Attacks/Breaches

7/2/2012
11:33 AM
50%
50%

British Police Bust Baltic Financial Malware Trio

Men face jail time for using SpyEye malware to steal consumers' online bank account information and launder $157,000. Separately, a TeamPoison hacker awaits sentencing for stealing former U.K. prime minister Tony Blair's online address book.

British police Friday announced that three men from the Baltic States who participated in a financial malware campaign will serve jail time.

Lithuanian national Pavel Cyganok, 28, and Estonian national Ilja Zakrevski, 26, respectively received five- and four-year prison sentences on computer-misuse charges, while Latvian national Aldis Krummins, 45, was sentenced on June 18 to a two-year prison sentence on money laundering charges.

"This complex international investigation concerned the construction and distribution of sophisticated banking Trojans," said detective constable Bob Burls, from the United Kingdom's Metropolitan Police central e-crime unit. "The defendants, during the course of their enterprise, developed a highly organized IT infrastructure to enable their criminality, including in some cases the automatic infection of innocent computer users with their malicious code."

British police said their investigation began after Estonian police alerted them that Zakrevski might be targeting U.K. banking consumers with a version of the SpyEye malware, which is designed to steal people's online banking credentials. Machines infected by SpyEye are also made part of a botnet that can be used to infect further PCs, or to facilitate spam email campaigns.

[ International law enforcement cooperation is critical to stopping financial malware operations. See FBI Busts Massive International Carding Ring. ]

Police said that within days of starting their investigation, they found 1,000 PCs--not only in Britain, but also in Denmark, the Netherlands, and New Zealand, that were connecting to the command-and-control (C&C) servers controlling this particular SpyEye botnet. Next, they discovered that a PC based in Estonia, which linked to an online username used by Zakrevski ("ASAP911") was being used to review the number of infected PCs that were contacting one of the C&C servers. From there, investigators uncovered additional servers, which they were able to link--by using digital forensic techniques--to both Zakrevski and Cyganok.

According to authorities, the two men used credit card data siphoned off of consumers' PCs by SpyEye to pay for additional IT equipment, personal expenses--including car insurance--as well as luxury goods, some of which were later resold via online automation sites. All told, police said the pair used online accounts to launder about $157,000.

Zakrevski had been arrested at his home in Denmark on unrelated charges. After British police issued a European arrest warrant, in July 2011 he was extradited to Britain and charged there. Meanwhile, British police said that at the time they arrested Cyganok--who lives in Birmingham, England--he was actively logged into a number of the C&C servers.

In other hacker-related prosecution news, TeamPoison hacker Junaid Hussain (a.k.a. TriCk), 18, pleaded guilty in British court last week to charges made against him under Britain's Computer Misuse Act 1990, which is the law in Britain typically used to charge people who are suspected of hacking offenses. Hussain was arrested in May 2012 on charges of having stolen former British prime minister Tony Blair's address book, as well as using Skype to swamp Britain's anti-terrorism hotline with bogus calls.

According to court testimony, Hussain obtained Blair's contact details by breaking into a Gmail account used by Katy Kay, a former special advisor to Blair. Hussain's attorney said that his client's activities had been meant as a prank.

Hussain faces sentencing on July 27. British police have said their investigation into activities carried out under the TeamPoison banner remains ongoing.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9036
PUBLISHED: 2018-06-20
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users.
CVE-2018-12327
PUBLISHED: 2018-06-20
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq ...
CVE-2018-12558
PUBLISHED: 2018-06-20
The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
CVE-2018-6563
PUBLISHED: 2018-06-20
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti...
CVE-2018-1120
PUBLISHED: 2018-06-20
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call t...