"Scammer Infects His Own Machine With Spyware, Reveals True Identity"

A scammer who stole over 800,000 credentials from nearly 28,000 victims within the past several years exposed himself after infecting his own machine with info-stealing malware. While tracking threat actors targeting Ukrainian entities, Malwarebytes researchers picked up the trail of a group called Nigerian Tesla. The threat actor switched from conducting 419 advance fee fraud, also known as Nigerian letter scams, to distributing the widely used Remote Access Trojan (RAT) Agent Tesla to steal personal data from victims' infected systems. Nigerian Tesla was recently found attempting to distribute the malware through a phishing campaign targeting Ukrainians. The attack involved the command-and-control (C2) server sending a message to Agent Tesla on infected systems to confirm that the malware had been properly configured for remote communication. Further analysis of the campaign revealed multiple test emails originating from the attacker's own machine, suggesting the attacker had infected himself with Agent Tesla. According to Malwarebytes, the threat actor made several mistakes, but the biggest one was infecting his own computer with the Agent Tesla stealer, which collected and exfiltrated all the credentials from his machine. The test emails exposed the attacker's IP address, which then led to the discovery of the attacker's real identity. The researchers found the attacker's address, photos, and driver's license. This article continues to discuss the history, mistakes, and identification of the attacker associated with Nigerian scams and malware distribution.

Dark Reading reports "Scammer Infects His Own Machine With Spyware, Reveals True Identity"
