Nigerian spammer made 3X average national salary firehosing macro-laden Word docs at world+dog

And his boss monitored him with a RAT

A most entertaining piece of threat research from Check Point gives a unique insight into the "working" life of a Nigerian email spammer who made thousands of dollars from stolen credit cards alone in recent years.

The scammer in question, whose true identity was known to Check Point, was by day "a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues," as the infosec biz put it.

Yet, behind that facade of respectability, "Dton" (a made-up name to, er, spare his blushes) was in fact an email spammer – a spammer working as part of a Nigerian cybercrime syndicate that generates its ill-gotten gains through buying and using stolen credit card details.

Check Point this week chronicled Dton's alternate lifestyle in great detail, setting out how his boss monitored him with a remote-access trojan (RAT) to ensure Dton generated a suitable return on investment for the syndicate. The scammer made $100,000 over seven years, which compares very favourably with Nigeria's average annual salary of between $5,000 and $6,000.

Dton worked hard at both of his lives. His cybercriminal boss was a bit of a hard case (aren't they all?) and controlled his output through a shared Gmail inbox. Dton's criminal job was a bit of a drudge, really: the syndicate gave him around $1,000 a year which he had to spend buying stolen card data from Ferrum, a cybercrime marketplace.

Having bought the card data, Dton then patiently tried them out at online retailers, one by one, until he was able to make a false transaction. This criminal operation netted him and his handlers, by Check Point's estimation, around $100,000 in total – and possibly more – between 2013 and 2020.

Unsatisfied by his criminal works, and perhaps irritated by his boss' Panopticon-style surveillance of him (which didn't stop his "manager" questioning why or how Dton had logged into his Yandex email account), Dton decided to go freelance. According to Check Point, he invested in tools including the AspireLogger key logger, and RATs such as Nanocore and Azorult. Having done so, he would pack his malware into a Word document macro before firing it out to a list of spam targets using Turbomailer.

Despite his growing interest in online fraud techniques, Dton appeared to be unaware that the RAT on his own machine was exfiltrating his very own personal data and mixing it in with the lists of stolen information he himself was creating. Nonetheless, the "entrepreneur" struck out on his own, engaging a custom RAT coder to write him a unique piece of malware – and, just for good business sense, managed to infect the coder's device with the RAT while the two were discussing their terms and conditions.

"Let us repeat that: Dton, whose business model is infecting many innocent victims with RATs, and whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer's machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence," commented Check Point.

The tale came to an end when Dton, irritated by paying $800 a pop to have someone else pack his malware binaries for him, tried to blag a 90 per cent discount on a subscription to the datap packer service, which charged $300 for a lifetime subscription. Naturally, datap's operator, one "n0$f3ratu$" told him to go forth and multiply – so an aggrieved Dton filled out Interpol's online "contact us" webform with all the incriminating information he had on n0$f3ratu$ before screenshotting it and trying to use it as blackmail material to get his discount.

n0$f3ratu$ was unhappy with this:

Kiss my ass OR suck my cock! Your choice! When you fill that form please tell them how you tried [to] get money from me. 300$ Dude you are lucky we will never meet face to face.

"And thus Dton reached the crowning achievement of his career – majorly angering the technical people on whose work his entire livelihood depended. Way to go, Dton," commented a bone-dry Check Point.

As an entertaining tale, it's a good one. But this also gives a much deeper insight into the lifestyle and motivation of an email spammer. To him it's all about the money and return on investment. While Check Point didn't supply any guesstimates about how much of the stolen card cash stayed with Dton rather than being passed back up the cybercrime syndicate's chain, his primary motivation was undoubtedly financial.

With that in mind, ordinary folk can take simple precautions: guard your online banking credentials like gold bars, don't open unsolicited email attachments and above all, don't enable macros on documents you aren't expecting to receive. ®
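The macro warning above is the one concrete technical control in the story, so here is a defender-side illustration of it: a small triage script that inspects an Office OOXML file (the zip-based .docx/.docm format) and reports whether it actually carries a VBA project, regardless of what its extension claims. This is an added example and not code from Check Point's research or The Register; the `triage` and `build_sample_docx` functions and the sample files they construct are assumptions for the demonstration, and legacy OLE2 .doc files are deliberately out of scope.

```python
import io
import zipfile

# Content type that a genuinely macro-enabled Word document declares for its main part.
MACRO_ENABLED_WORD_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"


def document_has_vba(data: bytes) -> bool:
    """True if the OOXML package in `data` contains a VBA project part (vbaProject.bin)."""
    if not data.startswith(b"PK"):
        return False  # not a zip container: legacy .doc (OLE2) or something else; out of scope
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(name.lower().endswith("vbaproject.bin") for name in names)


def declares_macro_enabled(data: bytes) -> bool:
    """True if [Content_Types].xml declares the macro-enabled Word main part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return False
    return MACRO_ENABLED_WORD_CT in ct


def triage(filename: str, data: bytes) -> dict:
    """Summarise the macro-related facts a mail gateway or analyst would want to log."""
    has_vba = document_has_vba(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "filename": filename,
        "has_vba": has_vba,
        "declares_macro_enabled": declares_macro_enabled(data),
        # A plain .docx extension with a VBA part inside is a classic disguise worth flagging.
        "extension_mismatch": has_vba and ext == "docx",
        "verdict": "quarantine" if has_vba else "allow",
    }


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip (not a fully valid Word file) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_ENABLED_WORD_CT if with_macro else \
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project; constructed, not real macro code.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("report.docx", build_sample_docx(False)),
                       ("invoice.docx", build_sample_docx(True))):
        print(triage(name, blob))
```

The zip-level check is cheap enough to run on every inbound attachment, and the `extension_mismatch` flag catches the common case where a macro-bearing document is renamed to .docx to look harmless in a mail client.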
