Interpol and the Economic and Financial Crimes Commission (EFCC) have arrested three Nigerians in connection with cybercrimes against oil and gas companies.
The three men used a malicious Remote Access Trojan (RAT), known as Agent Tesla, the agencies said. Interpol said the men had used the RAT to “reroute financial transactions” and steal confidential details from companies.
Those targeted were from Southeast Asia, the Middle East and North Africa.
Interpol launched its global operation, named Killer Bee. The EFCC arrested the three in a sting operation, in a Lagos suburb and in Benin City.
“Through its global police network and constant monitoring of cyberspace, Interpol had the globally sourced intelligence needed to alert Nigeria to a serious security threat where millions could have been lost without swift police action,” said Interpol director of cybercrime Craig Jones.
Jones said the agency expects to carry out more arrests around the world, with more intelligence coming in.
A Nigerian court has convicted one of the three and sent him to prison for 12 months. The other two are on trial.
“Cybercrime is spreading at a fast pace, with new trends constantly emerging. Through operations like Killer Bee, Interpol supports EFCC in keeping pace with new technologies and understanding the possibilities they create for criminals and how they can be used as tools for fighting cybercrime,” said EFCC director of operations Abdulkarim Chukkol.
The EFCC official said the action sent a “clear message that cybercrime will have serious repercussions for those involved in business email compromise fraud, particularly in Nigeria”.
The Singapore government supported Killer Bee, which was led by the ASEAN Cybercrime Operations Desk.
Interpol received intelligence on the RAT malware from Trend Micro.
Partners include Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, Philippines, Singapore, Thailand and Vietnam.
The three arrested are 31 to 38 years old, EFCC said.
Malwarebytes reported on a Nigerian cybercrime ring in early May that used Agent Tesla. The software company reported the ring leader was born in 1985.
The Nigerian Tesla group stole more than 800,000 credentials from 28,000 victims, it said.
“In this case we see an interesting evolution from a threat actor that was performing the classic advance-fee scam (419 scam) before moving into the malware distribution world, more or less for the same end goal,” said Malwarebytes.
While the threat is real, the Nigerian scammer made a number of mistakes. “The attacker managed to infect his own machine,” Malwarebytes said. He also managed to reveal his own IP address, pointing to an address in Lagos.