And his boss monitored him with a RAT
A most entertaining piece of threat research from Check Point gives a unique insight into the “working” life of a Nigerian email spammer who made thousands of dollars from stolen credit cards alone in recent years.
The scammer in question, whose true identity was known to Check Point, was by day “a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues,” as the infosec biz put it.
Yet, behind that facade of respectability, “Dton” (a made-up name to, er, spare his blushes) was in fact an email spammer – a spammer working as part of a Nigerian cybercrime syndicate that generates its ill-gotten gains through buying and using stolen credit card details.
Check Point this week chronicled Dton’s alternate lifestyle in great detail, setting out how his boss monitored him with a remote-access trojan (RAT) to ensure Dton generated a suitable return on investment for the syndicate. The scammer made $100,000 over seven years, which compares very favourably with Nigeria’s average annual salary of between $5,000 and $6,000.
Dton worked hard at both of his lives. His cybercriminal boss was a bit of a hard case (aren’t they all?) and controlled his output through a shared Gmail inbox. Dton’s criminal job was a bit of a drudge, really: the syndicate gave him around $1,000 a year which he had to spend buying stolen card data from Ferrum, a cybercrime marketplace.
Having bought the card data, Dton then patiently tried them out at online retailers, one by one, until he was able to make a false transaction. This criminal operation netted him and his handlers, by Check Point’s estimation, around $100,000 in total – and possibly more – between 2013 and 2020.
Unsatisfied by his criminal works, and perhaps irritated by his boss’ Panopticon-style surveillance of him (which didn’t stop his “manager” questioning why or how Dton had logged into his Yandex email account), Dton decided to go freelance. According to Check Point, he invested in tools including the AspireLogger key logger, and RATs such as Nanocore and Azorult. Having done so, he would pack his malware into a Word document macro before firing it out to a list of spam targets using Turbomailer.
Despite his growing interest in online fraud techniques, Dton appeared to be unaware that the RAT on his own machine was exfiltrating his very own personal data and mixing it in with the lists of stolen information he himself was creating. Nonetheless, the “entrepreneur” struck out on his own, engaging a custom RAT coder to write him a unique piece of malware – and, just for good business sense, managed to infect the coder’s device with the RAT while the two were discussing their terms and conditions.
“Let us repeat that: Dton, whose business model is infecting many innocent victims with RATs, and whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer’s machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence,” commented Check Point.
The tale came to an end when Dton, irritated by paying $800 a pop to have someone else pack his malware binaries for him, tried to blag a 90 per cent discount on a subscription to the datap packer service, which charged $300 for a lifetime subscription. Naturally, datap’s operator, one “n0$f3ratu$”, told him to go forth and multiply – so an aggrieved Dton filled out Interpol’s online “contact us” webform with all the incriminating information he had on n0$f3ratu$ before screenshotting it and trying to use it as blackmail material to get his discount.
n0$f3ratu$ was unhappy with this:
Kiss my ass OR suck my cock! Your choice! When you fill that form please tell them how you tried [to] get money from me. 300$ Dude you are lucky we will never meet face to face.
“And thus Dton reached the crowning achievement of his career – majorly angering the technical people on whose work his entire livelihood depended. Way to go, Dton,” commented a bone-dry Check Point.
As an entertaining tale, it’s a good one. But this also gives a much deeper insight into the lifestyle and motivation of an email spammer. To him it’s all about the money and return on investment. While Check Point didn’t supply any guesstimates about how much of the stolen card cash stayed with Dton rather than being passed back up the cybercrime syndicate’s chain, his primary motivation was undoubtedly financial.
With that in mind, ordinary folk can take simple precautions: guard your online banking credentials like gold bars, don’t open unsolicited email attachments and above all, don’t enable macros on documents you aren’t expecting to receive.