This is the second part of my research on the KeyBase keylogger. Multiple installations were found on the same server, and due to a few flaws in the setup and in the web panel itself all files are public; with a bit of poking around it was easy to find a lot of details. The scammer infected his own PC, so screenshots of it are uploaded to the server.
Searching for the name Ozokwel Chidinma (visible in the Skype window in several screenshots), a Google search revealed the following information:
Metadata from the .doc document revealed the user DE GREAT.
Poking around with the variations de great, de-great and degreat, I found his username on a few skiddy forums; one of them (the government honeypot hackforums.net) is probably the main source of all the software he uses (keyloggers, crypters).
Searching for the nickname degreat247 reveals connections between some of his domains, IPs and free DNS records.
Here are a few screenshots from his computer revealing some of his activities and even more connections, leading to the name Kevin Goodluck, an additional email address, a postal address and domains… a lot of domains, used for scams, phishing, etc.
Address used to register domains: 202 Road, C Close, Festac, Lagos, Nigeria
From [email protected] he is sending malware attachments to several other people, most likely his friends or customers.
KeyBase samples are detected and blocked by antivirus products, so he needs to crypt them to reduce the detection rate.
He is using login credentials stolen from compromised computers, most likely to send phishing emails and to figure out how other people's emails are constructed, so he can send more realistic requests for money transfers, or whatever else they do to scam people.
Here is an example of Skype sessions where he teaches another scammer how to do some tasks.
And finally, some of the domains connected with his name(s) and email(s):
Many of the domains are used for phishing.
Scary, isn't it? By the way, I have seen a lot of specific details in screenshots taken from victims' computers, and I have sent emails to warn them (to at least 10 victims), but nobody replied or did anything to clean the malware and protect their computers; they simply ignored my emails. I know because logs and screenshots are still coming to this server… So much for that.