CyberWire Daily - Profiling an audacious Nigerian cybercriminal. [Research Saturday]

Episode Date: April 11, 2020

By day, he is Dton, an upstanding Nigerian citizen. He believes in professionalism, hard work and excellence. He’s a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues. But by night, he is Bill Henry, Cybercriminal Entrepreneur. We sat down with a researcher at CheckPoint for the inside scoop into this fascinating, brazen individual. The research can be found here: The Inside Scoop on a Six-Figure Nigerian Fraud Campaign

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:19 with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security Thank you. your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. The IMS bewildered you at the suredacity of this guy. The research we're discussing today is from the team at Checkpoint Research. It's titled The Inside Scoop on a Six-Figure Nigerian Fraud Campaign.
Starting point is 00:03:29 Our researchers this week have requested anonymity for security reasons, and we're going to respect that request. Our job as researchers involves us looking at malware all day long. And when you look at malware all day long, eventually you're going to run across some very strange and unexpected leads. This happens a few times a year to one of our researchers. And it happened this time.
Starting point is 00:03:57 We happened across this guy who, as my colleague said, did not make it very difficult to happen across him. Well, let's learn a little bit about this person here. Who is this person and how did he come on your radar? He's, I don't know, I would describe him as an entry-level cyber criminal. I mean, he has a lot of years of experience under his belt, but he doesn't know how to code at all. He has basically zero technical knowledge. So every time he needs to do anything technical, his first instinct is to just approach someone who actually
Starting point is 00:04:39 does know about the technical aspect of things and ask to buy whatever he needs, whether it's some sort of malware or a packer for a malware or a list of leads or basically anything else. So if I had to sum it up in one word, I would say it's like a cyber criminal entrepreneur, basically. And in your research here, you highlight that this person sort of has two personas, one by day and one by night. That is true. I don't think it's too uncommon. I believe this guy really would like to separate his identities. People like his family and his grade school teacher, who makes a guest appearance in the publication. I don't think he would really love for them to know about this second life that he leads. Well, let's go through some of this criminal's various exploits here.
Starting point is 00:05:41 In your research, you describe he does a lot of business in stolen credit cards yes he does how would i say the crime is already halfway done right you have all of these maras in for stealing trojans and other malicious binaries floating out there and infecting people and stealing their credentials and some people are like people like to be anonymous cowards like us and they decide that once they've been able to steal these credentials, basically their job is done. They don't want to take the risk.
Starting point is 00:06:14 They don't want to perform fraudulent credit card charges and maybe have the authorities on their tails. So they just sell these stolen credentials on online shops, such as the phone shop where this detone person discussed in the publication was a loyal customer. And he, as the entrepreneur that we described earlier, saw this as an opportunity because
Starting point is 00:06:40 these anonymous cowards, they don't have the audacity to perform these fraudulent charges but he definitely does and he buys these credentials for a few dollars and then for each such stolen credential he performs a very very large fraudulent charge you know to compensate him for the risk that he's taking on and he made a pretty penny using this method it didn't in the end if you read the publication it didn't satisfy him. And he moved on to bigger and better things. But he made a large amount of money just with that mode of operation. Yeah, you point out in the research here that he could have easily made over $100,000, maybe even more than that. And one of the things about him is his audacity, that he's someone who's
Starting point is 00:07:25 willing to take these risks. I believe that the world of cybercrime is full of these people, because if you look at the numbers, it's easy money. If you're willing to take the risks involved, like, for instance, the fact that now there's a publication about him out on the internet, that's one of the risks that you're taking on. But if you're willing to take them on, it's easy money. So I'm not surprised that guys like him exist. And he goes beyond just dealing in credit cards and starts to get into some of the other tools of the trade. Can you describe to us what other things is he up to?
Starting point is 00:07:59 For example, he decides to put it simply that buying the stolen credit card credentials is not enough for him because he has to pay up to get the credit cards and sometimes they don't even work. So he decides that he wants to get the stolen credentials himself, which means he has to infect people himself using info-stealing malware. This means that he has to actually obtain his own malware and worry about things like obtaining leads, obtaining email addresses of potential victims, and worrying about solutions by security vendors stopping his malware, which is why he goes around and tries to buy peckers and cryptos and stuff like that in order to reduce the detection rate of the malicious binaries that he's spreading around.
Starting point is 00:08:46 So, really, it's his ambition to expand his business and be more independent cost him a lot of headache. Now, you mentioned at the outset that it seems as though this person does not have a lot of technical abilities. As you witness him going after these other tools, these key loggers and various types of malware, are you seeing sort of a self-education here? Is he getting better? Is he learning the tools? We are seeing zero self-education. We are seeing like the machine learning sort of self-education, where he just tries everything to see what appears to give him the best numbers and then mindlessly goes with that. And you know what? It's a strategy I can respect. It worked out well enough for him. And so does he have success with these sorts of tools, with the key loggers and so on?
Starting point is 00:09:35 I believe he does, because if you look at the publication in one of the screenshots, he tried one of the many, many, many, many, many strains of malware that he eventually gets to trying out. And it's a nano core, a well-known and well-respected brand name in the cyber crime arena. And he wakes up in the morning after he sent out all of these malicious payloads and he sees the amount of leads that he got and he's like ecstatic. It's more than in his wildest dreams. So I think, I don't know what the answer is if you ask me, but if you ask him, he was very satisfied with the results, at least for a while.
Starting point is 00:10:12 And can you give us some insights? What was your ability to track him here? How were you able to just keep an eye on him while he was doing these things? We really aren't at liberty to disclose this. We can say that all of this information about him fell off the back of a truck. If you really
Starting point is 00:10:30 insist to know, it wasn't like some complex sting operation. At no point someone sat at the keyboard for 15 minutes typing furiously and then in there said I'm in. This guy, he had a really, really really really lousy object he was just sitting there waiting for someone to find him i think like in theory an
Starting point is 00:10:52 analyst with one week of experience could have found all of this information of course i'm exaggerating but really he was just a sitting. So I think that's really the takeaway here. Yeah, I mean, that's really an interesting insight that this person who, I suppose, on the one hand, as you say, the OPSEC was very lazy. So reflects the laziness of criminals, but also was willing to put in the time of just trying and trying and trying things. Seems like had plenty of time on his hands. First of all, it's not the laziness of criminals in general. It's like this one specific guy. We've seen the people behind Emotet and Gozi and Guncraft. These are professionals.
Starting point is 00:11:39 They really put in the work and they keep up with the times and technical advancements, you know, at least to some sort of standard. Like this guy is a different breed of criminal. Yeah, he had all the time in the world to try every single solution that he could possibly think of without like understanding anything technical about what he was doing. But again, it worked well out well enough for him. So who are we to argue? Well, it's interesting, too. One of the things you point out in your research is that he was not always terribly successful in dealing with the other people in the criminal underground. It seems as though there were times when they were trying to take advantage of him.
Starting point is 00:12:19 Actually, most of the time, he's the one trying to take advantage of other people by infecting them with remote administration tools while they're trying to do business with him. I agree that the other sorts of people that he is interacting with, sometimes they demand like exaggerated prices for their tools. But first of all, I don't feel very sorry for him giving the gold that he's after and the second it's a very very very large free market and I believe that for example if he's looking at the pecker and he thinks the price is really really inflated he could have easily found another pecker which is not much
Starting point is 00:13:02 worse for much less of the cost so if you're talking earlier about his laziness maybe you know if you had put more effort on this front you know just when he sees a price that seems inflated to him just take a deep breath and let it go and go look for something else instead of you know infecting people with rats and ratting them out to the Interpol, maybe he would have had a better outcome. Well, and this person does move on to some spamming using remote access Trojans, using rats. What was he doing there?
Starting point is 00:13:39 Well, as I said, this was his way of getting credit card credentials on his own without being dependent on external shops that sell these credentials after they had already been stolen. I suppose that he figured that this would raise his profit margin. And look, this guy, if there's one thing I can say about him, he was very, very, very attuned to his profit margin, and he was watching it keenly all the time. So given that he kept on this path of spamming malware everywhere and did not just go back to purchasing credentials at the store, then I suppose that it really did increase his margins over just buying the credentials. And at some point, he goes and hires someone to custom code his own RAT. did increase his margins over just buying the credentials.
Starting point is 00:14:28 And at some point he goes and hires someone to custom code his own RAG for him. This is an instance of fascinating phenomenon that you see across the cybercrime field, I think. This is not something limited to this one guy. It's like, how would I call it? Voodoo programming, maybe. This cargo cult, cyber criminal activity, because he sees that the numbers are not as high as he would like. And this entire theory, I can only speculate, right? But this entire theory builds up in his head that his enemy is detections, right? Some amorphous adversaries, security vendors, demons of that sort are blocking the malware that he's spreading.
Starting point is 00:15:13 It's not, you know, sane people looking at the email that he just sent and with one look saying, no, I'm not clicking that. It's the detections. And he decides that the issue is that all of these malware, they are too familiar. They are brand names. And if he really, really wants to get higher conversion rates, what he needs is like something brand new made from scratch. I wouldn't agree with him on that. But this is the path that he chose. the path that he chose.
Starting point is 00:15:43 There's a remarkable part in your research here where you describe this gentleman Deton infecting his developer with a rat itself? I could not believe it when I saw it.
Starting point is 00:15:59 When I was told that this is in fact what had happened among Deton's many, many, many other exploits, I asked, what? Excuse me, what? Are you really sure? I'm going to put this sentence in a Checkpoint Research publication, so can you please triple check for me that this event in fact happened?
Starting point is 00:16:19 Right? And after I heard the word yes for the fifth time, I put it in the publication. But I am as bewildered as you at the sheer audacity of this guy. Yeah, there's no honor among thieves, evidently. And he certainly was prolific. Like you said, just trying thing after thing after thing. Yeah, this is true.
Starting point is 00:16:41 We called it in the publication a veritable grocery list of malware that he tried out just to see the conversion rate, whether it's going up or down, now that he tried a different sort of malware. And so where do you leave things? As things stand now, your journey with this particular criminal, was there an ending point for this? We disclosed a huge pile of material to the local Nigerian authorities, as well as to a spooky three-letter agency that shall remain unnamed. And we're, as a security vendor, we're chasing malicious samples of the sort that he sent out in his spam messages all the time. Checkpointed our security vendors. They spend a lot of their time hunting the indications of compromise
Starting point is 00:17:31 and other characteristics of these malware to be able to protect people from them. But you know, if you know anything about security, you know that this chase is an honest effort, but it's not a guarantee. People need to practice good security hygiene and be vigilant regarding what links they click and whether they enable macros on every document that they receive. It's the sad truth. to me that this marketplace is first of all that it exists, but that
Starting point is 00:18:05 it's as sophisticated as it is in that someone like this who really, more than anything, just has ambition and time on his hands, can get out there, be entrepreneurial, and start his own little successful criminal enterprise. Malware is the whole economy now.
Starting point is 00:18:22 It did not used to be like that, but I think since the advent of zeus and malware like that there's been an explosion in all sorts of opportunities to purchase malware and tools related to malware exploit as a service pecker as a service everything as a service so you really can approach your cyber criminal enterprise without knowing anything technical at all and just approach the whole thing like you're putting together a grocery list with your shopping cart. Okay, I need a packer. Okay, I need this malware. Okay, I need this list of leads. And you're all set.
Starting point is 00:19:00 In terms of people protecting themselves against the sort of things that this particular criminal was up to, what sort of recommendations do you have? Well, okay, when you look at this sort of issue of this really potato-grade criminal activity, being able to siphon so much money away from innocent people, there are really two ways that you can look at it. One way is to become depressed and say, there's nothing new the sun this is just the way the world is these people are going to exist as long as innocent people mindlessly click links in emails and mindlessly enable macros and this is always the way that it's going to be because you know i can sit here and tell the people listening to this podcast about what links not to click until kingdom come but the truth is that like we said in the publication the people that who need to hear this advice the most aren't listening to this podcast and this is sad now my personal opinion uh is that uh probably
Starting point is 00:19:58 the way forward is i'll put it bluntly nannying and mollycoddling the layman more. Because this is something that has precedent in the information security landscape. By now, your web browser will sometimes tell you, no, you're not going to that website. No, you're not adding an exception for that certificate. And that's final. One day, I'm not sure, but possibly, it may be that your email client or service provider will tell you, no, you're not clicking on that link. A copy of Microsoft Word may tell you, no, you're not enabling macros. Because like I mentioned earlier, as it is, it seems that in a lot of cases, the way forward is to protect people from their own choices.
Starting point is 00:20:41 protect people from their own choices. Our thanks to the team at Checkpoint Research for sharing their insights. The research is titled The Inside Scoop on a Six-Figure Nigerian Fraud Campaign. We'll have a link in the show notes. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. and compliant. Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Starting point is 00:22:13 Thanks for listening.