Men face jail time for using SpyEye malware to steal consumers' online bank account information and launder $157,000. Separately, a TeamPoison hacker awaits sentencing for stealing former U.K. prime minister Tony Blair's online address book.

Mathew J. Schwartz, Contributor

July 2, 2012

3 Min Read

British police Friday announced that three men from the Baltic States who participated in a financial malware campaign will serve jail time.

Lithuanian national Pavel Cyganok, 28, and Estonian national Ilja Zakrevski, 26, respectively received five- and four-year prison sentences on computer-misuse charges, while Latvian national Aldis Krummins, 45, was sentenced on June 18 to a two-year prison sentence on money laundering charges.

"This complex international investigation concerned the construction and distribution of sophisticated banking Trojans," said detective constable Bob Burls, from the United Kingdom's Metropolitan Police central e-crime unit. "The defendants, during the course of their enterprise, developed a highly organized IT infrastructure to enable their criminality, including in some cases the automatic infection of innocent computer users with their malicious code."

British police said their investigation began after Estonian police alerted them that Zakrevski might be targeting U.K. banking consumers with a version of the SpyEye malware, which is designed to steal people's online banking credentials. Machines infected by SpyEye are also made part of a botnet that can be used to infect further PCs, or to facilitate spam email campaigns.

[ International law enforcement cooperation is critical to stopping financial malware operations. See FBI Busts Massive International Carding Ring. ]

Police said that within days of starting their investigation, they found 1,000 PCs--not only in Britain, but also in Denmark, the Netherlands, and New Zealand, that were connecting to the command-and-control (C&C) servers controlling this particular SpyEye botnet. Next, they discovered that a PC based in Estonia, which linked to an online username used by Zakrevski ("ASAP911") was being used to review the number of infected PCs that were contacting one of the C&C servers. From there, investigators uncovered additional servers, which they were able to link--by using digital forensic techniques--to both Zakrevski and Cyganok.

According to authorities, the two men used credit card data siphoned off of consumers' PCs by SpyEye to pay for additional IT equipment, personal expenses--including car insurance--as well as luxury goods, some of which were later resold via online automation sites. All told, police said the pair used online accounts to launder about $157,000.

Zakrevski had been arrested at his home in Denmark on unrelated charges. After British police issued a European arrest warrant, in July 2011 he was extradited to Britain and charged there. Meanwhile, British police said that at the time they arrested Cyganok--who lives in Birmingham, England--he was actively logged into a number of the C&C servers.

In other hacker-related prosecution news, TeamPoison hacker Junaid Hussain (a.k.a. TriCk), 18, pleaded guilty in British court last week to charges made against him under Britain's Computer Misuse Act 1990, which is the law in Britain typically used to charge people who are suspected of hacking offenses. Hussain was arrested in May 2012 on charges of having stolen former British prime minister Tony Blair's address book, as well as using Skype to swamp Britain's anti-terrorism hotline with bogus calls.

According to court testimony, Hussain obtained Blair's contact details by breaking into a Gmail account used by Katy Kay, a former special advisor to Blair. Hussain's attorney said that his client's activities had been meant as a prank.

Hussain faces sentencing on July 27. British police have said their investigation into activities carried out under the TeamPoison banner remains ongoing.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights