Attacks/Breaches
7/2/2012
11:33 AM
Connect Directly
RSS
E-Mail
50%
50%

British Police Bust Baltic Financial Malware Trio

Men face jail time for using SpyEye malware to steal consumers' online bank account information and launder $157,000. Separately, a TeamPoison hacker awaits sentencing for stealing former U.K. prime minister Tony Blair's online address book.

British police Friday announced that three men from the Baltic States who participated in a financial malware campaign will serve jail time.

Lithuanian national Pavel Cyganok, 28, and Estonian national Ilja Zakrevski, 26, respectively received five- and four-year prison sentences on computer-misuse charges, while Latvian national Aldis Krummins, 45, was sentenced on June 18 to a two-year prison sentence on money laundering charges.

"This complex international investigation concerned the construction and distribution of sophisticated banking Trojans," said detective constable Bob Burls, from the United Kingdom's Metropolitan Police central e-crime unit. "The defendants, during the course of their enterprise, developed a highly organized IT infrastructure to enable their criminality, including in some cases the automatic infection of innocent computer users with their malicious code."

British police said their investigation began after Estonian police alerted them that Zakrevski might be targeting U.K. banking consumers with a version of the SpyEye malware, which is designed to steal people's online banking credentials. Machines infected by SpyEye are also made part of a botnet that can be used to infect further PCs, or to facilitate spam email campaigns.

[ International law enforcement cooperation is critical to stopping financial malware operations. See FBI Busts Massive International Carding Ring. ]

Police said that within days of starting their investigation, they found 1,000 PCs--not only in Britain, but also in Denmark, the Netherlands, and New Zealand, that were connecting to the command-and-control (C&C) servers controlling this particular SpyEye botnet. Next, they discovered that a PC based in Estonia, which linked to an online username used by Zakrevski ("ASAP911") was being used to review the number of infected PCs that were contacting one of the C&C servers. From there, investigators uncovered additional servers, which they were able to link--by using digital forensic techniques--to both Zakrevski and Cyganok.

According to authorities, the two men used credit card data siphoned off of consumers' PCs by SpyEye to pay for additional IT equipment, personal expenses--including car insurance--as well as luxury goods, some of which were later resold via online automation sites. All told, police said the pair used online accounts to launder about $157,000.

Zakrevski had been arrested at his home in Denmark on unrelated charges. After British police issued a European arrest warrant, in July 2011 he was extradited to Britain and charged there. Meanwhile, British police said that at the time they arrested Cyganok--who lives in Birmingham, England--he was actively logged into a number of the C&C servers.

In other hacker-related prosecution news, TeamPoison hacker Junaid Hussain (a.k.a. TriCk), 18, pleaded guilty in British court last week to charges made against him under Britain's Computer Misuse Act 1990, which is the law in Britain typically used to charge people who are suspected of hacking offenses. Hussain was arrested in May 2012 on charges of having stolen former British prime minister Tony Blair's address book, as well as using Skype to swamp Britain's anti-terrorism hotline with bogus calls.

According to court testimony, Hussain obtained Blair's contact details by breaking into a Gmail account used by Katy Kay, a former special advisor to Blair. Hussain's attorney said that his client's activities had been meant as a prank.

Hussain faces sentencing on July 27. British police have said their investigation into activities carried out under the TeamPoison banner remains ongoing.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.