This suspected cybercriminal may be buying coke with your online bank funds

CSIS Security Group has turned over its findings to law enforcement in several countries

On the coffee table was a message etched in powder, presumably cocaine: "I really miss you."

The photo was on a social networking profile of a 23-year-old man in Ukraine that analysts with a Danish computer security company believe designed and rents an advanced malicious software program targeting the financial industry, called "Hesperbot."

Hesperbot first emerged in Turkey around 2013. It's an advanced package of tools that can be used by less-skilled cybercriminals to break into online bank accounts, even defeating two-factor authentication systems. It is now being used against banking customers in Germany, France, the U.K., Australia, the Czech Republic, Portugal.

"I bet this [Hesperbot] is going to spread," said Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.

Kruse gave a presentation on his company's findings at the Association of Antivirus Asia Researchers conference in Sydney on Friday. His analysts have extensively studied Hesperbot, and with lots of skill and a bit of luck, they say they've connected Hesperbot's creator back to a real person.

It involved an extensive gumshoe effort, including a deep analysis of how Hesperbot works. Kruse's company has shared its findings with Europol, the European Union's law enforcement agency, Microsoft as well as law enforcement in Germany and the U.K.

Kruse showed a photo of the man during his presentation, but it can't be published due to the ongoing investigation. It's somewhat rare for computer security analysts to connect a cybercrime operation back to real people, as the perpetrators often take extensive precautions to prevent being traced.

From there, it's up to law enforcement to conduct their own investigations, which can be complicated by jurisdictional issues or a lack of cooperation from other countries. Law enforcement is still very much catching up with how to deal with cybercrime, Kruse said.

"It's a new area for them," Kruse said. "It's very complex."

CSIS analysts are currently monitoring 27 online bank account theft campaigns ongoing around the world using Hesperbot, whose infrastructure is rented out to budding cybercriminals.

"You can do a lot of damage," Kruse said later on the sidelines of the conference. "If you hit some of the small to medium size companies with attacks like this, you can really steal a lot of money."

CSIS also gained access to other backend technical information on Hesperbot, which yielded clues that made its creator easier to look for. Kruse said CSIS monitors underground, password-protected forums where cybercriminals trade tools and tips.

The database of one of those forums had at one time been hacked and leaked, which contained information on their Hesperbot man, leading to his identity, he said.

Hesperbot's infrastructure is hosted on a so-called "bulletproof" hosting service in Ukraine, which is the term for an ISP that caters to cybercriminals by providing connectivity services that are hard for authorities to shut down.

CSIS was also able to procure backend technical information on the bulletproof hosting company.

Surprisingly, they found that the same bulletproof hosting company used for Hesperbot was connected with several other well known types of malware, including Cryptolocker. That malware program encrypts a person's files, demanding a ransom from its victims to decrypt them.

The hosting company was also linked to the ZeroAccess botnet, the Andromeda botnet and Gameover Zeus , all malware programs involved in various kinds of financial fraud.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityCSIS Security Groupmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?