September 9, 2013

A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored.

The login page for the BestRecovery online keylog service.

At issue is a service named “BestRecovery” (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy (see screenshot at right).

But that was before I shared a link to the site with a grey hat hacker friend, who replied in short order with the entire username and password database of more than 3,000 paying customers.

Initially, I assumed my source had unearthed the data via an SQL injection attack or some other database weakness. As it happens, the entire list of users is recoverable from the site using little more than a Web browser.

The first thing I noticed upon viewing the user list was that a majority of this service’s customers had signed up with yahoo.com emails, and appeared to have African-sounding usernames or email addresses. Also, running a simple online search for some of the user emails (dittoswiss@yahoo.com, for example) turned up complaints related to a variety of lottery, dating, reshipping and confidence scams.

The site was so poorly locked down that it also exposed the keylog records that customers kept on the service. Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.

The seriously ghetto options page for BestRecovery web-based keylogger service.

Also known as “advance fee” and “Nigerian letter” scams, 419 schemes have been around for many years and are surprisingly effective at duping people. The schemes themselves violate Section 419 of the Nigerian criminal code, hence the name. Nigerian romance scammers often will troll online dating sites using stolen photos and posing as attractive U.S. or U.K. residents working in Nigeria or Ghana, asking for money to further their studies, care for sick relatives, or some such sob story.

More traditionally, these miscreants pretend to be an employee at a Nigerian bank or government institution and claim to need your help in spiriting away millions of dollars. Those who fall for the ruses are strung along and milked for increasingly large money transfers, supposedly to help cover taxes, bribes and legal fees. As the FBI notes, once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances. “While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually,” the FBI warns. “Some victims have been lured to Nigeria, where they have been imprisoned against their will along with losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.”

Oddly enough, a large percentage of the keylog data stored at BestRecovery indicates that many of those keylog victims are in fact Nigerian 419 scammers themselves. One explanation is that this is the result of scammer-on-scammer attacks. According to a study of 419ers published in the Dec. 2011 edition of Cyberpsychology, Behavior, and Social Networking (available from the Library of Congress here or via this site for a fee), much of the 419 activity takes place in cybercafes, where “bulk tickets are sold for sending spam emails and some systems are dedicated to fraudsters for hacking and spamming.”

The keylog records available for the entries marked “Yahoo Boys” show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

Perhaps some enterprising Nigerian spammers simply infected a bunch of these cybercafe machines to save themselves some work. It is also possible that vigilante groups which target 419 scammers — such as Artists Against 419 and 419eater.com — were involved, although it’s difficult to believe those guys would bother with such a rudimentary service.

BestRecovery gives customers instructions on how to use a provided tool to create a custom Windows-based keylogger and then disguise it as a legitimate screensaver application. New victims are indexed by date, time, Internet address, country, and PC name. Each keylogger instance lets the user specify a short identifier in the “note” field (failing to manually enter an identifier in the note field appears to result in that field being populated by the version number of the keylogger used). Interestingly, many of the victim PCs have a curious notation: “Yahoo Boys”.

Keylog data [partially redacted] that was apparently collected from a Yahoo Boy.

BLACK HAT OR BLACK MAGIC?

As noted in the above-mentioned academic paper (“Understanding Cybercrime Perpetrators and the Strategies They Employ in Nigeria”), the term “Yahoo Boys” is the nickname given to categories of young men in Nigeria who specialize in various types of cybercrime. According to that paper, in which researchers spent time with and interviewed at least 40 active Yahoo Boys, most of the cybercrime perpetrators in Nigeria are between the age of 22 and 29, and are undergraduates who have distinct lifestyles from other youths.

“Their strategies include collaboration with security agents and bank officials, local and international networking, and the use of voodoo [emphasis added]. It was clear that most were involved in online dating and buying and selling with fake identities. The Yahoo boys usually brag, sag, do things loudly, drive flashy cars, and change cars frequently. They turn their music loud and wear expensive and latest clothes and jewelry. They also have a special way of dressing and relate, they spend lavishly, love material things, and go to clubs. They are prominent at night parties picking prostitutes at night. They also move in groups of two, three, and four when going to eateries. They speak different coded languages and use coded words such as “Mugun,” “Maga,” and “Maga don pay,” which all means “the fool (i.e., their victim) has paid.”

I had never heard that Nigerian 419 scammers relied on voodoo to increase their email mojo, and I must admit the next part of the study freaked me out a little bit. According to the researchers, the use of voodoo and charms for spiritual protection and to charm potential victims is very common among Yahoo Boys in Nigeria, and is referred to as “Yahoo Plus.” But wait, there’s more. From the paper:

“Another level of this is referred to as ‘Yahoo Plus Plus,’ which…. involves the use of human parts and may need kidnapping other human beings for rituals, which is not necessary in ‘‘Yahoo Plus.’’ In Yahoo Plus Plus, the use of things such as their finger nails, rings, carrying of corpses, making incision on their body, sleeping in the cemetery, citing of incantation, using of their fingers for rituals, and having sex with ghosts are common. A few of the informants, however, denied that they use voodoo in the business, whereas others affirmed their use of voodoo.”

While many of the victims of this keylog service appear to be 419 scammers, I found that just as often an account was apparently being used to keep tabs on trusting Americans who were being duped into sending money overseas, either in pursuit of some stolen riches or — more often — in hopes of finally meeting someone they had only met online. Often when I reviewed logs chronicling some sad situation in which a woman or man in the United States was apparently the victim of a romance scam, the identifier in the “note” field of each keylog record was “picture.” It seems clear that these romance scammers are infecting their bogus sweethearts by disguising the keylogger as pictures of themselves.

The other pattern that became evident after reviewing all of this BestRecovery user data was that roughly ten percent of the user email addresses were tied to active Facebook accounts. As might be expected, a lot of those accounts used aliases — my personal favorites being “MoolahGroup Nigeria” and “Unscrupulous Buccaneer.” Still other accounts were tied to legitimate, personal Facebook pages. Nearly all of the users who listed their location were in Lagos, Nigeria or Kuala Lumpur, Malaysia (with the exception of accounts apparently set up to assist in dating scams).

I put together the following slideshow, which displays just some of the Facebook profiles used by the most active customers of this keylog service. The music for this photo montage was taken from the 419 apologist video called, I Go Chop Your Dollar, which apparently is well-known in 419 scammer circles and explains that 419 scams are “just a game,” and that everyone plays them.

The lyrics to the song are, in part:

419 no be thief, it’s just a game
everybody dey play ’em
If anybody fall mugu [fool]…
Ha! my brother, I go chop dem

Oyinbo [white] man, I go chop your dollar
I go take your money and disappear
419 is just a game
You are the loser, I am the winner

In any case, it’s likely there will be a whole line of Krebs-themed voodoo dolls somewhere in Lagos not long after this story runs. Stay tuned for the next piece in this series on 419 scams, which examines the connections between and among the 280 or so Nigerian users of this service who had Facebook accounts.

One final note: It took a crazy amount of time to pore through all this data and to do so many Facebook lookups. It would have taken an eternity, had it not been for the help of Damon McCoy, assistant professor of computer science at George Mason University (my alma mater). McCoy and his band of willing grad students agreed to help with the laborious work of conducting thousands of Facebook account lookups, and then finding new Facebook accounts to do more lookups when Facebook suspended accounts for conducting too many lookups (the threshold seems to be around 50 lookups before Facebook locks an account for 24 hours). I’d also like to recognize the work of KrebsOnSecurity reader Patrick Madigan, who helped with lookups and with some of the research that will feature in the next story in this series.

110 thoughts on “Spy Service Exposes Nigerian ‘Yahoo Boys’”

  1. Daniel

    Good job guys…. Interesting reading this, even though I have watched documentaries on CNN about this….

    The other thing is I am a Nigerian who lives in Nigeria among these people…. They are no good people; they scam even Nigerians within the country as well. They intimidate and sometimes kill.

    I have never been a victim, but I receive a lot of their mails. I can easily spot a scam mail when I see one, but a lot of people have been victims..

    However, I read a comment that it’s Govt sponsored. That is not correct. They are not sponsored; it’s just that government is not giving priority attention to fighting it, because this is not a physical crime, and they lack the technology needed to provide evidence to prosecute these boys. So when they are taken to court, most of the time they are set free due to lack of evidence…

    Also, the victims in my own opinion are to blame, because I see no reason you are prepared to collect money from someone you did not give money to keep, or you send money to someone you have never met. I believe if they were not greedy they wouldn’t have fallen victims…

    No matter how rosy they coin the mail, I can’t fall for it because I am not planning to reap where I did not sow.

  2. B.Wolff

    I don’t think these are clients, but instead this is some sort of membership portal. I suspect they are all Yahoo Boys and this is a place for them to go and trade information and trade craft.

  3. d don

    Thanks for this exposure but let us get this straight. Over 90% of Nigerian young graduates are unemployed and the govt is taking billions to your countries unchecked; what do you expect these young men to do? Sit and watch themselves starve to death? When Bush visited Nigeria in 2006, he sealed the face of corruption in the Nigerian oil sector and legalised Nigerian corruption internationally, so our problem is you. You people have taken all our resources and caused corruption to be the order of the day. Who is to blame? To be more clear, it is these young men who are more patriotic than the government because they bring money to help their families while the govt takes away with the collaboration of Europe and America. So go judge yourself before you judge us.

  4. Li Pan

    Whoever wrote this article is just a racist..

    Scams happen all over the world. If you go through the Wikipedia page on internet fraud (http://en.wikipedia.org/wiki/Internet_fraud) you will discover there are many types of fraudsters, but if you type scam on the internet you will see many vigilante sites all focused on African scams; they support their local fraudsters and spite the African fraudsters, including whoever wrote this crap. I’ve not seen any vigilante for click fraud but I know a lot of White and Arab folks that survive on click fraud.

    This article contains a lot of missing information that could change your point of view. For starters the service was created by a Pakistani student; this particular service paid all his bills through his university. (I bet if he begs the owner of this blog for money for university he would not provide.)

    Furthermore the service has existed since 2005 and has been used for major damage and spy activities, which was not mentioned in this article, and those damages were done by Asians and Arabs and South Americans using this particular service. I didn’t see any mention of that in this article also.

    The emails were carefully filtered to affect mostly Africans, and people that used the service used it in spying on each other, not even to use as a scam tool. There were so many emails with Facebook accounts in the list that were missed out from the slide… I start to wonder how smart the professor Damon McCoy would be, or is he just another racist?

    This article was created to make an impression but the writer is so naive and far from the truth because of his plight to make Africans look dumb. Then he brings Voodoo into the matter; can a spyware use voodoo??

    But I have known this service since 2005 and plenty of damage it’s done beyond your imagination. It was called KeySpy back in the days before bestrecovery.

    My Questions.

    A Nigerian didn’t make that software, why do you blame them?

    How do you know it’s the celebrated Yahoo Boys that use the service?

    The American Government are spying on you; what makes them better than the users of the service?

    I believe the American Government wish they had voodoo…. lol.

    After reading this article it was so funny, I thought the racist days were over..

    If you want to fight a war against fraudsters, start from the top dude..

    1. Adams

      I have the complete database and logs which contains not only Africans but also Americans, Malaysians, Arabs, Pakistan, Philippine, etc.

  5. Elite

    THE ONES WHO MAKE AND CODE BOTNETS AND OTHER MALWARE TOOLS…why not get them lol

  6. enjejem

    You Americans and non-Africans polluted our country with corruption; it’s still our money that our leaders take to your country, so who is holier? Well, I wouldn’t blame the yahoo boys, cos if you insist Nigeria is corrupt then you people are the cause.. When pointing a finger, mind you 3 are pointing back at you…these boys are trying to stay alive with the dilapidated state of the economy

  7. robinson3d

    I see no reason why it should be Nigeria! Nigeria! Nigeria! The country is not as bad as you think. In every place, there must be a bad man. So that is it

  8. Adams

    I have the complete database and logs which contains not only Africans but also Americans, Malaysians, Arabs, Pakistan, Philippine, etc.

  9. Adams

    So, this is not Nigerian boys; the writer is only being political….. Stop blackmailing Nigerians. Email me and I’ll give you my proof. I am a white hat hacker and I am proud of who I am…

  10. mark

    This man with all this information is one of what he is saying; just because his own site is not patronised, he now talks bad about privaterecovery or bestrecovery. However, all his words are fake and he is an evil man with a very bad heart. Please don’t mind his stories; nothing bad about privaterecovery or bestrecovery.
    I have done my own investigations and I found out nothing.

    Thanks

  11. john

    Please note that the person with all these stories is a staff member working with privaterecovery or bestrecovery who has now broken up from them and now has his own site. All these stories are to kill the image of privaterecovery or bestrecovery because his own keylogging site is not patronised. Beware of fake and bad people like him, because he personally wrote back to me introducing a new keylogging site, which happens to be his, but I don’t use the site and I don’t have such time.

  12. Madmonkey

    “and having sex with ghosts are common.”
    Now I have seen everything! LOL

  13. okoye

    I’m gonna sue you guys.. Just wait and see.. I’m an ethical hacker (a white hat). And yes I purchased that software for a project purpose. So you don’t have a right to call me a scammer or spoil my image online.

    1. Hans

      okoye, I know of the best lawyer you could use to sue, but he is under contract with the Scamgerican government…

      For $10,000 I can get the contract cancelled and we can start suing to restore your Marius image…

      You will make millions!

  14. JP

    I can’t decide what is funnier. The comment section or the article itself.

    The people who do this activity are pitiful and petty. Look how silly they look on Facebook.

    It’s all hilarious. What’s more fun is scamming these wannabe scam artists. I had the privilege to do this back in 2007. Hope to have the chance again soon.

  15. Gary

    I suspect the to and fro of debate in this comment thread will be one of those rare cases that go on and on, ad infinitum, for as long as the internet continues to exist – both sides serving up their most scathing tongue-in-cheek rebukes and the other side smashing each back with equally witty repartee, a relished nod and a knowing wink.

    I’ll make sure to log in every now and then over the next few days, weeks, months and years to keep track.

    Most entertaining.

  16. david

    Pls can someone explain something to me? How does the owner of this blog confirm these guys are all scam artists.. Does using a keylogger make someone a scam artist? Or did he catch any of them sending any form of fraudulent email with it? What if the person in question is using it for internet security purposes? Pls explain this cos I wanna be sure you’re not spoiling people’s image to create traffic on the internet and make some money from Google

  17. JMJ Squared

    I am extremely disappointed and somewhat surprised by an underlying tone running through this article, as it comes from one I considered more enlightened.

    — What exactly defines a “ghetto” website or anything else, for that matter? Nationality? Certainly not race, right?

    — Does the author know that vudun, sometimes *transliterated* voodoo, is an ancient, widely practiced, benevolent and respected religion, which, of course, he would never deride?

  18. Hans

    Paul, nothing in this article says anything about skin color, but because you are likely black, your moral outrage and defense turns to charge others as racist…

    When you have no firm argument, just resort to name calling and expletives..

    The rest of your post and its language really says a lot about you, and you are only a young youth..

    As Li Pan said, ” please expand your knowledge about life.”

    1. JMJ Squared

      Respectfully, my “knowledge about life”, my education, my world travels are considerable and equal-to or greater-than most, including probably your own. Yet, like PAUL SHU and LI PAN, I detect a code-worded racism (“ghetto website”) and Nigeria-bashing.

      Momentarily using the same logic you used in deducing PAUL SHU is “likely Black”, I think that your “likely being” German and, therefore, inclined to murderous racial/religious/ethnic viewpoints, makes it difficult for you to grasp what he is saying.

      Of course, in addition to “Nigerian = email scammer” , we can identify similar nefarious traits in other nationalities; for example:
      1. American = spy and trojan-producer.
      2. Israeli = banking-scammer and trojan-producer.
      3. Chinese = malware coder, baby killer.
      4. Korean = patent-infringer, intellectual-property thief.
      5. Japanese = intentionally-fatally-defective auto producer.

      With little imagination not worthy of a serious journalist, I’m sure that you could add to my “examples” very easily.

      Krebs is a serious journalist but he either dropped the ball on this one or he allowed some reprehensible, personal prejudices to creep into this article. I hope it was the former.

      With little thought

  19. Paul shu

    Hans i think you should read the article again. Because he is basing online scam to Nigerians alone.

  20. Hans

    Paul, it is not true, but if I am wrong please leave a cut and paste…

    The author would only discredit himself, by suggesting that Nigeria is the ONLY scamming nation on the planet…

    There are plenty of scammers in America: the real difference is that in the USA, efforts are made to arrest and prosecute them…

    Put Boko Haram in charge of The 419 Department and these crimes would be greatly reduced…

  21. Dada

    It’s unfortunate that these western powers took our riches from our ancestors cuz they were kinda not that smart, and think their descendants won’t do something about it. I won’t care if I am being ripped off after years of ripping others off, get it?

  22. Just Saying

    “Why do Nigerian Scammers Say They are from Nigeria?”

    http://research.microsoft.com/apps/pubs/?id=167719

    Well, they may be insane and stupid. Or they may be playing the odds.

    From the abstract:
    Finally, this approach suggests an answer to the question in the title. Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.
