When you spot a phishing attempt or an email with a suspicious document attached in your inbox, have you ever wondered who actually sent it to you and how they got your details? Or even how much money they really make from their activities?
Well, we can now answer those questions. Over the past few months, Check Point’s researchers have uncovered the identity of a prolific cyber-criminal known as ‘Dton’. He has been active for over seven years, and earned at least US$100 000 from his ‘work.’ In fact, it’s likely he has earned several times that amount.
Dton is 25, single, and lives in Benin City, a place with a population of nearly 1,5 million in southern Nigeria. From his CV, Dton seems like a model citizen. But he also has another identity: Bill Henry, a career cybercriminal who buys goods with stolen credit cards and launches phishing and malware attacks.
So how did Dton (aka Bill) get started in a life of cybercrime that has earned him, on average, at least 14 times the new national minimum wage in Nigeria and 3 times the average professional salary every year since 2013?
Getting started: stolen credit card scams
Dton started out by speculating a little: he spent around US$13 000 buying the details of 1000 credit cards from a special online marketplace specialising in stolen payment card credentials. With each stolen card – costing around $4 to $16 each – Bill usually tried to charge about 200 000 Nigerian Naira (NAN), equivalent to around $550 US. If the transaction is blocked, he tries another merchant, or another card until one succeeds. From his ‘investment’ in the 1000 stolen cards, Bill has been able to charge at least US$100 000.
However, it seems that constantly buying new blocks of stolen card details started to irritate Dton: he resented having to pay upfront and wanted higher margins and profits. So he started buying ‘leads’ – bulk email addresses of potential targets, so he could launch his own exploits.
Moving into multi-level malware marketing
Dton started buying up the tools of the trade to help him craft malware to email (spam) to his list of targets. These tools include off-the-shelf packers and crypters, infostealer and keylogger components and exploits. With these tools, he could custom-build his own malware, insert it into a benign-looking document, create his email, then blast it out to his large list of marks.
This quickly delivered lots of user credentials that Bill could exploit, earned him more money – and also satisfied his boss. Yes, Dton is not a sole trader: he has a manager, who in turn reports to another manager. These managers pass seed capital down to Dton, but they also expect strong returns on their investments. It’s the cybercrime equivalent of a ‘pyramid selling’ or multi-level marketing scheme.
Once again, Dton started to get irritated (as we all sometimes do) by his boss nagging all the time, and by the diminishing returns from buying and using off-the-shelf malware toolkits. He decided to develop his own malware from scratch – malware that has no known signature and that can bypass most security defences – so he could work for himself.
It’s a RAT eat RAT world
As Dton is not a coder, he hired a person named ‘RATs &exploits’ to develop his malware for him. But it seems the expression ‘there is no honour among thieves’ is true: Dton compromised Mr RATs &exploits’ machine with a RAT (remote-access trojan), so he could spy on his work and hopefully steal some of his secrets.
When that wasn’t enough, he also engaged – and then fell out with – another shady character behind a specialised malware packer program, by arguing with him on underground forums over prices and usage. The result was that when Dton didn’t get what he wanted, he reported the other party to Interpol. The cybercrime economy is certainly a rat-eat-rat world – but all the while and despite these minor setbacks, Dton carried on earning illicit cash.
Dton’s journey into cybercrime shows how even a relatively unskilled, and undisciplined individual can profit handsomely from fraud and malicious online activity. This is simply because, like many other criminal activities, cybercrime is a numbers game. It doesn’t matter if 499 people don’t open a malware-spiked email: the 500th person will. And when you can target hundreds of thousands of people at a time, you only need to infect a handful to get hold of your ill-gotten gains.
To protect yourself against becoming a victim of the thousands of Dtons/Bills out there, you should follow these best practices:
1. When shopping online, ensure you are ordering goods from an authentic source. Don’t click on promotional links in emails, and instead Google your desired retailer and click the link from the Google results page to avoid having your personal and payment details skimmed.
2. Beware of ‘special’ offers. An 80% discount on a new iPhone or “an exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy opportunity.
3. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
4. Protect your organisation with a holistic, end-to-end cyber architecture, to prevent zero-day attacks.
Since uncovering Dton/Bill’s identity and activities, Check Point’s research team has notified law enforcement authorities in Nigeria and internationally and shared its findings with them. Full details of Dton's exploits are available on the Check Point Research blog at https://research.checkpoint.com/2020/the-inside-scoop-on-a-six-figure-nigerian-fraud-campaign/
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version