Bank customers, companies lose billions to Nigeria’s weak cybersecurity
Godfrey George writes on how Nigerian institutions can strengthen their cybersecurity to safeguard themselves against illegal hackers
Students of Babcock University, Ilishan-Remo, Ogun State, a private Christian co-educational university owned and operated by the Seventh-Day Adventist Church, could not believe their eyes when they logged into their school’s website on Tuesday.
Some hackers had broken the site’s firewall, taken full control of the website and even posted pornographic materials.
An ex-student, who did not want to be named, said she almost dropped her phone when she opened the website to apply for her transcript that morning.
The 22-year-old, who recently graduated from the varsity’s engineering faculty, told Sunday PUNCH that she felt embarrassed and threatened, at the same time.
“I felt like I couldn’t breathe for a moment. We are talking about a university’s website overtaken by hackers who post pornographic pictures and videos,” she said.
Going online to chat with her friend in her class WhatsApp group, news of the intrusion had already spread to her utmost shock.
On Twitter, a user, Dami Adenuga, took a screenshot of the ‘porn-infested’ website interface and splashed it on his page.
He wrote, “Babcock University’s website was hacked and porn was uploaded there. You people no dey fear God?”
Hours after the cyberattack on the site, our correspondent, who monitored the situation, observed that more content was being uploaded hours after the first one went out.
The hackers requested visitors to the website to click on a link to chat live with pornstars.
For a faith-based institution, the cyberattack was a hit from a thunderbolt.
Reaching out to a source within the school information technology department on that day seemed impossible as the lines rang out.
Hours later, the source called back to say the lewd content had been brought down but declined to speak on the kind of attack it was and if a ransom was paid to the hackers.
“Bro, it was a terrible one. We worked with external hands to take back the website and we have improved website security,” he simply said with a cold tone.
Tech experts believe that it must have been a ransomware attack, where a hacker or a group of hackers, take over a site and the real owners are required to pay a ransom to retrieve the site.
A Lagos-based tech entrepreneur, Mba Mba, noted that the Babcock situation might not be that straightforward.
“It will be hard to know exactly who is responsible except if the school decides to engage other cybersecurity experts to look into the matter. This means employing legal hackers to fish out whoever is responsible would be the beginning.
“But, from this end, it could have been an internal breach just to demean the university, which prides itself as one of the best faith-based institutions in the country.
“It could have been a ransomware attack or a denial of service or session hijacking, also known as a man-in-the-middle attack. Only a proper assessment can prove that,” he added.
The day after the attack, the management of the varsity apologised for the glitches.
The university’s Director of Communication and Marketing, Joshua Suleiman, in a statement on Wednesday, confirmed that the school’s Information Management System Account was hacked
He said, “We never voluntarily, either by omission or commission, sent out such information to anyone, so we are sorry if it made a wrong impression. Rest assured, we have secured our network already.
“We have always recognised that constant vigilance is required to protect against intrusions because of our understanding that even the most diligent cybersecurity efforts have not been able to address all cyber risks that organisations face.
“This is why, unfortunately, malicious attacks and intrusion efforts are continuous and evolving, and in certain cases, they have been successful at the most robust institutions.”
The message by the school’s image maker highlighted a critical point – messages were sent out to users.
The ex-student who spoke to Sunday PUNCH noted that she got messages to click on some links but found out that they were fishy.
“I learnt some of my colleagues who clicked on the links had their data wiped out,” she added.
Schools as targets
In the past, cyberattacks like ransomware and data breaches happened in many schools and universities around the world, leading to the loss of sensitive information and damage to their reputations.
In 2015, the Federal University of Technology, Owerri, Imo State’s website was hacked by a syndicate identified as the Nigerian Cyber Army, known for its illicit acts of breaching cybersecurity
The hackers terrorised many websites with various attacks like malware – software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system – and SQL Injection Attacks – unauthorised access to sensitive data, such as passwords, credit card details and personal user information – for weeks on end.
A member of the group, Batch Fweak, was said to have made a post on Facebook, stating, “Nobody can stop me. FUTO on my mind.”
A few hours later, the university’s website was defaced as some students claimed that their data might have been tampered with.
Using what experts term a ‘noob trick’, which entails uploading a shell amidst other procedures to deface a website, NCA gained access to the site.
The university retrieved the website later that day.
An Oyo State-based school administrator, Mr Olu Francis, said hackers took over his secondary school’s website, got the personal information of some parents and sent them text messages.
“We (school management) didn’t notice it because we were still developing the site. But we had uploaded all the information of our students and parents/guardians there to get a feel of what it would look like,” he said.
To his surprise, some parents called to tell him that they got text messages to pay certain fees into a specified account with a strange name so they called to confirm.
“The annoying thing is that some parents already transferred the money and called me to ask if I got the alert. When I checked my other line, I found out that I was also sent that text message. It was like a nightmare. I was running helter-skelter in search of a solution.
“I asked the developer to shut down the site but it was already too late; the damage was massive. We are talking about over 800 students in a section of the school and another 1400 or so in another section,” he added.
Francis stated that he had to personally call every parent/guardian to tell them what happened after sending counter-text messages to them.
“I visited the bank to trace the account, but the bank said the person was not their customer and that the account that was used had been dormant for years and may have just been used as a pathway to siphon the money.
“It was amazing how a bank official would tell me that nonsense. I got a court injunction for the account to be frozen but, to my greatest surprise, the account truly had been dormant for more than five years. The owner had died years before that,” he added.
Frustrated, Francis said he got tired of the matter and dropped it but moved all the school’s funds from that bank to another one that promised better cyber safety.
Attacks on NPC, INEC servers
Barely months after the National Population Commission opened up its portal for recruitment and other needs, and weeks before a national census, scheduled to hold from May 3 to 5, hackers invaded the NPC server.
This, according to experts, may be a way to frustrate the project aimed at obtaining accurate figures for economic planning and other related matters.
A Manager at the NPC, Dr Inuwa Jalingo, at a meeting in Abuja, however, stated that the situation had been put under control through “specialised workforce, Information and Communication Technologies classes and mop-up phase.”
In early January, the Chairman of the Independent National Electoral Commission, Prof. Mahmood Yakubu, noted that there were attempts to hack into the commission’s system ahead of the general elections.
The INEC chairman, who was represented by the Deputy Director of ICT, Dr Lawrence Bayode, noted that the attacks came in from different parts of the world.
He said, “We were looking at the system yesterday and we were seeing that people were trying to come into the system from France; but we are also putting some infrastructure in place (to make sure they don’t)”.
Days after the election, the Managing Director, Galaxy Backbone, the Federal Government’s information technology and shared services provider, Muhammad Abubakar, said the company blocked over 200 cyberattacks during the presidential and National Assembly elections on February 25.
According to him, the result viewing portal of INEC suffered a system collapse that forced it offline for several hours on election day, “spawning a severe backlog in the transmission of presidential election results over the high throughput infrastructure.”
On March 15, Mr Isa Pantami, the country’s communication and digital economy minister, acknowledged that the INEC server recorded more than 12 attacks both within and outside the country’s cyberspace.
He said in the run-up to the 2023 general elections, threat intelligence revealed an astronomical increase in cyber threats to Nigerian cyberspace, adding that generally, threats to public websites and portals averaged 1.55 million daily.
Banks worst hit
A January report by Financial Institutions Training Centre revealed that Nigerian bank customers lost a total of N2.72bn to fraud in the first and second quarters of 2022.
Between July and September 2020, banks, according to the Nigeria Inter-Bank Settlement System Plc, lost N3.5bn to fraud-related incidents, representing a 534 per cent increase from the same period in 2019, when it was N552m.
In 2018, commercial banks in Nigeria lost a cumulative N15bn ($32.36m) to electronic fraud and cybercrime.
This was a 537 per cent increase on the N2.37bn loss recorded in 2017.
In the same period in 2018, over 25,043 bank customers and depositors lost N1.9bn to cyber fraud, with fraud incidents rising by 55 per cent from the previous year’s 17,600.
Nigeria’s Consumer Awareness and Financial Enlightenment Initiative had projected a $6tn loss by 2030 to cybercrime within and outside Nigeria. These crimes are committed mostly through phishing and identity theft.
In September 2022, suspected fraudsters, during a three-day cyber-attack, hacked a customer’s account domiciled in an old-generation bank and transferred N523.337m from the account to 18 different accounts in the same bank.
The spokesperson for the Police Special Fraud Unit in Ikoyi, Lagos State, SP Eyitayo Johnson, said the suspects subsequently transferred the money from the 18 accounts into 225 accounts domiciled in 22 other banks and financial institutions.
He added that the coordinated cyber-attack was carried out on Saturday, April 23, till the early hours of Monday, April 25, 2022, adding that two suspects had been arrested in connection to the crime.
In January 2023, a bank customer with one of the top banks, Chiamaka Agim, lamented how over N4m was debited from her account without her authorisation.
Speaking to Sunday PUNCH, Agim said between 8.43pm and 9pm, she lost over N4m from her account.
“I was first debited N3.7m to another bank, N222,900 to another bank and N102,000 to another account.
“What was left in my account was about N12,900.
“I couldn’t even breathe well. I couldn’t think. In a space of five minutes, my entire life’s savings were wiped off. I don’t know who did this and I don’t know how it happened,” she said.
She further stated that she visited the bank the next day but was told to get some documents, which she did.
In the end, the bank said it retrieved about N800,500, which she blatantly rejected.
It took days for the bank to finally get some substantial sum back to the lady although it kept insisting that the victim bought a token for some online transactions, a claim she continuously opposed.
In March 2023, the Lagos State Police Command arraigned a fraud syndicate comprising eight men before the Federal High Court in Lagos for allegedly hacking the server of an electronic platform, ITEX Integrated Services Limited, and stealing N435.3m.
The defendants, including Aderuku Adedayo, Adigun Benjamin, Awopetu Tosin, Ajibade Ayomide, Ojo Olwaseun, Miller Oluwafemi, Olaleye Samuel and Ajibade Ayodeyi, are facing charges bordering on conspiracy, hacking, stealing and fraud preferred against them by the police.
The prosecutor, Morufu Animashaun, told the court that the defendants conspired among themselves and others now at large to commit the offences on September 7, 2022, at 1E, Sinari Daranijo Street, Victoria Island, Lagos.
According to the prosecutor, the offences contravened sections 8(a), 1(1)(a), 2(a) and 7(2)(b)of the Advance Fee Fraud and other Fraud Related Offences Act 2006, and punishable under Section 1(3) of the same Act.
All the defendants pleaded not guilty to the charges.
In another related case, a man, Salau Femi, was arrested by detectives from the Special Fraud Unit of the Nigeria Police Force for allegedly hacking into the server of a Nigerian bank to steal N1.87bn.
The suspect, police said, was the kingpin of a syndicate that specialised in hacking into the servers of banks and corporate agencies.
He was arrested after he hacked the Flex-Cube Universal Banking System of a first-generation bank.
The SFU spokesman, Johnson, in a statement, said the suspect created fictitious credits totalling N1.87bn on the accounts of three of the bank’s customers.
A leading fintech company recently denied being hacked after reports emerged that hackers had stolen over $4m from its accounts in Nigeria.
The company stated that it identified an unusual trend of transactions on some users’ profiles during a routine check of its transaction monitoring system.
However, according to the company, no user lost any funds, adding that the fintech’s security measures addressed the issue before any harm could be done.
The recent developments in the hack highlight the increasing threat of cybercrime and the need for companies to invest in robust security measures to protect themselves and their customers.
A growing menace
A January 19 Forbes report stated that over 800,000 passwords and 50,000 individuals were targets of a Nigerian fraud operation cybercriminal gang, known as SilverTerrier.
According to the report, 11 individuals were arrested in December by Interpol.
The international policing agency said the suspects appeared to have targeted as many as 50,000 individuals and companies via Business Email Compromise (BEC).
“These so-called BEC scams help criminals find a way to intercept emails, either via hacking into accounts or spoofing email addresses, and trick companies into sending funds to the fraudsters rather than business partners with whom they believed they were interacting.
“BEC remains the most costly kind of fraud to Americans. According to the FBI’s most recent annual cybercrime report, losses totalled $1.8bn in 2020 alone, with global losses estimated to be close to $5bn in the years between 2018 and 2020. That makes it a far more financially damaging crime than ransomware, one of the better-known cyberattacks,” part of the report read.
The SilverTerrier gang is known as one of the more successful BEC fraud groups, and Interpol said initial analysis of one of the 11 suspects’ computers indicated they had more than 800,000 usernames and passwords, which could potentially have been used to hack into company email accounts.
Another suspect was found to be monitoring conversations between 16 companies and their clients to divert legitimate transactions just as they were about to be made, Interpol said.
An Assistant Inspector-General of Police, Garba Umar, said while working with Interpol, he was able to “give the order to hunt down these globally active criminals nationwide, flushing them out no matter where they tried to hide in my country.”
The report revealed how a cybersecurity company, Palo Alto Network, tracked all BEC fraud coming out of Nigeria under the name SilverTerrier and found that among the nearly 500 different “actors” involved, they were “often connected through only a few degrees of separation on social media platforms,” showing links between over 120 actors.
The company also claimed that one of those arrested had previously been apprehended by the FBI in 2018.
“His recent arrest marks one of the first known instances of a Nigerian actor being arrested twice for BEC,” it added.
This will not be the first large-scale cyber fraud Nigeria would witness.
In November 2022, a gang of hackers known as OPERA1ER, stole at least $11m from companies in Nigeria, Benin, Cameroon, 11 other African countries, and Argentina.
This is according to a new report from Group-IB, a cybersecurity firm, titled, ‘OPERA1ER: Playing God without permission,’ in collaboration with researchers from Orange CERT Coordination Centre.
The firm disclosed that digital forensic artefacts analysed by it and Orange followed more than 30 successful intrusions of the gang between 2018 and 2022.
The company’s data revealed that companies in Ivory Coast were the most targeted.
It said this helped it to trace affected organisations in Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Bangladesh, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo, and Argentina.
In April 2022, some suspected Russian hackers attacked some Nigerian websites, including the popular betting platform, Bet9ja.
This is coming after the United States said it secretly removed malware from computer networks around the world in its bid to pre-empt Russian cyberattacks.
Bet9ja first announced that it was having issues with its website on a Wednesday on its verified Twitter handle.
According to the company, its customers were not able to log in to their accounts.
It said, “We are currently experiencing an issue with our website. This means you may not be able to log in.
“We take this matter very seriously and our IT team is working on it as their number one priority right now.”
However, the next day, Thursday, the firm announced that it had become a victim of a cyberattack.
Bet9ja said, “The Bet9ja betting platform, just like many market-leading global organisations, has recently become a victim of a sophisticated criminal cyber-attack, which is restricting our customers from having access to the platform.
“We are working tirelessly with our IT team, independent forensics, and cybercrime experts to resolve this; we take this matter extremely seriously. Our priority is protecting our customers and you have our assurances that your accounts will not be compromised, and all your funds are safe.”
In a previous post, the firm added that its customer’s funds were secured.
Bank, insurance firms targets – IBM
The International Business Machines Corporation in its most recent report published in March stated that the financial and insurance sectors of Middle Eastern and African countries were faced with more cyberattacks in 2022 than other sectors in the region.
The firm stated that the two sectors accounted for 44 per cent of incidents in 2022, which was four percentage points lower than the 48 per cent recorded in 2021.
Hackers also prioritised attacks on professional, business and consumer services sectors during this period, with the sectors accounting for 22 per cent of attacks.
Security Leader at IBM MEA, Kleimert Knibbs, said, “Proactively managing security risks and evolving cybercrime tactics is a critical priority for organisations across MEA.
“The X-Force Threat Intelligence Index findings demonstrate the continued threat of ransomware and the increasing use of thread hijacking tactics.
“To safeguard against these threats, companies must remain vigilant and focus on effective incident response planning. As the security landscape evolves, it is crucial to prioritise threat intelligence and strengthen defences.”
According to the report, the deployment of backdoors, which allow remote access to systems, emerged as the top action by attackers in the region last year.
It stated that ransomware and worms tied for the second-most common attack type in the region at 18 per cent each.
The firm explained that the IBM Security X-Force Threat Intelligence Index tracks new and existing trends and attack patterns — pulling from billions of data points from network and endpoint devices, incident response engagements and other sources.
ABU, UNN vulnerable
Three years ago, a Pakistani Penetration Tester, Touseef Gul, discovered some bugs (weaknesses or vulnerabilities that hackers can exploit) in three Nigerian universities — Nnamdi Azikiwe University, Akwa; Ahmadu Bello University, Zaria, and Salem University, Lokoja — and Mount Kenya University, a private university in Thika, Kenya.
Bug hunters and penetration testers are cybersecurity professionals that test for loopholes that hackers can exploit in websites or apps of reputable organisations and report them with insights on how to fix them and prevent any intrusion or abuse before it becomes public knowledge.
According to Gul, all he did was a surface search on the main domain of the websites (URL), and he found the bugs without having to go deep into their systems.
“With ABU, Zaria, for example, all I needed to do was type in portal.abu.edu.ng on my browser along with a few other characters, and I discovered the bugs,” he stated.
Gul reported his findings to the universities in 2017, and the developers from UNIZIK reportedly responded by saying the issue could not be resolved due to a crisis in the region.
In the University of Uyo, Akwa Ibom, in 2014, there was pandemonium when some students claimed to have a copy of the General Studies exam question before the exam time.
With hacking, some students access and manipulate results from their school server, input scores for exams they never sat for; register for courses without having to pay for them, and even get onto a school’s admission list to add or take out names.
A few months ago, a government agency’s website was cloned by hackers and many users unknowingly inputted their data, thinking they were applying for a job.
Victims lost money as the agency continued to turn a blind eye.
Cyber laws in Nigeria
As more and more spaces open up in the digital world, so has cybercrime grown in leaps and bounds.
To combat these issues, the government came up with the Cybercrimes (Prohibition and Prevention) Act (2015).
“Cyberlaw acts as a shield over cyberspace, preventing cybercrime from occurring. The government is committed to developing and enforcing regulations to combat illicit online activities,” a publication on legal luminary, Olisa Agbakoba (SAN)’s website stated.
The CPPA (2015) has a significant impact on cyber law in Nigeria as it creates a comprehensive legal, regulatory, and institutional framework in Nigeria to prohibit, prevent, detect, prosecute, and punish cybercrime.
The Act encourages cybersecurity and protection of computer systems and networks, electronic communications, data and computer programmes, intellectual property, and privacy rights, as well as the protection of important national information infrastructure.
Highlighting the categories of the law, the publication stated that cybercrimes against people included cyber harassment and stalking, e-mail phishing, various sorts of spoofing, credit card fraud, and identity theft.
Cybercrime against property includes distributed denial of service attacks, hacking, virus transmission, cyber and typosquatting, computer vandalism, copyright infringement, and intellectual property rights breaches.
“The expansion of the Internet has revealed that the channel of cyberspace is being used by people and groups to threaten foreign governments as well as intimidate a country’s citizens.
“When an individual hacks into a government or military-run website, the offence becomes terrorism,” the report added.
The law also established a Cybercrime Advisory Council in charge of handling issues relating to the prevention and combating of cybercrimes, cyber threats, computer-related cases and the promotion of cybersecurity in the country.
Cyberattacks in Africa increased by 300% — Pantami
Pantami, on Tuesday, disclosed that Africa’s digital economy is facing a major challenge as cyberattacks continue to rise at an alarming rate.
According to Pantami, a recent report by the Africa Cybersecurity Report noted that cyberattacks in Africa increased by 300 per cent over the last year alone, adding that this trend is worrisome given that Africa’s digital economy is on the rise and has been projected to be worth $180bn by 2025 by the World Bank.
The minister, who spoke at the opening ceremony of a two-day cybersecurity stakeholder workshop in Abuja, however, said the growth could be severely impeded if businesses and organisations did not take the necessary steps to protect themselves against cyber threats.
Strengthen cyber infrastructure – NCS
The President, National Computer Society, Prof. Adesina Sodiya, in an interview with our correspondent, said Nigerian digital spaces had been experiencing cyberattacks for quite some time.
According to him, some of the tertiary institutions in the country, last year, experienced denial of service and man-in-the-middle attacks, among others.
“As a nation, we have been talking about it for quite some time that we need to continue to prepare and update our cyber infrastructure because these attacks are going to be there forever.
“It is just like the physical armed robbers. We now have a situation where many corporate organisations are moving to e-governance and embarking on digital infrastructure.
“Of course, this digital community that we have all found ourselves in makes it easy for us all to access resources that are available remotely.
“In cybersecurity, the major concern is that these websites must guarantee legitimate access and legitimate use of resources. The truth is that these cybercriminals will continue to develop their threats to whatever barrier we put in place but we must continue to update our systems as we go on to counter the attacks if they come,” he noted.
Another cybersecurity expert and founder, IDot Creations, Chukwuemeka Orjiani, said the Federal Government should give regular updates to individuals and organisations on cybersecurity.
On how to avoid attacks, he said, “People should be told how to get firewalls, VPNs and other ways to mitigate attacks. It is not healthy to put your information online. Learn to change your passwords and PIN and not click on any link you see.”
Another expert, Enoch Ibidapo, said the goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers.
“Targets are typically the users of financial applications, SaaS (software as a service) businesses, e-commerce sites and other websites where logging in is required.
“Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers, or an illicit password change,” he added.
According to him, employing more cybersecurity programmers and enlightening the public on what they should and should not do on the Internet would go a long way to mitigate the attacks.