Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

British Police Bust Baltic Financial Malware Trio

Men face jail time for using SpyEye malware to steal consumers' online bank account information and launder $157,000. Separately, a TeamPoison hacker awaits sentencing for stealing former U.K. prime minister Tony Blair's online address book.

British police Friday announced that three men from the Baltic States who participated in a financial malware campaign will serve jail time.

Lithuanian national Pavel Cyganok, 28, and Estonian national Ilja Zakrevski, 26, respectively received five- and four-year prison sentences on computer-misuse charges, while Latvian national Aldis Krummins, 45, was sentenced on June 18 to a two-year prison sentence on money laundering charges.

"This complex international investigation concerned the construction and distribution of sophisticated banking Trojans," said detective constable Bob Burls, from the United Kingdom's Metropolitan Police central e-crime unit. "The defendants, during the course of their enterprise, developed a highly organized IT infrastructure to enable their criminality, including in some cases the automatic infection of innocent computer users with their malicious code."

British police said their investigation began after Estonian police alerted them that Zakrevski might be targeting U.K. banking consumers with a version of the SpyEye malware, which is designed to steal people's online banking credentials. Machines infected by SpyEye are also made part of a botnet that can be used to infect further PCs, or to facilitate spam email campaigns.

[ International law enforcement cooperation is critical to stopping financial malware operations. See FBI Busts Massive International Carding Ring. ]

Police said that within days of starting their investigation, they found 1,000 PCs--not only in Britain, but also in Denmark, the Netherlands, and New Zealand, that were connecting to the command-and-control (C&C) servers controlling this particular SpyEye botnet. Next, they discovered that a PC based in Estonia, which linked to an online username used by Zakrevski ("ASAP911") was being used to review the number of infected PCs that were contacting one of the C&C servers. From there, investigators uncovered additional servers, which they were able to link--by using digital forensic techniques--to both Zakrevski and Cyganok.

According to authorities, the two men used credit card data siphoned off of consumers' PCs by SpyEye to pay for additional IT equipment, personal expenses--including car insurance--as well as luxury goods, some of which were later resold via online automation sites. All told, police said the pair used online accounts to launder about $157,000.

Zakrevski had been arrested at his home in Denmark on unrelated charges. After British police issued a European arrest warrant, in July 2011 he was extradited to Britain and charged there. Meanwhile, British police said that at the time they arrested Cyganok--who lives in Birmingham, England--he was actively logged into a number of the C&C servers.

In other hacker-related prosecution news, TeamPoison hacker Junaid Hussain (a.k.a. TriCk), 18, pleaded guilty in British court last week to charges made against him under Britain's Computer Misuse Act 1990, which is the law in Britain typically used to charge people who are suspected of hacking offenses. Hussain was arrested in May 2012 on charges of having stolen former British prime minister Tony Blair's address book, as well as using Skype to swamp Britain's anti-terrorism hotline with bogus calls.

According to court testimony, Hussain obtained Blair's contact details by breaking into a Gmail account used by Katy Kay, a former special advisor to Blair. Hussain's attorney said that his client's activities had been meant as a prank.

Hussain faces sentencing on July 27. British police have said their investigation into activities carried out under the TeamPoison banner remains ongoing.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5595
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute...
CVE-2020-5596
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a mali...
CVE-2020-5597
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products o...
CVE-2020-5598
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop ...
CVE-2020-5599
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remo...