Researchers at Check Point offer a look at a Nigerian citizen who moonlights as a cybercriminal and uses social engineering techniques. The man, whom the researchers call “Dton,” frequently visits an online store that peddles millions of stolen credit card numbers. Each of these credit cards is worth between $4 and $16 on the black market. Over the course of seven years, Dton has purchased more than $13,000 worth of stolen credit card information from this store.
He would then attempt to rack up fraudulent charges on the cards using various digital payment services. The researchers did the math and concluded that even if many of the credit cards didn’t work, Dton still probably made several hundred thousand dollars from this technique.
Dton grew more ambitious, however, and began buying lists of email addresses and various types of malware.
“Soon, Dton had a complete spamming staging ground — an army of remote, anonymized VMs that he could connect to with a VPN, and were equipped with the necessary tools for his work,” Check Point says.
The researchers go on to give a detailed and humorous glimpse into the daily life of a scammer. Dton is far from a sophisticated cybercriminal. He squabbles with his manager, reports his malware developers to INTERPOL when he grows unhappy with them, and infects his own computer with malware so his boss can monitor his work. He also infects his business partners’ machines with malware, just in case things go south.
“On some level, we know that cybercriminals are flesh and blood,” the researchers write. “They have feelings, wants and needs; they hold grudges, they make mistakes. But some cybercriminals are much more flesh and blood than others. We can’t put enough emphasis on the absurd contrast between the more professional operations that we have been watching on the one hand, and this absolute train wreck on the other.”
The researchers emphasize that despite Dton’s incompetencies, he still manages to be a successful cybercriminal. By following simple security best practices, such as being careful about clicking on links or opening attachments, and never clicking “Enable content” in a document, users can defend themselves against these attacks.
“It’s all trite advice that’s been repeated a million times – but the people who need to hear it aren’t reading this blog post,” the researchers write. “That’s how even Dton, a YOLO cybercriminal if we ever saw one, gets plenty of victims and rolls in cash.”
Check Point’s report shows that scammers can turn a profit because there are enough people in the world who still fall for their social engineering tricks. They don’t even have to be particularly good, novel, or convincing tricks. They just have to find their marks. New-school security awareness training can help your employees fight back by teaching them how to avoid falling for these scams.
Check Point has the story: https://research.checkpoint.com/2020/the-inside-scoop-on-a-six-figure-nigerian-fraud-campaign/