Bennett Oghifo
Global cybersecurity leader, Trend Micro Incorporated, has announced that its close cooperation with INTERPOL on the organisation’s Africa Cyber Surge II operation has led to the identification of more than 20,000 suspicious cybercrime networks across 25 countries on the continent.
A statement by Trend Micro said Cybercrime is a global phenomenon with a long history in Africa. The Nigerian 419 scam was for years a staple of email-based fraud, and today its modern successors range from phishing and business email compromise (BEC) to romance scams. As countries across the continent digitise at a rapid pace, local criminal gangs are realising they have a potentially massive pool of victims to target both at home and abroad.
“There is often a misconception around how threat actors are not present on the continent. But it would be a mistake to underestimate cybercriminals in Africa. In fact, it’s become critical for organisations in both the public and private sectors to work together to fight against the growing onslaught of malicious online activity. That’s why Trend Micro welcomes the opportunity to work with law enforcement to shut down local cybercrime operations,” said Emmanuel Tzingakis, Technical Lead, African Cluster at Trend.
Following a successful campaign to counter cybercrime on the continent last year, the policing alliance ran a four-month sequel beginning in April 2023. Law enforcers in 25 countries participated, under the auspices of the INTERPOL Africa Cybercrime Operations Desk and INTERPOL’s Support Programme for the African Union in relation to AFRIPOL (ISPA). Police made 14 arrests and identified a massive 20,674 suspicious cybercrime networks linked to losses of over $40m.
Along with the alliance partners, Trend Micro was able to share information on: 3,786 malicious command and control servers, 14,134 victim IPs linked to data stealer cases, 1,415 phishing links and domains, and 939 scam IPs.
Over 400 other malicious URLs, IPs and botnets. Operation reveals current trends in the African threat landscape.
The information provided by Trend Micro to investigators offers insights into current trends within the African threat landscape. During the most recent African Surge operation, the following was uncovered by the Trend Micro team:
The malicious infrastructure of 1,500 malicious IP addresses through Trend’s Global Threat Intelligence. These were located mainly in South Africa (57%), Egypt (14%), the Seychelles (5%), Algeria (5%) and Nigeria (4%). These IPs were linked to notorious malware families including Quakbot and Emotet, which are key enablers of ransomware and other threats.
Around 200,000 detections of malicious traffic in the first quarter of 2023, linked to scams (44%), malware (25%), phishing (17%) and command-and-control servers (13%). Most of these were facilitated by bulletproof hosting services in the Seychelles (140,000 detections) and South Africa (56,000).
Information about prolific offshore bulletproof hosters such as 1337team Limited (48%), Petersburg Internet Network Ltd (19%) and Flokinet Ltd (13%).
Information on the ELITETEAM bulletproof hoster based in the Seychelles, which we linked to threat activity including Redline Stealer, Agent Tesla, Azorult Stealer, and Racoon Stealer, as well as generic ransomware and backdoors.
Intelligence requested by INTERPOL on at least 10 suspects engaging in fraud and BEC. Through open-source tooling and crosschecking of entities such as mobile numbers, email addresses, names, aliases, IP addresses, and social media accounts, Trend Micro was able to provide invaluable assistance to investigators.
“The African Surge operation is a testament to what can be achieved when cybersecurity vendors and law enforcers work together to disrupt cybercrime networks. Trend will continue to leverage our threat intelligence to drive key insights around criminal activities in Africa and beyond, helping to put a stop to their exploitation of unsuspecting victims,” concludes Tzingakis.
