Menu
This suspected cybercriminal may be buying coke with your online bank funds

This suspected cybercriminal may be buying coke with your online bank funds

CSIS Security Group has turned over its findings to law enforcement in several countries

On the coffee table was a message etched in powder, presumably cocaine: "I really miss you."

The photo was on a social networking profile of a 23-year-old man in Ukraine that analysts with a Danish computer security company believe designed and rents an advanced malicious software program targeting the financial industry, called "Hesperbot."

Hesperbot first emerged in Turkey around 2013. It's an advanced package of tools that can be used by less-skilled cybercriminals to break into online bank accounts, even defeating two-factor authentication systems. It is now being used against banking customers in Germany, France, the U.K., Australia, the Czech Republic, Portugal.

"I bet this [Hesperbot] is going to spread," said Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.

Kruse gave a presentation on his company's findings at the Association of Antivirus Asia Researchers conference in Sydney on Friday. His analysts have extensively studied Hesperbot, and with lots of skill and a bit of luck, they say they've connected Hesperbot's creator back to a real person.

It involved an extensive gumshoe effort, including a deep analysis of how Hesperbot works. Kruse's company has shared its findings with Europol, the European Union's law enforcement agency, Microsoft as well as law enforcement in Germany and the U.K.

Kruse showed a photo of the man during his presentation, but it can't be published due to the ongoing investigation. It's somewhat rare for computer security analysts to connect a cybercrime operation back to real people, as the perpetrators often take extensive precautions to prevent being traced.

From there, it's up to law enforcement to conduct their own investigations, which can be complicated by jurisdictional issues or a lack of cooperation from other countries. Law enforcement is still very much catching up with how to deal with cybercrime, Kruse said.

"It's a new area for them," Kruse said. "It's very complex."

CSIS analysts are currently monitoring 27 online bank account theft campaigns ongoing around the world using Hesperbot, whose infrastructure is rented out to budding cybercriminals.

"You can do a lot of damage," Kruse said later on the sidelines of the conference. "If you hit some of the small to medium size companies with attacks like this, you can really steal a lot of money."

CSIS also gained access to other backend technical information on Hesperbot, which yielded clues that made its creator easier to look for. Kruse said CSIS monitors underground, password-protected forums where cybercriminals trade tools and tips.

The database of one of those forums had at one time been hacked and leaked, which contained information on their Hesperbot man, leading to his identity, he said.

Hesperbot's infrastructure is hosted on a so-called "bulletproof" hosting service in Ukraine, which is the term for an ISP that caters to cybercriminals by providing connectivity services that are hard for authorities to shut down.

CSIS was also able to procure backend technical information on the bulletproof hosting company.

Surprisingly, they found that the same bulletproof hosting company used for Hesperbot was connected with several other well known types of malware, including Cryptolocker. That malware program encrypts a person's files, demanding a ransom from its victims to decrypt them.

The hosting company was also linked to the ZeroAccess botnet, the Andromeda botnet and Gameover Zeus , all malware programs involved in various kinds of financial fraud.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareCSIS Security Group

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments