Keylogger service provides peek inside Nigerian 419 scammers' tactics

Security researcher Brian Krebs has had a look at the contents of "BestRecovery" (now called "PrivateRecovery") a service used by Nigerian 419 scammers to store the keystrokes of victims who have been infected with keyloggers. It appears that many of the scammers -- known locally as "Yahoo Boys" -- also plant keyloggers on each other, and Krebs has been able to get a look at the internal workings of these con artists. He's assembled a slideshow of the scammers' Facebook profiles and other information.

While many of the victims of this keylog service appear to be 419 scammers, I found that just as often an account was apparently being used to keep tabs on trusting Americans who were being duped into sending money overseas, either in pursuit of some stolen riches or — more often — in hopes of finally meeting someone they had only met online. Often when I reviewed logs chronicling some sad situation in which a woman or man in the United States was apparently the victim of a romance scam, the identifier in the “note” field of each keylog record was “picture.” It seems clear that these romance scammers are infecting their bogus sweethearts by disguising the keylogger as pictures of themselves.

The other pattern that became evident after reviewing all of this BestRecovery user data was that roughly ten percent of the user email addresses were tied to active Facebook accounts. As might be expected, a lot of those accounts used aliases — my personal favorites being “MoolahGroup Nigeria” and “Unscrupulous Buccaneer.” Still other accounts that were tied to legitimate, personal Facebook pages. Nearly all of them who listed their location were users in Lagos, Nigeria or Kuala Lumpur, Malaysia (with the exception of accounts apparently set up to assist in dating scams).

Spy Service Exposes Nigerian ‘Yahoo Boys’ [Brian Krebs/Krebs on Security]