By Rasheed Sobowale
Cybercrime is one of the most lucrative illegal activities in Nigeria. Press releases from the Nigerian anti-graft commission, EFCC, were usually centred on the arrest of a cybercriminal or group.
In August 2019, 77 Nigerians were among 80 suspects involved in cybercrimes dubbed by the United States prosecutors as one of the “largest cases of its kind in US history”.
In September, the FBI, in collaboration with law enforcement agencies in 10 countries, clamped down on 281 internet fraudsters. Of those arrested, 167 were from Nigeria.
In a recent development, a cybersecurity firm headquartered in Israel, Check Point Research, has revealed how a suspected Nigerian cybercriminal under the moniker “Bill Henry” has been targeting hundreds of thousands of unaware people.
The Nigerian, whose real name was redacted by the firm and who is instead referred to as Dton, was described thus: “He believes in professionalism, hard work and excellence. He’s a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues. Even his primary school teacher is willing to sing his praises on a phone call’s notice.”
Judging from the blurred details on his curriculum vitae (CV) obtained by the security firm, the male suspect’s name may have been Darlington, an indigene of Edo State and a graduate of the College of Education Ekiadolor, Edo State.
Although Dton appears to be a typical professional Nigerian, he lives a double life. During the day, he is a business administrator in search of a better life through legitimate means, but at night he is Bill Henry, a name not typical of a Nigerian-born person.
– How Dton (Bill Henry) operates his Cybercrime business –
The researcher who tracked down the Nigerian internet fraudster discovered that his first port of call is a Ferrum shop, where he purchases stolen credit card credentials.
This kind of online store offers a dumps service by selling dump cards. According to Investopedia, a credit card dump is an unauthorized digital copy of the information contained in the magnetic strip of an active credit card, such as the card number and expiration date. The information can then be used to create a fake credit card to make purchases.
Between 2013 and 2020, Dton regularly visited this site, and one specific account he usually uses purchased about 1,000 credit card credentials for over $13,000. He purchases each for about $4 or $16.
With every card he buys, Dton tries to make a transaction worth N200,000. If the transaction fails, he tries the card with another merchant before giving up; he then repeats the strategy and purchases another card from the site.
His successful transactions have cost the original card owners more than $100,000, or several times that.
– Why sell for less –
If you think the people who sell these credit cards for a few bucks must be fools, you may be right, but not entirely. Making payments with stolen credit cards is a risky venture that requires a set of skills to avoid being traced, and that is what people like Dton possess.
– Change of vendor –
Since not all the cards purchased by this fraudster generated the expected returns, he got frustrated. He is not the type interested in speculation.
Dton decided to harvest credit cards himself. He began to buy “leads”, the email addresses of potential victims, in bulk. This is one reason Nigerians need to be cautious of platforms and websites where they provide their email addresses or enter their card details.
These emails are just a means to an end and not the end itself. Dton is not a coder, so he purchased different software tools including packers and crypters, infostealers and keyloggers, exploits and remote VMs.
For malware, he purchased AspireLogger, NanoCore, OriginLogger and other VM software that Windows Defender on a PC will alert users about.
This software is used as a RAT (Remote Administration Tool), which allows another person to initiate or track actions on someone else’s computer or gadget from anywhere.
It can monitor your login details and extract personal information from your gadgets, such as card details, contacts, login details and lots more.
“On these machines, he would take his hand-picked malicious binaries and run them through packers.”
Dton needs bait to make victims allow him access to their gadgets, so he incorporates his malicious binaries in an appealing document.
He then sends the document to the bulk email addresses he has purchased.
– Virtual machines vs cybercrime tools –
Virtual Machines (VMs) are operating systems designed to run inside other operating systems. This means that where two machines would be expected to exist, only one does. The second machine, in this case controlled by people like Dton, allows normal communication with the server just as a physical machine would. This is where and how Dton is able to extract the information he needs from users’ personal computers.
Sorry!! Victims who clicked the link provided in the email have already given out vital information about themselves, notably their credit card details.
A happy Dton does not hesitate to share his excitement with friends.
Everything comes at a price. Since Dton is not a coder, he relies on malware tool suppliers. Sometimes, according to the Israeli cybersecurity firm, Dton’s tool suppliers demand more for their service.
– Dton’s venture capitalist –
The tools used by Dton are not cheap. As can be seen in the screenshot above, the tool seller is requesting $800 for his service.
Dton has someone who bankrolls him. It is suspected that this person also has someone who sponsors him or her, and the chain continues.
The sponsor acts as an investor and expects return on investment. When business is bad, the manager is not happy.
– Novel CoronaRAT –
Dton has a big vision and will not settle for less. He looks for a way to build his own malware (RAT) and spread it across different computers, just like the pandemic virus, COVID-19 (Coronavirus). Since it is new, no anti-virus or anti-malware product is aware of it yet, which gives it an easy pass.
He got someone.
The deal commenced.
RATs&exploits also offers personal one-on-one technical support and a hands-on demonstration of how to use the RAT. In the screenshot below, he explains how “Azorult” works:
The new RAT works perfectly.
RATs&exploits’ support and loyalty are unwavering.
“Let us repeat that: Dton, whose business model is infecting many innocent victims with RATs, and whose work is subject to strict surveillance by infecting his own machine with a RAT, commissioned a malware developer to write a personalized RAT for him and then had that developer’s machine compromised with a RAT. There is a decent chance that your brain just got infected with a RAT by reading this sentence,” Check Point Research stated.
– Growing network of Internet Fraudsters in Nigeria –
A few days ago, Vanguard reported that the Economic and Financial Crimes Commission (EFCC) arrested 48 suspected internet fraudsters in Abeokuta, Ogun State.
The suspects, many of whom claimed to be undergraduates, were arrested in the Alabata area of the Ogun State capital. A statement issued by the EFCC’s Acting Head of Media and Publicity, Tony Oriade, said the suspects were apprehended following reports on their alleged involvement in internet-related crimes.
Prior to this, Vanguard reported that the Ibadan Zonal Office of the Economic and Financial Crimes Commission (EFCC) had arrested six suspected internet fraudsters.
The suspects, made up of five males and a female, were arrested on Monday at Oluyole and Alao-Akala Estate areas of the city.
Recently, the Federal Bureau of Investigation (FBI) arrested thirteen Nigerians over an alleged $30 million money-laundering scheme in the United States.
– Nigeria 7th most targeted with malware –
A Kaspersky survey of its users revealed that Nigerians’ mobile phones are the seventh most targeted by mobile malware.
– How to protect yourself –
A United States cybersecurity firm, Proofpoint, noted that these fraudsters are now refining “their use of social engineering, relying on human interaction rather than automated exploits to install malware, initiate fraudulent transactions, steal data, and engage in other malicious activities.”
These attacks rely, 99 per cent of the time, on you, the gadget owner, clicking a link or opening an attachment. Be cautious about opening emails in your spam folder or emails with content that looks too good to be true.
When you notice a potential scammer’s email, flag it as spam and delete it without trying to check out the embedded link or document.
Also, be cautious of the permissions you give apps on your phone.