The Imperva Defence Centre research team have taken a deep dive into a specific phishing attack and the person behind it, discovering a new meaning to the term, ‘Nigerian prince’ (those notorious advance-fee scams of the 90s).
Their research lead to an attacker who went by the email address: firstname.lastname@example.org. Investigation of Lvrxdnona’s server provided some interesting insights and exposed several hacking and phishing resources. In addition to phishing landing pages for Excel Online, OneDrive and Google Docs, the researchers also found several do-it-yourself (DIY) deployments kits for these campaigns
The researchers were curious to know who lvrxdnona is, so dug deeper to find the following:
- Lvrxdnona was present in the Nigerian Best Forum (NBF), which is the biggest Nigerian online community, where he appeared as a 28-year-old student from Lagos. The young man is not so beloved in the hacker community; he was banned by other users in several forums and classified as a Bot\Scammer – Fake Sale Threads Poster
- Lvrxdnona has a wide range of dubious interests. He published an attractive Money Making Tutorial 2016 on the eMoneySpace forum, which promises participants a profit of $100-200 per day.
- Moreover, lvrxdnona was found in a list of Nigerian spammers on stopforumspam.com (Figure 16).
- Lvrxdnona was also found in social networks such as Snapchat, Instagram, INK361, Twitter and Facebook.
While the cybercrime world is mostly comprised of organized groups operating in an industrial fashion, there are still individual entrepreneurs like lvrxdnona (perhaps today’s new ‘Nigerian prince’). This is attributed to the low cost, simplicity of operation, and availability of servers and DIY kits. The research also shows that with some effort and a little detective work the people behind cyber-criminal operations can be tracked.
The full blog is available at: https://www.imperva.com/blog/2017/04/hot-on-the-credential-theft-trail-tracking-a-hacker-from-a-dropbox-phishing-campaign/