Attacks/Breaches
7/2/2012
11:33 AM
Connect Directly
RSS
E-Mail
50%
50%

British Police Bust Baltic Financial Malware Trio

Men face jail time for using SpyEye malware to steal consumers' online bank account information and launder $157,000. Separately, a TeamPoison hacker awaits sentencing for stealing former U.K. prime minister Tony Blair's online address book.

British police Friday announced that three men from the Baltic States who participated in a financial malware campaign will serve jail time.

Lithuanian national Pavel Cyganok, 28, and Estonian national Ilja Zakrevski, 26, respectively received five- and four-year prison sentences on computer-misuse charges, while Latvian national Aldis Krummins, 45, was sentenced on June 18 to a two-year prison sentence on money laundering charges.

"This complex international investigation concerned the construction and distribution of sophisticated banking Trojans," said detective constable Bob Burls, from the United Kingdom's Metropolitan Police central e-crime unit. "The defendants, during the course of their enterprise, developed a highly organized IT infrastructure to enable their criminality, including in some cases the automatic infection of innocent computer users with their malicious code."

British police said their investigation began after Estonian police alerted them that Zakrevski might be targeting U.K. banking consumers with a version of the SpyEye malware, which is designed to steal people's online banking credentials. Machines infected by SpyEye are also made part of a botnet that can be used to infect further PCs, or to facilitate spam email campaigns.

[ International law enforcement cooperation is critical to stopping financial malware operations. See FBI Busts Massive International Carding Ring. ]

Police said that within days of starting their investigation, they found 1,000 PCs--not only in Britain, but also in Denmark, the Netherlands, and New Zealand, that were connecting to the command-and-control (C&C) servers controlling this particular SpyEye botnet. Next, they discovered that a PC based in Estonia, which linked to an online username used by Zakrevski ("ASAP911") was being used to review the number of infected PCs that were contacting one of the C&C servers. From there, investigators uncovered additional servers, which they were able to link--by using digital forensic techniques--to both Zakrevski and Cyganok.

According to authorities, the two men used credit card data siphoned off of consumers' PCs by SpyEye to pay for additional IT equipment, personal expenses--including car insurance--as well as luxury goods, some of which were later resold via online automation sites. All told, police said the pair used online accounts to launder about $157,000.

Zakrevski had been arrested at his home in Denmark on unrelated charges. After British police issued a European arrest warrant, in July 2011 he was extradited to Britain and charged there. Meanwhile, British police said that at the time they arrested Cyganok--who lives in Birmingham, England--he was actively logged into a number of the C&C servers.

In other hacker-related prosecution news, TeamPoison hacker Junaid Hussain (a.k.a. TriCk), 18, pleaded guilty in British court last week to charges made against him under Britain's Computer Misuse Act 1990, which is the law in Britain typically used to charge people who are suspected of hacking offenses. Hussain was arrested in May 2012 on charges of having stolen former British prime minister Tony Blair's address book, as well as using Skype to swamp Britain's anti-terrorism hotline with bogus calls.

According to court testimony, Hussain obtained Blair's contact details by breaking into a Gmail account used by Katy Kay, a former special advisor to Blair. Hussain's attorney said that his client's activities had been meant as a prank.

Hussain faces sentencing on July 27. British police have said their investigation into activities carried out under the TeamPoison banner remains ongoing.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.