Nigerian spammer made 3X average national salary firehosing macro-laden Word docs at world+dog

And his boss monitored him with a RAT

A most entertaining piece of threat research from Check Point gives a unique insight into the "working" life of a Nigerian email spammer who made thousands of dollars from stolen credit cards alone in recent years.

The scammer in question, whose true identity was known to Check Point, was by day "a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues," as the infosec biz put it.

Yet, behind that facade of respectability, "Dton" (a made-up name to, er, spare his blushes) was in fact an email spammer – a spammer working as part of a Nigerian cybercrime syndicate that generates its ill-gotten gains through buying and using stolen credit card details.

Check Point this week chronicled Dton's alternate lifestyle in great detail, setting out how his boss monitored him with a remote-access trojan (RAT) to ensure Dton generated a suitable return on investment for the syndicate. The scammer made $100,000 over seven years, which compares very favourably with Nigeria's average annual salary of between $5,000 and $6,000.

Dton worked hard at both of his lives. His cybercriminal boss was a bit of a hard case (aren't they all?) and controlled his output through a shared Gmail inbox. Dton's criminal job was a bit of a drudge, really: the syndicate gave him around $1,000 a year which he had to spend buying stolen card data from Ferrum, a cybercrime marketplace.

Having bought the card data, Dton then patiently tried them out at online retailers, one by one, until he was able to make a false transaction. This criminal operation netted him and his handlers, by Check Point's estimation, around $100,000 in total – and possibly more – between 2013 and 2020.

Unsatisfied by his criminal works, and perhaps irritated by his boss' Panopticon-style surveillance of him (which didn't stop his "manager" questioning why or how Dton had logged into his Yandex email account), Dton decided to go freelance. According to Check Point, he invested in tools including the AspireLogger key logger, and RATs such as Nanocore and Azorult. Having done so, he would pack his malware into a Word document macro before firing it out to a list of spam targets using Turbomailer.

Despite his growing interest in online fraud techniques, Dton appeared to be unaware that the RAT on his own machine was exfiltrating his very own personal data and mixing it in with the lists of stolen information he himself was creating. Nonetheless, the "entrepreneur" struck out on his own, engaging a custom RAT coder to write him a unique piece of malware – and, just for good business sense, managed to infect the coder's device with the RAT while the two were discussing their terms and conditions.

"Let us repeat that: Dton, whose business model is infecting many innocent victims with RATs, and whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer's machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence," commented Check Point.

The tale came to an end when Dton, irritated by paying $800 a pop to have someone else pack his malware binaries for him, tried to blag a 90 per cent discount on a subscription to the datap packer service, which charged $300 for a lifetime subscription. Naturally, datap's operator, one "n0$f3ratu$" told him to go forth and multiply – so an aggrieved Dton filled out Interpol's online "contact us" webform with all the incriminating information he had on n0$f3ratu$ before screenshotting it and trying to use it as blackmail material to get his discount.

n0$f3ratu$ was unhappy with this:

Kiss my ass OR suck my cock! Your choice! When you fill that form please tell them how you tried [to] get money from me. 300$ Dude you are lucky we will never meet face to face.

"And thus Dton reached the crowning achievement of his career – majorly angering the technical people on whose work his entire livelihood depended. Way to go, Dton," commented a bone-dry Check Point.

As an entertaining tale, it's a good one. But this also gives a much deeper insight into the lifestyle and motivation of an email spammer. To him it's all about the money and return on investment. While Check Point didn't supply any guesstimates about how much of the stolen card cash stayed with Dton rather than being passed back up the cybercrime syndicate's chain, his primary motivation was undoubtedly financial.

With that in mind, ordinary folk can take simple precautions: guard your online banking credentials like gold bars, don't open unsolicited email attachments and above all, don't enable macros on documents you aren't expecting to receive. ®
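The macro-laden Word documents described above are the delivery mechanism, so a mail gateway or endpoint check that flags any Word document carrying a VBA project before a user can be tempted to "enable content" is a practical defensive control. The following is an added example, not code from the article or from Check Point; the sample documents it builds are constructed stand-ins, and the content-type string and `vbaProject.bin` part name are those used by the Office Open XML format.

```python
import io
import zipfile

# Main-part content type Word assigns to macro-enabled (.docm) documents
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")


def word_doc_has_macros(data: bytes) -> bool:
    """Return True if an Office Open XML Word document carries a VBA project.

    Two independent signals are checked: the word/vbaProject.bin part inside
    the zip container, and the macro-enabled main-part content type declared
    in [Content_Types].xml. Renaming .docm to .docx changes neither.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "word/vbaProject.bin" in names:
                return True
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_MAIN_CT in ct
    except zipfile.BadZipFile:
        # Not an OOXML container: legacy .doc, RTF, or not a Word file at all,
        # so this particular check cannot say anything about it.
        return False
    return False


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal stand-in document for the demo (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real compiled VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_doc(False)),
                       ("macro", build_sample_doc(True))):
        print(f"{label}: has VBA project = {word_doc_has_macros(doc)}")
```

A hit from this check is a reason to quarantine or strip the attachment, not proof of malice on its own, since legitimate business documents also carry macros.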
