverTerrier leader<\/a> who\u2019d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.<\/p>\n<p>BEC scams were the seventh most reported crime tracked by the FBI\u2019s <strong>Internet Crime Complaint Center<\/strong> (IC3) in 2024, generating more than 21,000 complaints. 
However, BEC scams were the second costliest form of cybercrime reported to the feds last year, with <em>nearly $2.8 billion in claimed losses<\/em>.\u00a0In its <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.afponline.org\/training-resources\/resources\/survey-research-economic-data\/Details\/payments-fraud\">2025 Fraud and Control Survey Report<\/a>, the <strong>Association for Financial Professionals<\/strong> found 63 percent of organizations experienced a BEC last year.<\/p>\n<p>Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people living in Nigeria or in the United Arab Emirates, many of whom don\u2019t appear to have tried to mask their real-life identities. Palo Alto\u2019s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to hide their identities, it was usually simple to learn their identities from social media accounts and the major messaging services.<\/p>\n<p>Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.<\/p>\n<p>\u201cWe continue to find that SilverTerrier actors, regardless of geographical location, are often connected through just a few degrees of separation on social media platforms,\u201d the researchers wrote.<\/p>\n<h2>FINANCIAL FRAUD KILL CHAIN<\/h2>\n<p>Palo Alto has published <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/unit42.paloaltonetworks.com\/operation-falcon-ii-silverterrier-nigerian-bec\/#protections-and-mitigations\">a useful list of recommendations<\/a> that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those recommendations are prophylactic, such as conducting regular employee security training and reviewing network security policies.<\/p>\n<p>But one recommendation \u2014 becoming familiar with a process known as the \u201c<strong>financial fraud kill chain<\/strong>\u201d or FFKC \u2014 bears special mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don\u2019t know it exists until it\u2019s too late.<\/p>\n<div id=\"attachment_71758\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-71758\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71758\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/ffkc-fbi.png\" alt=\"\" width=\"749\" height=\"786\"\/><\/p>\n<p id=\"caption-attachment-71758\" class=\"wp-caption-text\">Image: ic3.gov.<\/p>\n<\/div>\n<p>As explained in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/elderjustice\/media\/1364056\/dl?inline\">this FBI primer<\/a>, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose goal is to freeze fraudulent funds wired by victims. 
According to the FBI, viable victim <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/CrimeInfo\/BEC\">complaints filed with ic3.gov<\/a> promptly after a fraudulent transfer (generally less than 72 hours) may be automatically triaged by the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Financial_Crimes_Enforcement_Network\">Financial Crimes Enforcement Network<\/a> (FinCEN).<\/p>\n<p>The FBI noted in its <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/AnnualReport\/Reports\/2024_IC3Report.pdf\">IC3 annual report<\/a> (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all data from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>KrebsOnSecurity recently heard from a reader whose boss\u2019s email account got phished and was used to trick one of the company\u2019s customers into sending a large payment to scammers. An investigation into the attacker\u2019s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4928,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[4274,896,4275,262,4273,1325,211,70],"class_list":["post-4926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-aviation","tag-customers","tag-execs","tag-krebs","tag-phishers","tag-scam","tag-security","tag-target"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/4926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4926"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/4926\/revisions"}],"predecessor-version":[{"id":4927,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/4926\/revisions\/4927"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/4928"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}