A long-running Nigerian cybercrime ring has been targeting established companies in the transportation and aviation industries through sophisticated phishing campaigns, compromising email accounts to trick customers into sending large payments to scammers.
What Happened
KrebsOnSecurity recently reported on a successful phishing campaign that targeted an executive at a company in the transportation industry. The attackers created a fake Microsoft 365 login page and tricked the executive into entering their credentials, which were then used to mine the executive's inbox for past communications about invoices.
The attackers copied and modified some of these messages with new invoice demands, sending them to customers and partners of the company. At least one customer fell for the ruse and paid a phony invoice, resulting in a six-figure financial loss. The attackers had spun up a look-alike domain just a few hours after the executive's inbox credentials were phished.
The investigation into the attackers' infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries. A reader who works in the transportation industry sent a tip about the recent successful phishing campaign, sharing details about the attack and its aftermath.
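A defensive check for the look-alike sender domain described above, as an added example that is not from the original article: it flags inbound sender domains that closely resemble a known partner domain and raises the severity when the domain was registered recently. The partner list, domain names, registration dates, and the 30-day and edit-distance thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed allow-list: domains this organisation already trades invoices with.
TRUSTED = {"northwind-cargo.example", "sternaviation.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain: str) -> str:
    """Fold a few visually confusable sequences so 'rn' and 'm' compare equal."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(src, dst)
    return domain

def classify(sender: str, registered_at, now, max_dist=2, young=timedelta(days=30)):
    """Return (verdict, imitated_domain) for the domain of an inbound sender."""
    d = sender.lower().rstrip(".")
    if d in TRUSTED:
        return ("trusted", None)
    for t in sorted(TRUSTED):
        same_label = d.split(".")[0] == t.split(".")[0]  # same name, other TLD
        if same_label or skeleton(d) == skeleton(t) or edit_distance(d, t) <= max_dist:
            # Unknown registration date is treated as new: fail closed.
            fresh = registered_at is None or now - registered_at <= young
            return ("block" if fresh else "review", t)
    return ("unknown", None)

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLES = [  # constructed (sender domain, registration time) pairs
    ("northwind-cargo.example", datetime(2015, 3, 1, tzinfo=timezone.utc)),
    ("northwlnd-cargo.example", NOW - timedelta(hours=6)),
    ("stemaviation.example", None),
    ("northwind-cargo.test", datetime(2022, 5, 9, tzinfo=timezone.utc)),
    ("unrelated-vendor.example", datetime(2019, 8, 20, tzinfo=timezone.utc)),
]

def run_samples():
    return [classify(dom, reg, NOW) for dom, reg in SAMPLES]

if __name__ == "__main__":
    for (dom, _), verdict in zip(SAMPLES, run_samples()):
        print(dom, verdict)
```

A distance threshold of 2 produces false positives on very short domain names, so a "review" verdict is meant to route the message to a human before any payment details are acted on.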
Background and Context
The email addresses associated with the imposter domain are tied to many such phishing domains, with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.
An Internet search for one of these email addresses reveals a humorous blog post from 2020 on the Russian forum hackware[.]ru, which found that this email address was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page.
DomainTools shows that some of the early domains registered to this email address in 2016 include other useful information. For example, the WHOIS records for alhhomaidhicentre[.]biz reference the technical contact of "Justy John" and the email address [email protected].
Why It Matters to the Industry
This phishing campaign highlights the ongoing threat posed by sophisticated cybercrime groups targeting legitimate businesses. The use of fake login pages, invoice scams, and look-alike domains is a common tactic used by these groups to compromise email accounts and trick customers into sending large payments.
The fact that this group has been active since at least 2012 and has registered over 240 domains in the past year or so suggests a high level of organization and sophistication. The use of multiple email addresses, phone numbers, and aliases also makes it difficult for cybersecurity and law enforcement organizations to track down the individuals behind these attacks.
This type of phishing campaign poses a significant threat to adult-industry platforms and operators, who often rely on email communications with customers and partners. The use of fake login pages and invoice scams can be particularly effective in tricking recipients into sending large payments, highlighting the need for robust security measures and employee training programs.
What Comes Next
The Financial Crimes Enforcement Network (FinCEN) has a 66 percent success rate in freezing fraudulent funds wired by victims. Viable victim complaints filed with ic3.gov promptly after a fraudulent transfer will be automatically triaged by FinCEN.
Palo Alto's Unit 42 researchers have published a list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks, including conducting regular employee security training and reviewing network security policies. Getting familiar with the "financial fraud kill chain" or FFKC is also crucial for BEC victims seeking to claw back payments made to fraudsters.
Key Facts
- The Nigerian cybercrime ring has been targeting established companies in the transportation and aviation industries through sophisticated phishing campaigns.
- The attackers use fake login pages, invoice scams, and look-alike domains to compromise email accounts and trick customers into sending large payments.
- At least 240 domains registered in 2024 or 2025 are tied to the email addresses associated with the imposter domain, with virtually all of them mimicking legitimate domains for companies in the aerospace and transportation industries worldwide.
- The group has been active since at least 2012 and uses multiple email addresses, phone numbers, and aliases to evade detection.
- FinCEN has a 66 percent success rate in freezing fraudulent funds wired by victims, with viable victim complaints filed with ic3.gov being automatically triaged by FinCEN.
The ongoing threat posed by sophisticated cybercrime groups highlights the need for robust security measures and employee training programs to protect against phishing campaigns like this one. Adult-industry platforms and operators must remain vigilant in protecting their email communications and customer data from these types of attacks.