A scammer infected his own laptop with the KeyBase keylogger, which then posted his own screenshots and logs. One of many, I know. Anyway, his screenshots, a bit of online research and connecting the dots reveal information that needs to be posted, for awareness and other reasons.
A recent photo of him (enlarged) from one Skype session.
Older photos can be found on his Facebook account.
Student at Lagos State University (screenshots below)
Address reported on student application:
59 Ago Palace Way Okota (Lagos, Nigeria)
Folami Ahmed Oyewale
Folami-holmes Ahmed Hoyewale
Holmes Ferguson, Wale, Waley, Peter Lewis, Gary Finlay, Victoria Collins, Sarah, Alonso…
Skype : holmessmg
Application for Lagos State University
Email for his professor (halaw313 at yahoo, Lawal Hanat / hanat.lawalraji on facebook)
His Yahoo inbox, full of “business partners”. In the next few screenshots he is purchasing, receiving and sharing stolen accounts: email accounts, hosting, RDP accounts…
Note: The person distributing the KeyBase and Pony files, with a recognisable pattern of dates in the panel paths, deserves special treatment; info coming soon. Just a few of his “distributions” from the last few months:
hurricanspin.ru/kb/walter-7aug-7sept/
hurricanspin.ru/kb/twovineye-29aug-29sept/
hurricanspin.ru/kb/viapethree-22aug-22sept/admin.php
hurricanspin.ru/kb/hyzeeksept1-oct1/admin.php
hurricanspin.ru/kb/walter-7aug-7sept/login.php
hurricanspin.ru/kb/vipefive-22aug-22sept/admin.php
hurricanspin.ru/kb/vineone-29aug-29sept/login.php
hurricanspin.ru/kb/twovineye-29aug-29sept/login.php
hurricanspin.ru/kb/vaipe4-22aug-22sept/admin.php
junebarks.org.in/vipetwo-22aug-22sept/admin.php
junebarks.org.in/bonepony1sept-1oct/admin.php
junebarks.org.in/davidk-4july-4aug/admin.php
juliedclient.org.in/wzlog/sellythree-31july-31aug/admin.php
juliedclient.org.in/wzlog/foursell31july-31aug/admin.php
ninetyman.org.in/ambros-21july-21aug/cp.php?m=login
twentysixjune.biz/kjosh29june-29july/admin.php
latinoslock.org.in/doittwo-6june-6july/admin.php
quotox.org.in/con/klosh-5aug-5sept/login.php
fitchersbook.org.in/nato3-27thOct/admin.php
fitchersbook.org.in/dik3-Nov8th/admin.php
chimmxyz.org.in/datt-1stNov/admin.php
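The panel paths above carry a name plus a start/end date, which is what makes them useful as indicators beyond the raw host list. The following script is an added example (not from the post or from any tool mentioned in it) that turns that list into structured IoCs: it splits each entry into host and campaign, pulls the dates out of the several spellings used ("7aug", "sept1", "27thOct", "Nov8th"), measures the length of each window, builds a host blocklist, and checks a few constructed proxy log lines against it. The `PROXY_LOG` lines are made up for the demonstration; the panel URLs are copied from the list.

```python
"""Turn the KeyBase/Pony panel URL list from the post into structured IoCs."""
import re
from collections import Counter
from datetime import date
from urllib.parse import urlsplit

# Panel URLs exactly as listed in the post (the original list has no scheme).
PANEL_URLS = [
    "hurricanspin.ru/kb/walter-7aug-7sept/",
    "hurricanspin.ru/kb/twovineye-29aug-29sept/",
    "hurricanspin.ru/kb/viapethree-22aug-22sept/admin.php",
    "hurricanspin.ru/kb/hyzeeksept1-oct1/admin.php",
    "hurricanspin.ru/kb/walter-7aug-7sept/login.php",
    "hurricanspin.ru/kb/vipefive-22aug-22sept/admin.php",
    "hurricanspin.ru/kb/vineone-29aug-29sept/login.php",
    "hurricanspin.ru/kb/twovineye-29aug-29sept/login.php",
    "hurricanspin.ru/kb/vaipe4-22aug-22sept/admin.php",
    "junebarks.org.in/vipetwo-22aug-22sept/admin.php",
    "junebarks.org.in/bonepony1sept-1oct/admin.php",
    "junebarks.org.in/davidk-4july-4aug/admin.php",
    "juliedclient.org.in/wzlog/sellythree-31july-31aug/admin.php",
    "juliedclient.org.in/wzlog/foursell31july-31aug/admin.php",
    "ninetyman.org.in/ambros-21july-21aug/cp.php?m=login",
    "twentysixjune.biz/kjosh29june-29july/admin.php",
    "latinoslock.org.in/doittwo-6june-6july/admin.php",
    "quotox.org.in/con/klosh-5aug-5sept/login.php",
    "fitchersbook.org.in/nato3-27thOct/admin.php",
    "fitchersbook.org.in/dik3-Nov8th/admin.php",
    "chimmxyz.org.in/datt-1stNov/admin.php",
]

MONTHS = {"jan": 1, "feb": 2, "mar": 3, "apr": 4, "may": 5, "jun": 6, "june": 6,
          "jul": 7, "july": 7, "aug": 8, "sep": 9, "sept": 9, "oct": 10, "nov": 11, "dec": 12}
# Longest spellings first so "sept" wins over "sep" and "june" over "jun".
_MONTH_ALT = "|".join(sorted(MONTHS, key=len, reverse=True))
# Day-then-month ("7aug", "27thOct") or month-then-day ("sept1", "Nov8th").
DATE_RE = re.compile(
    rf"(\d{{1,2}})(?:st|nd|rd|th)?({_MONTH_ALT})|({_MONTH_ALT})(\d{{1,2}})(?:st|nd|rd|th)?",
    re.IGNORECASE,
)


def _to_month_day(m):
    """Normalise either regex alternative to a (month, day) tuple."""
    d, mon, mon2, d2 = m.groups()
    if mon:
        return (MONTHS[mon.lower()], int(d))
    return (MONTHS[mon2.lower()], int(d2))


def window_days(start, end):
    """Approximate window length in days; labels carry no year, so a non-leap year is assumed."""
    if not start or not end:
        return None
    s = date(2001, start[0], start[1]).toordinal()
    e = date(2001, end[0], end[1]).toordinal()
    return e - s if e >= s else e - s + 365


def parse_panel(url):
    """Split one panel URL into host, path, campaign name and the dates in its label."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    segments = [s for s in parts.path.split("/") if s]
    label = next((s for s in segments if DATE_RE.search(s)), None)
    dates = [_to_month_day(m) for m in DATE_RE.finditer(label)] if label else []
    name = DATE_RE.sub("", label).strip("-") if label else None
    start = dates[0] if dates else None
    end = dates[1] if len(dates) > 1 else None
    return {"host": parts.hostname, "path": parts.path, "campaign": name,
            "start": start, "end": end, "window_days": window_days(start, end)}


def blocklist(urls):
    """Unique hosts, sorted, ready for a proxy/DNS blocklist."""
    return sorted({parse_panel(u)["host"] for u in urls})


def campaigns_per_host(urls):
    """How many distinct campaign labels each host served (duplicate paths collapse)."""
    seen, counts = set(), Counter()
    for u in urls:
        p = parse_panel(u)
        if (p["host"], p["campaign"]) not in seen:
            seen.add((p["host"], p["campaign"]))
            counts[p["host"]] += 1
    return counts


# Constructed proxy log lines for the demonstration: time, client, method, host, path, status.
PROXY_LOG = [
    "2015-09-03T10:12:44Z 10.0.0.15 POST hurricanspin.ru /kb/walter-7aug-7sept/login.php 200",
    "2015-09-03T10:13:02Z 10.0.0.15 GET example.org /index.html 200",
    "2015-09-03T10:15:10Z 10.0.0.22 POST junebarks.org.in /bonepony1sept-1oct/admin.php 200",
]


def find_hits(log_lines, hosts):
    """Return (client, host) pairs for requests that reached a blocklisted host."""
    blocked = set(hosts)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 5 and fields[3].lower() in blocked:
            hits.append((fields[1], fields[3]))
    return hits


if __name__ == "__main__":
    for u in PANEL_URLS:
        p = parse_panel(u)
        print(f"{p['host']:22} {p['campaign']:12} {p['start']} -> {p['end']}  ({p['window_days']} days)")
    print("blocklist:", blocklist(PANEL_URLS))
    print("campaigns per host:", campaigns_per_host(PANEL_URLS))
    print("hits:", find_hits(PROXY_LOG, blocklist(PANEL_URLS)))
```

Run as written, every two-date label comes out as a 30- or 31-day window, which is the "pattern of dates" the post points at: the panels look like month-long rentals. The single-date labels (nato3, dik3, datt) keep `end` as `None` rather than guessing.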
James Perolo – stolen Remote Desktop (RDP) access
email@example.com – stolen Remote Desktop (RDP) access
Once the stolen credentials for email accounts, hosting and RDP accounts are ready, it’s time for spreading. The next few screenshots show some of the activity: spreading malware through email, spamming, phishing, whaling…
His email dumps for spam
His collection of documents and files with hidden malware. He sends them as attachments, infecting the victim’s computer when the document is opened.
Whaling from stolen email account
phishing from hacked server
spamming from stolen RDP account
Fake company “United Inspirations Limited” (what the fuck is that even supposed to mean) spreading malicious attachments.
The attachments are flagged by many engines on VirusTotal.
Regardless of his explanation that the document is “secured” and that macros need to be enabled, victims very often can’t open the document at all. Apparently it might be time to change your malware provider, Folami.
In addition to his standard phishing/spam/scam operations he runs another type of scam well known in Nigeria: the love scam, or its internet variant, e-whoring. Basically, there are a lot of horny guys who think that love can be found on Facebook chat and Google Hangouts, and Ahmed Folami is there to give them hope. It’s “her” birthday and she is fishing for compliments and for money for the “ticket to your country”.
More success on Google Hangouts.
Money received by the mule named Ajanaku Olalekan
So, how much does he earn? Here is his bank account, but I don’t know how much of that was actually taken from victims.
That’s it. Apparently the KeyBase keylogger is here to stay: it’s easy to use, and even low-level scum like Ahmed Folami can use it, provided somebody installs it for him, gives him files to distribute, gives him RDP to spam from, emails to spam… real hax0r :)