So, this is fascinating. While we all digest the latest warnings about the accelerating risk of online scams, malware, hacks, credit card fraud, fake sites and apps, the question of who’s behind the crimes and how they operate lurks in the background. Well, now the cyber team at Check Point has delved into the detail, looking for the people behind the crimes and putting names to the threat.
It’s little surprise that the team’s research took them to Nigeria. Home to countless cyber scams, the country has built a reputation, some of it deserved, some of it overblown, for perpetrating online crimes around the world. Last September, when the Department of Justice announced 281 arrests in a crackdown on business email compromise, a staggering 167 of those arrests were in Nigeria. This week another 13 Nigerians were charged by the FBI for participating in a $30 million fraud.
Check Point happened upon one such Nigerian, best described as a cyber career criminal. Nicknamed Dton, this 25-year-old resident of Benin City in Edo State has been engaged in cybercrime since his teens. In the last seven years he has bought around $13,000 in stolen cards, which he has turned into $100,000 in gains. Not bad for a country in which the average salary is around $500 per month.
“This guy is a cyber criminal,” Check Point’s Yaniv Balmas tells me. “He steals whatever he can get his hands on. So from a consumer perspective, this is just a new view into what happens on the other side of cyber threats.”
According to Check Point, Dton is a self-styled “upstanding Nigerian citizen—he believes in professionalism, hard work and excellence. He’s a leader, a content creator, an entrepreneur and an innovator—even his primary school teacher is willing to sing his praises on a phone call’s notice.” But this is a man who leads “a double life,” the team says, “in the best comic book villain tradition.”
Under the pseudonym Bill Henry, Dton spent countless nights browsing Ferrum’s 2.5 million stolen credit cards and credentials for those he thinks he can use. A card will cost Dton somewhere between $4 and $16, and he will immediately try to put a transaction onto the card before it’s stopped. A typical transaction might be $500 a time, though often the card will not work. No matter. He’ll simply go buy another one. Check Point estimates he has bought 1,000 over the years, generating a return “exceeding $100,000—probably several times that.”
For Dton and countless fraudsters like him, the skill is not in buying stolen cards, it’s in knowing how to transact on them. “Chief among those skills,” the security researchers say, “is sheer audacity—which Dton has no lack of.”
You see, for Dton the card business is entry level. He has always aspired to bigger and better things. “One thing he could never get to like was having to pay up at the Ferrum shop,” Check Point says. “His resentment grew. He was an entrepreneur, not a gambler.” And so it was only a matter of time before he “dove head-first into the world of DIY stolen credentials—buying email addresses in bulk.”
These “leads” are one thing, but once you have a victim in sight and the means to make contact, we’re in an entirely different world. This isn’t the anonymized numbers game of card theft, this is direct fraud, and so it’s time to head to the underground markets where such “tools of that trade” are also available to buy.
According to Check Point, Dton evolved from cards to “packers and crypters, infostealers and keyloggers, exploits and remote VMs.” But in doing so, Dton moved from the relatively safe world of online credential marketplaces to the much more dangerous world of organized cyber criminals: the nasty groups behind the trojans and other malware that you read about weekly on these pages.
Dton started with AspireLogger, OriginLogger and the NanoCore RAT. “Soon, Dton had a complete spamming staging ground—an army of remote, anonymized VMs that he could connect to with a VPN, and were equipped with the necessary tools for his work.” The malware was packed into documents, attached to phishing emails with luring subject lines, and sent out to the world.
And then “victim credentials came pouring in—Nanocore and its ilk delivered. Dton was ecstatic.” But this new world had its challenges. Suppliers demanded serious payments for the tools Dton needed, and a manager was on Dton’s back, pushing him to work harder and achieve ever more.
You see, this is organized. Dton has a manager overseeing his work. It’s a scam factory. “Dton’s manager, Ability, periodically sends venture capital and expects handsome returns. If a project is not going well, Ability gets angry, and as he says, you wouldn’t like him when he’s angry. Dton’s boss rules the workplace with an iron fist, and Dton’s terms of employment apparently demand that he install a Remote Administration Tool (RAT) on his own machine, which his boss can access freely.”
Eventually Dton decides he’s had enough of being a cog in the machine—he wants to be the machine. Dton decides to commission his own RAT, something new, some infection for which there’s not yet a cure. “Dton is no coder—he has to get someone else to do it for him. He receives a recommendation for such a person who hangs out at a certain discord and goes by the name ‘RATs &exploits’.”
Commissioning a RAT.
Dton pays his money and gets his RAT. But life is never simple. Dton remains under surveillance to ensure his productivity is up to speed. He also makes the move to infect the machine of his own RAT developer with a, erm, RAT as well. “Dton, whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer’s machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence.”
Now Dton is on the slippery slope. He will continue to play the game with malware developers, buying tools, getting himself ripped off in the process, falling out, moving on. “When business with someone goes well,” Check Point says, “Dton infects them with a RAT just in case it turns out to be useful. When business with someone goes less well, Dton resolves the dispute by reporting them to Interpol.”
There is no happy ending. No conclusion. This is today. This is every day. As Check Point muses in its report, “we can’t put enough emphasis on the absurd contrast between the more professional operations that we have been watching on the one hand, and this absolute train wreck on the other.”
The advice for users the world over doesn’t change. Don’t click on unknown attachments, don’t blindly follow links, don’t download apps from random, unknown developers, don’t play into Dton’s hands. Meanwhile, “somewhere in Russia, as you are reading this, a well-coordinated gang is rotating their C&C servers on a daily basis and signing their malware with a rogue certificate authority.” And they are fuelling the army of Dtons that want to come steal from you.
“There are hundreds more criminals just like Dton,” Balmas says, “so the damages are considerable. We have provided a rare ‘fly on the wall’ perspective, showing a day in his life. It turns out to be a very eclectic lifestyle, completely crazy, completely disorganized—He is shooting all over the place, trying to stand to his goal defined by a boss who is also installing malware on his computer in order to track him.”
Meanwhile, “you know what—Dton is fine, Dton is living the good life.”