Activities of a Nigerian Cybercriminal Uncovered

Rise and fall of a Nigerian cybercriminal called ‘Dton,’ who made hundreds of thousands of dollars in a 7-year campaign, outlined in new report.

Ever wonder who’s behind one of those Nigerian cyber-crime email campaigns asking you to enter into a shady business deal and how they’re enacted? In a unique profile, researchers pulled back the curtain on such an attack with a report outlining how a Nigerian cybercriminal made hundreds of thousands of dollars over the course of seven years by targeting people through numerous malicious campaigns.

Check Point uncovered the double life of a career cyber-criminal known as Dton, who hoodwinked hundreds of thousands of people with a cybercrime campaign using the moniker “Bill Henry,” the company said in the report, released Tuesday.

“By day, he is Dton, administrator of businesses and achiever of organizational goals,” researchers wrote in the report. “But by night, he is Bill Henry, cybercriminal entrepreneur.”

Dton began his Nigerian cybercriminal business—which operated from 2013 to 2020–with simple credit-card fraud. Eventually, he worked his way up to email-based cybercrime campaigns luring people to click on links that would distribute various types of malware–including a custom-built remote access trojan (RAT), that could steal victims’ information and credentials, according to the report. Check Point researchers reported their findings to the appropriate Nigerian and global authorities, they said.

The first phase of Dton’s cybercriminal enterprise was to purchase stolen credit card details from Ferrum Shop, an online marketplace flogging more than 2.5 million stolen payment card credentials, then charge about $550 to each card he purchased. This netted him a tidy six-figure income that should have been enough for a lucrative side hustle from his day job, researchers said.

“A back-of-the-envelope calculation shows that during the years 2013-2020, the $13,000 spent by this account were converted into about 1,000 credit cards, which were then fraudulently charged for a total easily exceeding $100,000–probably several times that,” researchers wrote.

This is a picture of Dton's colleague

This is a picture of Dton’s colleague.

However, the upfront costs and constant payments to the Ferrum shop—which sometimes didn’t even result in card credentials being transferred to him—inspired Dton to expand his cybercriminal horizons, they said.

“He knew that true blood cybercriminals harvest their stolen credentials with their own two hands, fresh from the spam fields covered in morning dew; he longed to have that life,” researchers wrote.

Dton began buying “leads,” or email addresses of potential marks, in bulk, and then launching campaigns of his own to steal user credentials they wrote. With these leads, Dton escalated his cybercrime activity by sending a variety of malware, comprised of infostealers, keyloggers and crypters, to the bulk email addresses he purchased, researchers said.

These campaigns included the type of emails many people have already come across in their inboxes—the ones that include a formal greeting and request the potential victim to enter into a financial deal with the sender of the email based on the recommendation of a mutual contact.

To engage in his newfound cybercrime activities, Dton bought and tested various malware—such as packers and crypters, infostealers and keyloggers, exploits and remote VMs—from known cybercriminal marketplaces. For example, he tried out several known keyloggers alone, including AspireLogger, Nanocore and OriginLogger, during his shopping spree, Check Point reported.

“Dton now disguises his custom-built malware into everyday email attachments, blasts them out to each of the email addresses on his lists, and harvests user credential details without the email owners ever knowing,” researchers wrote.

Cybercriminal activities have similar structures to legitimate businesses, researchers revealed in their report. During his criminal activity, Dton also had partners in crime and even had to report to managers, with the same every-day headaches and disagreements with co-workers that people in legitimate jobs have to contend with.

Eventually, these frustrations led him to, rather than use malware he bought from other people, hire someone to create a customized RAT that he could use in his cybercriminal campaigns. But eventually Dton turned on the developer of the RAT, using it to compromise the developer’s own machine, researchers said.

Dton also got into an online argument with a provider of packing software for his malware and reached what Check Point researchers called “the crowning achievement of his career–majorly angering the technical people on whose work his entire livelihood depended,” they wrote. “Way to go, Dton.”

Check Point researchers cited the report as yet another cautionary tale to warn people to take care and be mindful in their online activities to ensure they are ordering goods and services from an authentic source.

They also advised them not to click on promotional links directly from emails, beware of lookalike links to known online merchants, and also to beware of “special” offers that seem too good to be true—because they probably are.

Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.

Suggested articles