Thursday, November 26, 2020

Major Nigerian Phishing and BEC Actors, SSGToolz and CeeCeeBossTMT, Arrested by Nigerian Police and Interpol

 An Interpol headline on November 25, 2020 announces "Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group" however the article does not name the suspects.  The Interpol article says the three are "believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams."  Interpol's Craig Jones says the year-long investigation was known as "Operation Falcon."

The Nigerian Police actually did a press release about the trio on November 19th.  From that we find photos of the three criminals and more information about their crimes and names. The leader of the trio, Onuegwu Ifeanyi, is known online as SSGToolz.  According to the Nigerian Police, he "specializes in creating, designing, and selling phishing links and hosting malware on websites used by the gang for phishing and hacking purposes.  He collects charges running into several millions of naira from other fraudsters he mentors and improves their phishing capabilities."
Onwuka Emmanuel Chidiebere, also known as Ceeceeboss TMT, graduated from Imo State University and specializes in Business Email Compromise (BEC) and hacking. His laptop had over 50,000 email accounts with passwords harvested from various individuals and businesses worldwide.
CeeCeeBoss TMT recruited the third of the trio, Ikechukwu Ohanedozie, who was known as Dozzy. A medical school student also from Imo State, Dozzy's job was sorting out the email accounts and doing research "to determine financial strengths of prospective victims and pass the information to Ceeceeboss.
SSGToolz was not at all discrete with his work, creating his own domain for his tools, appropriately named ssgtoolz[.]net.  From there we see that he also used the gmail account, which was associated with the creation of 85 domain names.

Some of these domain names were used to anchor other types of fraud, for example "c-clh[.]com" was confirmed to be hosting malware on 17JUL2020 and 19JUL2020, and as recently as 22SEP2020, which VirusTotal says was detected as Andromeda, Fareit, or Lokibot by various anti-virus vendors.

He also used this domain to host phish, such as "[.]com" 

According to the ZoneCruncher tool from Zetalytics, At least 76 domains of his domains were observed resolving in their Passive DNS systems.  Many of them were "look alike" domains, likely used for sending malicious email.  Some xamples of these would include: 

agogpharrna[.]com (the "rn" supposed to look like an "m" to imitate agogpharma) 
iescornputers[.]com (the "rn" supposed to look like an "m" for iescomputers) 
tataintiernational[.]com (an extra "i" to imitate tatainternational) 
owenscorming[.]com (an "m" instead of an "n" for OwensCorning) 

Others seem more targeted as general "technical" phish, such as "server-update-mail-verification[.]com" which he registered 12JUN2019, or "itbackupserver[.]com" registered the same day.

CeeCeeBossTMT liked to boast of his wealth on Instagram, although he gave God Almighty all the thanks for the proceeds of his crime.  He also liked to imply that his hard work in the music studio was somehow the source of his wealth, rather than the millions he stole from innocent victims around the world.

Gotta admit, I'm thinking of finding that green track suit and shoes combo for myself.  What do you think?  Also, can anyone tell me which South African airport that top left shot was taken in?

The "TMT" coincides with his TMT Liquor Store, which he frequently tags in his posts.  TMT Liquor shares their WhatsApp Number, +234 901 069 2587 on their Instagram Bio @tmtliquorstore.

We look forward to hearing more about how these three are tied into the larger infrastructure of cybercrime in Nigeria.  If you have more information, please do reach out!


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.