Research Saturday 4.11.20
Ep 130 | 4.11.20
Profiling an audacious Nigerian cybercriminal.
Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/SecureDC, or connect with Juniper on Twitter or Facebook. That's juniper.net/SecureDC. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:55] Thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Check Point Researcher: [00:01:34] I am as bewildered as you at the sheer audacity of this guy.

Dave Bittner: [00:01:39] The research we're discussing today is from the team at Check Point Research. It's titled, "The Inside Scoop on a Six-Figure Nigerian Fraud Campaign." Our researchers this week have requested anonymity for security reasons, and we're going to respect that request.

Check Point Researcher: [00:01:57] Our job as researchers involves us looking at malware all day long. And when you look at malware all day long, eventually you're going to run across some very strange and unexpected leads. This happens a few times a year to one of our researchers, and it happened this time. We happened across this guy who, as my colleague said, did not make it very difficult to happen across him.

Dave Bittner: [00:02:25] Well, let's learn a little bit about this person here. Who is this person and how did he come on your radar?

Check Point Researcher: [00:02:34] He's – I don't know – I would describe him as an entry-level cybercriminal. I mean, he has a lot of years of experience under his belt, but he doesn't know to code at all. He has basically zero technical knowledge, so every time he needs to do anything technical, his first instinct is to just approach someone who actually does know about the technical aspect of things and ask to buy whatever he needs, whether it's some sort of malware, or a packer for a malware, or at least a free – or, like, basically anything else. So, if I had to sum it up in one word, I would say he's like a cybercriminal entrepreneur, basically.

Dave Bittner: [00:03:20] Hmm. And in your research here, you highlight that this person is – sort of has two personas, one by day and one by night.

Check Point Researcher: [00:03:29] Mm-hmm. That is true. I don't think it's too uncommon. I believe this guy really would like to separate his identities. People like his family and his grade school teacher who makes a guest appearance in the publication – I don't think he would really love for them to know about this second life that he leads.

Dave Bittner: [00:03:53] Well, let's go through some of this criminal's various exploits here. In your research, you describe – he does a lot of business in stolen credit cards.

Check Point Researcher: [00:04:05] Yes, he does. How would I say it – the crime is already halfway done, right? You have all of these malwares, infostealing Trojans, and other malicious binaries floating out there infecting people and stealing their credentials. And some people are like – they like to be anonymous cowards like us, and they decide that once they've been able to steal these credentials, basically their job is done. They don't want to take the risk. They don't want to try to perform fraudulent credit card charges and maybe have the authorities on their tails. So they just sell these credentials, these stolen credentials, on an online shop, such as the Ferrum shop, where this Dton person discussed in the publication was a loyal customer.

Check Point Researcher: [00:04:53] And he, as the entrepreneur that we described earlier, saw this is an opportunity, because these anonymous cowards – they don't have the audacity to perform these fraudulent charges, but he definitely does. And he buys these credentials for a few dollars. And then for each such stolen credential, he performs a very, very large fraudulent charge, you know, to compensate him for the risk that he's taking on. And he made a pretty penny using this method. It didn't, in the end – if you read the publication – it didn't satisfy him, and he moved on to bigger and better things. But he made a large amount of money just with that mode of operation.

Dave Bittner: [00:05:32] Yeah, you point out in the research here that he could have easily made over a hundred thousand dollars, maybe even more than that. And one of the things about him is his audacity – that he's someone who's willing to take these risks.

Check Point Researcher: [00:05:45] Mm-hmm. I believe that the world of cybercrime is full of these people, because if you look at the numbers, it's easy money if you're willing to take the risks involved – like, for instance, the fact that now there is a publication about him out there on the Internet. That's one of the risks that you're taking on. But if you're willing to take them on, it's easy money. So I'm not surprised that guys like him exist.

Dave Bittner: [00:06:08] And he goes beyond just dealing in credit cards and starts to get into some of the other tools of the trade. Can you describe to us – what other things is he up to?

Check Point Researcher: [00:06:18] For example, he decides, to put it simply, that buying the stolen credit card credentials is not enough for him because he has to pay up to get the credit cards and sometimes they don't even work. So he decides that he wants to get the stolen credentials himself, which means he has to infect people himself using infostealing malware.

Check Point Researcher: [00:06:40] This means that he has to actually obtain his own malware and worry about things like obtaining leads, obtaining email addresses of potential victims, and worrying about solutions by security vendors stopping his malware, which is why he goes around and tries to buy packers and crypters and stuff like that in order to reduce the detection rate of the malicious binaries that he's spreading around. It's really – his ambition to expand his business and be more independent cost him a lot of headache.

Dave Bittner: [00:07:13] Now, you mentioned at the outset that it seems as though this person does not have a lot of technical abilities.

Check Point Researcher: [00:07:20] Mm-hmm.

Dave Bittner: [00:07:20] As you witness him going after these other tools – these keyloggers and various types of malware – are you seeing sort of a self-education here? Is he getting better? Is he learning the tools?

Check Point Researcher: [00:07:32] We are seeing zero self-education. We are seeing, like, the machine-learning sort of self-education, where he just tries everything to see what appears to give him the best numbers, and then mindlessly goes with that. And you know what? It's a strategy I can respect. It worked out well enough for him.

Dave Bittner: [00:07:49] And so does he have success with these sorts of tools, with the keyloggers, and so on?

Check Point Researcher: [00:07:53] I believe he does, because if you look at the publication, in one of the screenshots, he tried one of the many, many, many, many, many strains of malware that he eventually gets to try out, and it's Nanocore, a well-known and well-respected brand name in the cybercrime arena. And he wakes up in the morning after he sent out all of these malicious payloads, and he sees the amount of leads that he got, and he's, like, ecstatic. It's more than in his wildest dreams. So I think – I don't know what the answer is if you ask me, but if you ask him, he was very satisfied with the results, at least for a while.

Dave Bittner: [00:08:31] And can you give us some insights – what was your ability to track him here? How were you able to just keep an eye on him while he was doing these things?

Check Point Researcher: [00:08:39] Oh, oh, right – so, we really aren't at liberty to disclose this. We can say that all of this information about him fell off the back of a truck.

Dave Bittner: [00:08:48] I see. (Laughs)

Check Point Researcher: [00:08:48] If you really insist to know, it wasn't like some complex sting operation. At no point someone sat at a keyboard for fifteen minutes typing furiously and then and there said, like, "I'm in." 

Dave Bittner: [00:09:01] (Laughs)

Check Point Researcher: [00:09:01] This guy – he had a really, really, really lousy OPSEC. He was just sitting there waiting for someone to find him. And I think, like, in theory, an analyst with one week of experience could have found all of this information. Of course, I'm exaggerating, but really he was just a sitting target. So I think that's really the takeaway here.

Dave Bittner: [00:09:24] Yeah, I mean, that's really an interesting insight, that this person who, I suppose on the one hand, as you say, the OPSEC was very lazy, so reflects the laziness of criminals, but also was willing to put in the time of just trying and trying and trying things. It seems like he had plenty of time on his hands.

Check Point Researcher: [00:09:45] Well, first of all, it's not the laziness of criminals in general – it's, like, this one specific guy.

Dave Bittner: [00:09:51] (Laughs)

Check Point Researcher: [00:09:52] We've seen the people behind Emotet and Gozi and GandCrab – these are professionals. They really put in the work and they keep up with the times and technical advancements, you know, at least to some sort of standard. This guy is a different breed of criminal. Yeah, he had all the time in the world to try every single solution that he could possibly think of without, like, understanding anything technical about what he was doing. But again, it worked out well-enough for him, so who are we to argue?

Dave Bittner: [00:10:24] Well, it's interesting too – one of the things you point out in your research is that he was not always terribly successful in dealing with the other people in the criminal underground. It seems as though there were times when they were trying to take advantage of him.

Check Point Researcher: [00:10:37] Actually, most of the time, he is the one trying to take advantage of other people by, like, infecting them with remote administration tools while they were trying to do business with him. I agree that the other sorts of people that he is interacting with, sometimes they demand exaggerated prices for their tools. But first of all, I don't feel very sorry for him given the goal that he is after. And second, it's a very, very, very large free market. And I believe that, for example, if he's looking at a packer and he thinks the price is really, really inflated, he could have easily found another packer, which is not much worse for much less of the costs. So, if you were talking earlier about his laziness, maybe, you know, if he had put more effort on this front, you know, just when he sees a price that seems inflated to him, just take a deep breath and let it go, and go look for something else, instead of, you know, infecting people with RATs, and ratting them out to INTERPOL, maybe he would have had a better outcome.

Dave Bittner: [00:11:48] Well, and this person does move on to some spamming using remote access Trojans, using RATs. What was he doing there?

Check Point Researcher: [00:11:57] Well, as I said, this was his way of getting credit card credentials on his own, without being dependent on external shops that sell these credentials after they had already been stolen. I suppose that he figured that this would raise his profit margin. And look, this guy – if there's one thing I can say about him, he was very, very, very attuned to his profit margin and he was watching it keenly all the time. So, given that he kept on this path of spamming malware everywhere and did not just go back to purchasing credentials at the store, then I suppose that it really did increase his margins over just buying the credentials.

Dave Bittner: [00:12:43] And at some point, he goes and hires someone to custom-code his own RAT for him, yes?.

Check Point Researcher: [00:12:48] Yeah, this is an instance of a fascinating phenomenon that you see across the cybercrime field. I think this is not something limited to this one guy. It's like – how would I call it – voodoo programming, maybe? This cargo cult cybercriminal activity. Because he sees that the numbers are not as high as he would like, and this entire theory, – I can only speculate, all right? – but this entire theory builds up in his head that his enemy is detections. Right? Some amorphous adversaries, security vendors, demons of that sort, are blocking the malware that he is spreading. It's not, you know, say, people looking at the email that he just sent and with one look saying, no, I'm not clicking that – it's the detections. And he decides that the issue is that all of these malwares, they are too familiar, they are brand names, and if he really, really wants to get higher conversion rates, what he needs is something brand new, made from scratch. I wouldn't agree with him on that, but this is the path that he chose.

Dave Bittner: [00:14:00] There's a remarkable part in your research here, where you describe this gentleman Dton infecting his developer with a RAT itself?

Check Point Researcher: [00:14:15] I could not believe it when I saw it. 

Dave Bittner: [00:14:18] (Laughs)

Check Point Researcher: [00:14:18] When I was told that this is, in fact, what had happened – among Dton's many, many, many other exploits – I asked, what? Excuse me, what? Are you really sure? I am going to put this sentence in a Check Point Research publication, so can you please triple check for me that this event, in fact, happened? 

Dave Bittner: [00:14:37] (Laughs)

Check Point Researcher: [00:14:38] Right? And after I heard the word "yes" for the fifth time, I put it in the publication. But I am as bewildered as you with the sheer audacity of this guy.

Dave Bittner: [00:14:48] Yeah, there's no honor among thieves, evidently. And he certainly was prolific, just – like you said, just trying thing after thing after thing.

Check Point Researcher: [00:14:58] This is true. There is a – we called it in the publication a veritable grocery list of malware that he tried out just to see the conversion rate, whether it's going up or down now that he tried a different sort of malware.

Dave Bittner: [00:15:14] And so, where do you leave things? As things stand now, your journey with this particular criminal – was there an ending point for this, or is he still at it?

Check Point Researcher: [00:15:25] (Laughs) We disclosed a huge pile of material to the local Nigerian authorities, as well as to a spooky three-letter agency that shall remain unnamed. And we're – as a security vendor, we're chasing malicious samples of the sort that he sent out in spam messages all the time. Check Point and other security vendors – they spend a lot of their time hunting indications of compromise and other characteristics of these malware to be able to protect people from them.

Check Point Researcher: [00:15:58] But, you know, if you know anything about security, you know that this chase is an honest effort, but it's not a guarantee. People need to practice good security hygiene and be vigilant regarding what links they click, and whether they enable macros on every document that they receive. It's the sad truth.

Dave Bittner: [00:16:17] It's remarkable to me that this marketplace – first of all, that it exists – but that it's as sophisticated as it is, in that someone like this, who really, more than anything, just has ambition and time on his hands, can get out there, be entrepreneurial, and start his own little successful criminal enterprise. 

Check Point Researcher: [00:16:39] Mm-hmm. Yeah. Malware is a whole economy now. It did not used to be like that, but like I think since the advent of Zeus and malware like that, there's been an explosion in all sorts of opportunities to purchase malware and tools related to malware – exploit-as-a-service, packer-as-a-service, everything-as-a-service. So, you really can approach your cybercriminal enterprise without knowing anything technical at all, and just approach the whole thing like you're putting together a grocery list with your shopping cart. OK, I need a packer, OK, I need this malware, OK, I need this list of leads. And you're all set.

Dave Bittner: [00:17:19] In terms of people protecting themselves against the sort of things that this particular criminal was up, what sort of recommendations do you have? 

Check Point Researcher: [00:17:27] Well, OK, when you look at this sort of issue, of this really potato-grade criminal activity being able to siphon so much money away from innocent people, there are really two ways that you can look at it.

Check Point Researcher: [00:17:40] One way is to become depressed and say that there's nothing new under the sun, this is just the way the world is. These people are going to exist as long as innocent people mindlessly click links in emails and mindlessly enable macros, and this is always the way that it's going to be. Because, you know, I can sit here and tell the people listening to this podcast about what links not to click until kingdom come, but the truth is that, like we said in a publication, the people who need to hear this advice the most aren't listening to this podcast. And this is sad. 

Check Point Researcher: [00:18:13] Now, my personal opinion is that probably the way forward is – I'll put it bluntly – nannying and mollycoddling the laymen more. Because this is something that has precedent in the information security landscape. By now, your web browser will sometimes tell you, no, you're not going to that website. No, we are not adding an exception for that certificate, and that's final. One day – I'm not sure, but possibly – it may be that your email client or service provider will tell you, no, you're not clicking on that link. A copy of Microsoft Word may tell you, no, you're not enabling macros. Because, like I mentioned earlier, as sad as it is, it seems that in a lot of cases the way forward is to protect the people from their own choices.

Dave Bittner: [00:19:04] Our thanks to the team at Check Point Research for sharing their insights. The research is titled, "The Inside Scoop on a Six-Figure Nigerian Fraud Campaign." We'll have a link in the show notes.

Dave Bittner: [00:19:16] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.

Dave Bittner: [00:19:24] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

Dave Bittner: [00:19:32] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.