When you spot a phishing attempt or an email with a suspicious document attached in your inbox, have you ever wondered who actually sent it to you, and how they got your details? Or even how much money they really make from their activities?
Well, we can now answer those questions. Over the past few months, Check Point’s researchers have painstakingly uncovered the identity of a prolific cyber-criminal known as ‘Dton’. He has been active for over seven years, and earned at least $100,000 US from his ‘work.’ In fact, it’s likely he has earned several times that amount.
Dton is 25, single, and lives in Benin City, a place with a population of nearly 1.5 million in Southern Nigeria. From his resumé, Dton seems like a model citizen. But he also has another identity: Bill Henry, a career cyber-criminal who buys goods with stolen credit cards and launches phishing and malware attacks.
So how did Dton (AKA Bill) get started in a life of cybercrime that has earned him, on average, at least 14x the new national minimum wage in Nigeria and 3x the average professional salary every year since 2013?
Getting started: stolen credit card scams
Bill / Dton started out by speculating a little: he spent around $13,000 buying the details of 1000 credit cards from a special online marketplace specializing in stolen payment card credentials. With each stolen card – costing around $4 to $16 each – Bill usually tried to charge about 200,000 Nigerian Naira (NAN), equivalent to around $550 US. If the transaction is blocked, he tries another merchant, or another card until one succeeds. From his ‘investment’ in the 1000 stolen cards, Bill has been able to charge at least $100,000.
However, it seems that constantly buying new blocks of stolen card details started to irritate Bill / Dton: he resented having to pay upfront and wanted higher margins and profits. So he started buying ‘leads’ – bulk email addresses of potential targets, so he could launch his own exploits.
Moving into multi-level malware marketing
Bill / Dton started buying up the tools of the trade to help him craft malware to spam out to his list of targets. These tools include off-the-shelf packers and crypters, infostealer and keylogger components, and exploits. With these tools, he could custom-build his own malware, insert them into a benign-looking document, create his email, then blast it out to his large list of marks.
This quickly delivered lots of user credentials that Bill could exploit, earning him more money – and also satisfying his boss. Yes, Bill / Dton is not a sole trader: he has a manager, who in turn reports to another manager. These managers pass seed capital down to Bill / Dton, but they also expect strong returns on their investments. It’s the cybercrime equivalent of a ‘pyramid selling’ or multi-level marketing scheme.
Once again, Bill / Dton started to get irritated (as we all sometimes do) by his boss nagging all the time, and by the diminishing returns from buying and using off-the-shelf malware toolkits. He decided to develop his own malware from scratch – malware that has no known signature, and that can bypass most security defenses – so he could work for himself.
It’s a RAT eat RAT world
As Bill / Dton is not a coder, he hired a person named ‘RATs &exploits’ to develop his malware for him. But it seems the expression ‘there is no honor amongst thieves’ is true: Bill / Dton compromised Mr RATs &exploits’ machine with a RAT, so he could spy on his work and hopefully steal some of his secrets. When that wasn’t enough, he also engaged – and then fell out with – another shady character behind a specialized malware packer program, by arguing with him on underground forums over prices and usage. The result was that when Bill / Dton didn’t get what he wanted, he reported the other party to Interpol. The cyber-crime economy is certainly a rat-eat-rat world – but all the while and despite these minor setbacks, Bill / Dton carried on earning illicit cash.
Dton’s journey into cybercrime shows how even a relatively unskilled, and undisciplined individual can profit handsomely from fraud and malicious online activity. This is simply because, like many other criminal activities, cyber-crime is a numbers game. It doesn’t matter if 499 people don’t open a malware-spiked email: the 500th person will. And when you can target hundreds of thousands of people at a time, you only need to infect a handful to get hold of your ill-gotten gain.
To protect yourself against becoming a victim of the thousands of Dtons / Bills out there, you should follow these best practices:
- When shopping online, ensure you are ordering goods from an authentic source. Don’t click on promotional links in emails, and instead Google your desired retailer and click the link from the Google results page to avoid having your personal and payment details skimmed.
- Beware of ‘special’ offers. An 80% discount on a new iPhone or “an exclusive cure for Coronavirus for $150” is usually not a reliable or trustworthy opportunity.
- Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
- Protect your organization with an holistic, end to end cyber architecture, to prevent zero-day attacks
Since uncovering Dton / Bill’s identity and activities, Check Point’s research team has notified law enforcement authorities in Nigeria and internationally and shared its findings with them. Full details of Dton’s exploits are available on the Check Point Research blog.