{"id":5615,"date":"2025-07-25T03:05:19","date_gmt":"2025-07-25T03:05:19","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/25\/phishers-target-aviation-execs-to-scam-customers\/"},"modified":"2025-07-25T03:05:19","modified_gmt":"2025-07-25T03:05:19","slug":"phishers-target-aviation-execs-to-scam-customers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/25\/phishers-target-aviation-execs-to-scam-customers\/","title":{"rendered":"Phishers Target Aviation Execs to Scam Customers"},"content":{"rendered":"<div>\n<p>KrebsOnSecurity recently heard from a reader whose boss\u2019s email account got phished and was used to trick one of the company\u2019s customers into sending a large payment to scammers. An investigation into the attacker\u2019s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.<\/p>\n<div id=\"attachment_71757\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-71757\" decoding=\"async\" class=\" wp-image-71757\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/shutterstock-airplanes.png?resize=749%2C535&#038;ssl=1\" alt=\"\" width=\"749\" height=\"535\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/shutterstock-airplanes.png 666w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/shutterstock-airplanes-100x70.png 100w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-71757\" class=\"wp-caption-text\">Image: Shutterstock, Mr. 
Teerapon Tiuekhom.<\/p>\n<\/div>\n<p>A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. From there, the attackers quickly mined the executive\u2019s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company\u2019s customers and partners.<\/p>\n<p>Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer\u2019s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive\u2019s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.<\/p>\n<p>The reader also shared that the email address in the registration records for the imposter domain \u2014 <strong>roomservice801@gmail.com<\/strong> \u2014 is tied to many such phishing domains. Indeed, a search on this email address at <strong>DomainTools.com<\/strong> finds it is associated with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.<\/p>\n<p>An Internet search for this email address reveals <a href=\"https:\/\/web.archive.org\/web\/20220514070749\/https:\/\/hackware.ru\/?p=12106\" target=\"_blank\" rel=\"noopener\">a humorous blog post from 2020<\/a> on the Russian forum hackware[.]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. 
We\u2019ll come back to this research in a moment.<\/p>\n<h2>JUSTY JOHN<\/h2>\n<p>DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful information. For example, the WHOIS records for <strong>alhhomaidhicentre[.]biz<\/strong> reference the technical contact of \u201c<strong>Justy John<\/strong>\u201d and the email address <strong>justyjohn50@yahoo.com<\/strong>.<\/p>\n<p>A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn\u2019t yet have enough information to draw any solid conclusions.<\/p>\n<p>DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for these Justy John domains. For example, the street address used by the Justy John domain <strong>axisupdate[.]net<\/strong> \u2014 7902 Pelleaux Road in Knoxville, TN \u2014 also appears in the registration records for accountauthenticate[.]com, acctlogin[.]biz, and loginaccount[.]biz, all of which at one point included the email address <strong>rsmith60646@gmail.com<\/strong>.<\/p>\n<p>That Rsmith Gmail address is connected to the 2012 phishing domain alibala[.]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). 
A search in DomainTools on the phone number in those domain records \u2014 1.7736491613 \u2014 reveals even more phishing domains as well as the Nigerian phone number \u201c2348062918302\u201d and the email address <strong>michsmith59@gmail.com<\/strong>.<\/p>\n<p>DomainTools shows michsmith59@gmail.com appears in the registration records for the domain <strong>seltrock[.]com<\/strong>, which was used in the phishing attack documented in <a href=\"https:\/\/web.archive.org\/web\/20220514070749\/https:\/\/hackware.ru\/?p=12106\" target=\"_blank\" rel=\"noopener\">the 2020 Russian blog post<\/a> mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.<\/p>\n<p>The same Nigerian phone number shows up in dozens of domain registrations that reference the email address <strong>sebastinekelly69@gmail.com<\/strong>, including <strong>26i3[.]net<\/strong>, <strong>costamere[.]com<\/strong>, <strong>danagruop[.]us<\/strong>, and <strong>dividrilling[.]com<\/strong>. A Web search on any of those domains finds they were indexed in <a href=\"https:\/\/github.com\/pan-unit42\/iocs\/blob\/master\/silverterrier\/domains.csv\" target=\"_blank\" rel=\"noopener\">an \u201cindicator of compromise\u201d list on GitHub<\/a> maintained by <strong>Palo Alto Networks<\/strong>\u2019 <strong>Unit 42<\/strong> research team.<span id=\"more-71635\"><\/span><\/p>\n<h2>SILVERTERRIER<\/h2>\n<p>According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed \u201c<strong>SilverTerrier<\/strong>\u201d back in 2014. 
In <a href=\"https:\/\/unit42.paloaltonetworks.com\/silverterrier-nigerian-business-email-compromise\/\" target=\"_blank\" rel=\"noopener\">an October 2021 report<\/a>, Palo Alto said SilverTerrier excels at so-called \u201c<strong>business e-mail compromise<\/strong>\u201d or <strong>BEC<\/strong> scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.<\/p>\n<p>Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by <strong>Interpol<\/strong>. In 2022, Interpol and the Nigeria Police Force <a href=\"https:\/\/www.interpol.int\/en\/News-and-Events\/News\/2022\/Nigerian-cybercrime-fraud-11-suspects-arrested-syndicate-busted\" target=\"_blank\" rel=\"noopener\">arrested 11 alleged SilverTerrier members<\/a>, including <a href=\"https:\/\/unit42.paloaltonetworks.com\/operation-delilah-business-email-compromise-actor\/\" target=\"_blank\" rel=\"noopener\">a prominent SilverTerrier leader<\/a> who\u2019d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.<\/p>\n<p>BEC scams were the 7th most reported crime tracked by the FBI\u2019s <strong>Internet Crime Complaint Center<\/strong> (IC3) in 2024, generating more than 21,000 complaints. 
However, BEC scams were the second most costly form of cybercrime reported to the feds last year, with <em>nearly $2.8 billion in claimed losses<\/em>.\u00a0In its <a href=\"https:\/\/www.afponline.org\/training-resources\/resources\/survey-research-economic-data\/Details\/payments-fraud\" target=\"_blank\" rel=\"noopener\">2025 Fraud and Control Survey Report<\/a>, the <strong>Association for Financial Professionals<\/strong> found 63 percent of organizations experienced a BEC last year.<\/p>\n<p>Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people residing in Nigeria or in the United Arab Emirates, many of whom do not appear to have tried to mask their real-life identities. Palo Alto\u2019s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to conceal their identities, it was usually simple to learn their identities on social media accounts and the major messaging services.<\/p>\n<p>Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.<\/p>\n<p>\u201cWe continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,\u201d the researchers wrote.<\/p>\n<h2>FINANCIAL FRAUD KILL CHAIN<\/h2>\n<p>Palo Alto has published <a href=\"https:\/\/unit42.paloaltonetworks.com\/operation-falcon-ii-silverterrier-nigerian-bec\/#protections-and-mitigations\" target=\"_blank\" rel=\"noopener\">a useful list of recommendations<\/a> that organizations can adopt to minimize the 
incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies.<\/p>\n<p>But one recommendation \u2014 getting familiar with a process known as the \u201c<strong>financial fraud kill chain<\/strong>\u201d or FFKC \u2014 bears specific mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don\u2019t know it exists until it is too late.<\/p>\n<div id=\"attachment_71758\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71758\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71758\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/07\/ffkc-fbi.png?resize=749%2C786&#038;ssl=1\" alt=\"\" width=\"749\" height=\"786\"><\/p>\n<p id=\"caption-attachment-71758\" class=\"wp-caption-text\">Image: ic3.gov.<\/p>\n<\/div>\n<p>As explained in <a href=\"https:\/\/www.justice.gov\/elderjustice\/media\/1364056\/dl?inline\" target=\"_blank\" rel=\"noopener\">this FBI primer<\/a>, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose purpose is to freeze fraudulent funds wired by victims. 
According to the FBI, viable victim <a href=\"https:\/\/www.ic3.gov\/CrimeInfo\/BEC\" target=\"_blank\" rel=\"noopener\">complaints filed with ic3.gov<\/a> promptly after a fraudulent transfer (generally less than 72 hours) will be automatically triaged by the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Financial_Crimes_Enforcement_Network\" target=\"_blank\" rel=\"noopener\">Financial Crimes Enforcement Network<\/a> (FinCEN).<\/p>\n<p>The FBI noted in its <a href=\"https:\/\/www.ic3.gov\/AnnualReport\/Reports\/2024_IC3Report.pdf\" target=\"_blank\" rel=\"noopener\">IC3 annual report<\/a> (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all records from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.<\/p>\n<\/div>\n<p>Brian Krebs<\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2025\/07\/phishers-target-aviation-execs-to-scam-customers\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phishers Target Aviation Execs to Scam Customers KrebsOnSecurity recently heard from a reader whose boss\u2019s email account got phished and was used to trick one of the company\u2019s customers into sending a large payment to scammers. 
An investigation into the attacker\u2019s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,1613,1614,368,679,440,1615,1616,1617,55,190,1618,1619,1620,1612,1621],"tags":[72],"class_list":["post-5615","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-association-for-financial-professionals","category-bec","category-breadcrumbs","category-business-email-compromise","category-domaintools","category-financial-fraud-kill-chain","category-internet-crime-complaint-center","category-justy-john","category-krebsonsecurity","category-neer-do-well-news","category-palo-alto-networks","category-roomservice801gmail-com","category-silverterrier","category-target-small-businesses","category-unit-42","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5615"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5615"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5615\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5615"}],"curies":[{"name":"wp","h
ref":"https:\/\/api.w.org\/{rel}","templated":true}]}}