Menu
This suspected cybercriminal may be buying coke with your online bank funds

This suspected cybercriminal may be buying coke with your online bank funds

CSIS Security Group has turned over its findings to law enforcement in several countries

On the coffee table was a message etched in powder, presumably cocaine: "I really miss you."

The photo was on a social networking profile of a 23-year-old man in Ukraine that analysts with a Danish computer security company believe designed and rents an advanced malicious software program targeting the financial industry, called "Hesperbot."

Hesperbot first emerged in Turkey around 2013. It's an advanced package of tools that can be used by less-skilled cybercriminals to break into online bank accounts, even defeating two-factor authentication systems. It is now being used against banking customers in Germany, France, the U.K., Australia, the Czech Republic, Portugal.

"I bet this [Hesperbot] is going to spread," said Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.

Kruse gave a presentation on his company's findings at the Association of Antivirus Asia Researchers conference in Sydney on Friday. His analysts have extensively studied Hesperbot, and with lots of skill and a bit of luck, they say they've connected Hesperbot's creator back to a real person.

It involved an extensive gumshoe effort, including a deep analysis of how Hesperbot works. Kruse's company has shared its findings with Europol, the European Union's law enforcement agency, Microsoft as well as law enforcement in Germany and the U.K.

Kruse showed a photo of the man during his presentation, but it can't be published due to the ongoing investigation. It's somewhat rare for computer security analysts to connect a cybercrime operation back to real people, as the perpetrators often take extensive precautions to prevent being traced.

From there, it's up to law enforcement to conduct their own investigations, which can be complicated by jurisdictional issues or a lack of cooperation from other countries. Law enforcement is still very much catching up with how to deal with cybercrime, Kruse said.

"It's a new area for them," Kruse said. "It's very complex."

CSIS analysts are currently monitoring 27 online bank account theft campaigns ongoing around the world using Hesperbot, whose infrastructure is rented out to budding cybercriminals.

"You can do a lot of damage," Kruse said later on the sidelines of the conference. "If you hit some of the small to medium size companies with attacks like this, you can really steal a lot of money."

CSIS also gained access to other backend technical information on Hesperbot, which yielded clues that made its creator easier to look for. Kruse said CSIS monitors underground, password-protected forums where cybercriminals trade tools and tips.

The database of one of those forums had at one time been hacked and leaked, which contained information on their Hesperbot man, leading to his identity, he said.

Hesperbot's infrastructure is hosted on a so-called "bulletproof" hosting service in Ukraine, which is the term for an ISP that caters to cybercriminals by providing connectivity services that are hard for authorities to shut down.

CSIS was also able to procure backend technical information on the bulletproof hosting company.

Surprisingly, they found that the same bulletproof hosting company used for Hesperbot was connected with several other well known types of malware, including Cryptolocker. That malware program encrypts a person's files, demanding a ransom from its victims to decrypt them.

The hosting company was also linked to the ZeroAccess botnet, the Andromeda botnet and Gameover Zeus , all malware programs involved in various kinds of financial fraud.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securityCSIS Security Groupmalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments