Cybersecurity firm Check Point Research, in a report shared with The Hacker news, uncovered the digital trail of a Nigerian cybercriminal, who went by the name of "Dton" and targeted hundreds of thousands of people under the moniker of "Bill Henry" by sending them malicious emails with custom-built malware.
The company said it disclosed the findings to concerned Nigerian and international law enforcement authorities for further action.
A multi-stage criminal scheme
The operation began with Dton buying stolen credit card details from Ferrum Shop, an online marketplace that sells over 2.5 million stolen credit card credentials, and then charging them each $550 each to fraudulently net more than $100,000 in illicit transactions.
"During the years 2013-2020, the account he regularly logs into has been used to purchase over $13,000 worth in stolen credit card credentials," Check Point noted.
Subsequently, the researchers found that Dton's monetizing cyber crimes were no longer dependent upon buying stolen credit cards. Instead, he started collecting this data himself, for which he purchased bulk email lists of new victims and malicious tools, including keyloggers (AspireLogger) and remote administration tools (RATs) such Nanocore and AZORult, a family of spyware that steals information and is used to download additional malware.
In the next step, Dton orchestrates a RAT-spamming operation, wherein the custom-built malware is disguised as innocuous email attachments, and sent out to each of the email addresses, thereby harvesting user credential details without the recipients' knowledge.
"Active for over seven years, Dton orchestrates his operation from Benin City, a city in southern Nigeria with a population over 1.5 million," the researchers told The Hacker News.
"But most of his attention went into buying malicious tools of the trade: Packers and crypters, infostealers and keyloggers, exploits and remote VMs."
"Dton now disguises his custom-built malware into everyday email attachments, blasts them out to each of the email addresses on his lists, and harvests user credential details without the email owners ever knowing."
The RATs contain hard-coded credentials for a single Yandex mail to which all the aggregated stolen victim data is sent to.
Protect Yourself from Phishing Attacks
It's no surprise that bad actors are continually finding new ways to trick consumers into providing remote access to their computers to steal information. By combining sophisticated social engineering techniques with information already available about the target from other sources, the attacks have proven to be an easy vector to bypass security barriers.
The ever-evolving sophistication of social engineering scams underscores the need for preparedness and practicing good security hygiene. It's essential that accounts are secured with two-factor authentication and be vigilant when it comes to opening emails and attachments from unknown senders.