More than 5,000 Kenyan Facebook users have lost millions of shillings in a social hacking scam that lasted for a year, a local cyber security firm has revealed.
The firm, Serianu, says it has unmasked a Kenyan who broke into personal accounts of Facebook users in Nairobi, Mombasa and Eldoret and used the access to solicit funds from thousands of people linked to the breached accounts.
The attack was a type of social hack known as a phishing scam that tricks users into providing a hacker with access rather than relying on technical skill to break into their accounts.
“The hacker created a website that looked aesthetically similar to Facebook and posted it on random users’ pages, inviting them to view their friends’ latest photos,” said William Makatiani, the managing director.
“Users who clicked on the link were asked to provide their log-in details afresh in order to proceed. Once they did this, their usernames and passwords were collected into a database that currently has 5,006 entries.”
The cyber criminals then used the captured log-in credentials to take over a user’s social media page and went on to solicit money from the account owner’s friends while masquerading as the real user.
Owners of the compromised Facebook accounts were also contacted and informed that their accounts would be deleted if they declined to pay money — ranging between Sh5,000 and Sh100,000 — into different mobile money accounts.
To nudge victims into paying up, the fraudsters posted malicious and alarming messages on breached Facebook pages. Serianu estimates that victims of the attacks may have lost up to Sh50 million in the scam.
The Business Daily cannot reveal the hacker’s identity or the website used in the scam because the matter has since been reported to the CyberCrime Unit of the Directorate of Criminal Investigations (DCI), who are investigating.
The website, which has since been taken down, was registered by a Kenyan, hosted locally and with a Safaricom mobile phone number as the contact line.
Internet security breach has become a serious problem since Kenya installed broadband Internet with the landing of undersea fibre optic cables in Mombasa five years ago.
Criminals have used high-speed Internet to illegally obtain and share crucial user information that has cost millions of companies and individuals billions of shillings annually.
UK broadcaster, BBC, last week reported that administrators of a Russian-based site infiltrated thousands of insecure baby monitors, webcams and CCTV cameras in over 250 countries, including Kenya, UK, Pakistan and Zimbabwe, and monitored live feeds.
In the past 12 months, there has been a build-up of Internet security breaches in Kenya. The Kenya Police and the Central Bank of Kenya top the list of 103 crucial government websites that have fallen prey to the hackers.
The Banking Fraud Investigations Department last year reported that hacking of customer bank accounts — mainly by bank employees — between April 2012 and 2013 led to losses of Sh1.49 billion.
Nairobi Senator Mike Sonko’s Twitter account was reportedly compromised this week, exemplifying the ubiquitous nature of the crime in the country.
The Facebook hacker’s operation has since been shut down with the help of PhishTank, a US-based anti-phishing site used by leading IT firms like Google, Yahoo and Mozilla to verify the safety of websites.
A DCI officer at the CyberCrime Unit in charge of the Facebook scam investigation confirmed that Serianu had filed a report detailing the hacking incident.
“Serianu approached us recently and provided information about the alleged crime, including details of one of the individuals who was affected,” said the officer who declined to be quoted as he is not authorised to speak on ongoing investigations.
“We are waiting for the victims to come forward and make a formal complaint,” said the officer.
The Business Daily has established that one of the victims is a nurse at a local hospital. Her Facebook account, which is still under the hacker’s control, was compromised in late October and her friends have since wired Sh17,000 to the fraudster’s different M-Pesa accounts.
Stephen Wanjala, the victim’s husband, said they had contacted the CID officer in charge of the investigation and were preparing to make an official statement.
Cyber security experts say the exponential increase in the number of local hackers is not only a direct result of improved Internet infrastructure, but also a quest for fame and wealth.
Besides, Kenya does not have enough professionals who can effectively secure personal data or rebuff cyber-attacks.
“Expert hackers around the world are considered heroes and revered in many quarters,” said George Njoroge, CEO of East African Data Handlers.
“Some local hackers are after a similar status and if they can make some money while at it, the better. Ignorance on the part of users, including companies, and lack of expertise worsen the situation.”
The Kenya Cyber Security report released in June by Telecommunication Services Providers of Kenya (Tespok) showed that cyber-attacks more than doubled in the past year to 5.4 million.
While previously many of the attacks came from abroad – especially China – the majority of the 1.8 million computers used were stationed locally, indicating that the attacks were from within.
Insider threat by employees were earlier this year ranked top in the list of cyber security risks faced by financial institutions, especially those that have embraced mobile and online banking.
Mr Njoroge cited an ongoing investigation where five employees of a local mid-tier bank are being investigated for stealing Sh280 million from their employer. The case is expected to move to court this month.
The accused allegedly tinkered with the core banking system authorisation protocols and moved the money out to several accounts through mobile money and Internet banking transactions.
US information technology giant IBM in August signed a deal with the government that will see it develop cyber security syllabus for new recruits joining the police service.
Currently, most cybercrime matters are handled by small a team of IT experts – the Kenya Computer Incident Response Team – based at the Communications Authority of Kenya.
The team’s core duty is to liaise with other government and international bodies to tackle cyber-crime.