The Inside Scoop on a Six-Figure Nigerian Fraud CampaignMarch 17, 2020
Cybercrime is usually a one-way street. Shady types send their malicious documents and Trojans downstream to us innocent folk. Worst-case scenario, we get infected. Best-case scenario, we smirk, hit “delete” and move on with our lives. Either way, we’re left with many lingering questions. Who sends these out? Where did they get our email address? Do they really make money doing this? How much?
If you’ve asked yourself these questions too many times, today is your lucky day. Meet A██████████ A███████ D██████ton, who we’ll call Dton for short:
Dton is an upstanding Nigerian citizen. He believes in professionalism, hard work and excellence. He’s a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues. Even his primary school teacher is willing to sing his praises on a phone call’s notice.
But behind this positive persona hides a dark secret. In the best comic book villain tradition, Dton leads a double life:
By day, he is Dton, administrator of businesses and achiever of organizational goals. But by night, he is Bill Henry, Cybercriminal Entrepreneur.
Bill is a regular customer at the Ferrum shop – a fine business that stocks north of 2,500,000 stolen credit card credentials. During the years 2013-2020, the account he regularly logs into has been used to purchase over $13,000 worth in stolen credit card credentials.
Once Bill gets his hand on stolen credit card credentials, he is quick to monetize his new asset:
This typical charge is for 200,000 Nigerian Naira (NAN), the equivalent of about $550 USD. Luckily for whoever owns the original credit card used here, the transaction does not go through; but Bill is patient. He tries another merchant, and if that fails, he buys another credit card for another $4 or $16 and tries again. Eventually a transaction goes through. A back-of-the-envelope calculation shows that during the years 2013-2020, the $13,000 spent by this account were converted into about 1,000 credit cards, which were then fraudulently charged for a total easily exceeding $100,000 — probably several times that.
You might object that the above story is a violation of basic economics. If a stolen credit card can be fraudulently charged for $500, why would anyone sell it for only $10? Well, stealing credit card credentials is easy and anonymous, given that banking malware and point-of-sale malware is everywhere and is notoriously difficult to trace back to whoever wrote and deployed it. Making credit card charges is something else entirely; it carries a whole additional set of risks and requires a distinct set of skills. Chief among those skills is sheer audacity — which Dton has no lack of, as you’ll see soon.
Dton’s business has always been his pride, but one thing he could never get to like was having to constantly pay up at the Ferrum shop. He knew that true blood cybercriminals harvest their stolen credentials with their own two hands, fresh from the spam fields covered in morning dew; he longed to have that life. Some times, he would spend the $10 at the Ferrum shop and the transactions wouldn’t even go through. His resentment grew. He was an entrepreneur, not a gambler.
No longer content to just buy, sell and monetize victim data, it was a matter of time before Dton dove head-first into the world of DIY stolen credentials. He was buying “leads” – email addresses of potential marks – in bulk.
But most of his attention went into buying malicious tools of the trade: Packers and crypters, infostealers and keyloggers, exploits and remote VMs. He had a true passion to play the field and see what worked best for him. Just for malware alone, he purchased and tried out AspireLogger:
And many, many other software of the kind that Windows Defender warns you about. Soon, Dton had a complete spamming staging ground — an army of remote, anonymized VMs that he could connect to with a VPN, and were equipped with the necessary tools for his work. On these machines he would take his hand-picked malicious binaries and run them through packers:
Wrap them in an appealing malicious document:
Carefully pick a message and subject line – then send the result out to a long, long list of potential victims.
Shortly after, the victim credentials came pouring in. Nanocore and its ilk delivered. Dton was ecstatic.
For Dton, this was a career milestone — but still, not everything was sunshine and rainbows. Sometimes Dton’s tool suppliers would make exaggerated financial demands:
In Dton’s place, would you pay $800 to have 3 binaries packed so that they have 0 VirusTotal detections? You probably shouldn’t. VT detection statistics aren’t always up-to-date, and aren’t guaranteed to reflect the full range of protections offered by the vendors involved.
Worse yet, Dton wouldn’t always see eye-to-eye with his manager when discussing goals:
Yes – Dton has a manager. Possibly his manager also has a manager, and so on for eight tiers, but it grieves us to speculate on that. As you can see, Dton’s manager – “A” for short — periodically sends venture capital and expects handsome returns. If a project is not going well, The Boss gets angry, and as he says, you wouldn’t like him when he’s angry. Dton’s boss rules the workplace with an iron fist, and Dton’s terms of employment apparently demand that he install a Remote Administration Tool (RAT) on his own machine, which his boss can access freely. This leads to some very strange conversations:
Yes, Mr. A, relax. Relax about the cybercriminal whose every movement you monitor obsessively, and who just logged in to your Yandex account. Chill.
Why would Dton’s boss share his Yandex credentials with his underling so freely? That’s a very good question. Then again, why would they both use the same inbox for stolen victim data and for routine RAT-based workplace monitoring of Dton’s work? Take another look at the stream of incoming victim data:
All the recovered data tagged “HP-PC” is monitored data from Dton’s machine, aggregated with the rest of the victim data. In a certain poetic sense, Dton is just another victim. (A famous quote from the social media site, reddit, goes: “I work as a dishwasher, and I come home after hours of work in which I get covered in filth, then I take a shower only to realize… I am the final dish”. This kind of reminded us of that).
So: Dton’s career has a promising future, and his RAT-spamming operation is alive and kicking. But conversion rates are not what they could be and Dton’s boss is unhappy. Packing the malware to improve conversion rates comes at an overbearing premium. Dton begins to doubt the validity of the entire setup. He uses brand-name malware, and therefore gets burned by security solutions, since the vendors have a special incentive to go after “household name” malware; if he tries to stave off the detection with artisanal packing / crypting services, he has to pay out the nose. The free-to-use packers on his staging ground VMs just don’t cut it.
It then occurs to Dton that there is technically one way out of this bind: write his own RAT. If it’s written from scratch, then it’s novel, and can therefore get around for exactly the same reasons as the novel coronavirus. No one has a signature, no one has a vaccine, none of the existing immune systems have ever seen it before. By the time they figure it out, a lot of damage will already be done.
Of course, Dton is no coder. He has to get someone else to do it for him. He receives a recommendation for such a person who hangs out at a certain discord and goes by the name “RATs &exploits”. Mr. &exploits has spoken with many customers before, and has a canned reply for those interested in his services:
Dton engages this person, and a deal begins to take shape.
RATs&exploits also offers personal one-on-one technical support and hands-on demonstration of how to use the RAT. Here he is demonstrating his use of “Azorult”, a well-known piece of malware, on a virtual machine:
Mutual impressions are good, and soon money exchanges hands. Dton’s toolkit has reached the next level. He now has his own personalized, hand-crafted RAT as well as a personalized web client to monitor his victims. He leans back, smiles and surveys his domain.
In fact, Dton has not only found a professional contact in this RAT developer, but a true kindred spirit:
Or has he?
Not much later, Dton is remotely viewing fresh screenshots — taken from the personal machine of the developer he has just done business with.
Let us repeat that: Dton, whose business model is infecting many innocent victims with RATs, and whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer’s machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence.
Not one to put all his eggs in one basket, Dton kept pursuing the dream of having his malware packed without having to pay “packing rent”. He soon became interested in dataprotector (datap.pro), a packer which offers a “lifetime package”:
Of course, you don’t just purchase something like datap out of the blue. You need to know who to talk to. Dton soon reached his contact person for purchasing datap, who goes by “n0$f3ratu$” (That’s “Nosferatus”, for those in the audience who don’t speak l33t). Wary about investing such a large sum up front, Dton opted for the 45 days package, which is about a tenth of the price.
Dton paid up, tried using the product a few times, and soon he was angry.
He was not pleased with the product, or the price, or something at any rate. He felt that he should pull a power play to get a better deal, or else that n0$f3ratu$ should have just let him have the lifetime package for $36.50 – and that since he did not, there should be consequences. And then Dton had an idea.
Welp. Let’s look at that YouTube link:
That’s our friend n0$f3ratu$– teaching people how to bypass Windows Defender using the very same crypter he had just sold Dton. One moment, Dton was working together with this guy; the next, he was stabbing him in the back. Again.
Dton does not immediately submit this anonymous report. Instead he uses it to taunt n0$f3ratu$ – who reacts about as positively as you’d expect:
We can only speculate on what n0$f3ratu$ means by that. Probably he and Dton got into a very heated debate about the price of the dataprotector lifetime package, and found that their differences were irreconcilable. And thus Dton reached the crowning achievement of his career – majorly angering the technical people on whose work his entire livelihood depended. Way to go, Dton.
So, what have we learned?
On some level, we know that cybercriminals are flesh and blood. They have feelings, wants and needs; they hold grudges, they make mistakes. But some cybercriminals are much more flesh and blood than others. We can’t put enough emphasis on the absurd contrast between the more professional operations that we have been watching on the one hand, and this absolute train wreck on the other.
Somewhere in Russia, as you are reading this, a well-coordinated gang is rotating their C&C servers on a daily basis and signing their malware with a rogue certificate authority. Bugs are corrected, features are introduced, security vendors are watched with a keen eye. Meanwhile, halfway across the earth in Nigeria, Dton is spamming out RATs that all contain hard-coded credentials for the single Gmail inbox the RATs all report to – then purposefully gets himself infected with a copy as well. When business with someone goes well, Dton infects them with a RAT just in case it later turns out to be useful; when business with someone goes less than well, Dton resolves the dispute by reporting them to the Interpol.
And you know what? Dton is fine. Dton is living the good life.
This is technically a picture of Dton’s colleague, but the point still stands.
We don’t need to tell you how to defend yourself against Dton’s RATs, because if you’re reading this, you already know how. Update your web browser. Before clicking a web link, ask yourself who put it there and check out the actual target domain, starting from the top level. Don’t open that unsolicited “invoice” or “shipment notice”; if you do open it, don’t open the attached document; if you do open that, don’t click “enable macros”.
It’s all trite advice that’s been repeated a million times – but the people who need to hear it aren’t reading this blog post. That’s how even Dton, a YOLO cybercriminal if we ever saw one, gets plenty of victims and rolls in cash.
Talk to your friends about low-effort cybercrime. Tell them that whenever they open an email, they should take a long, hard look at the picture above, and imagine the person pictured there composing that email in a Turbomailer window. And that if the image fits too well, they should think about their next click very carefully.
*Note: All personal details have been blurred for the sake of this publication. The full details have been reported to relevant law enforcement officials