This suspected cybercriminal may be buying coke with your online bank funds

CSIS Security Group has turned over its findings to law enforcement in several countries

On the coffee table was a message etched in powder, presumably cocaine: "I really miss you."

The photo was on a social networking profile of a 23-year-old man in Ukraine that analysts with a Danish computer security company believe designed and rents an advanced malicious software program targeting the financial industry, called "Hesperbot."

Hesperbot first emerged in Turkey around 2013. It's an advanced package of tools that can be used by less-skilled cybercriminals to break into online bank accounts, even defeating two-factor authentication systems. It is now being used against banking customers in Germany, France, the U.K., Australia, the Czech Republic, Portugal.

"I bet this [Hesperbot] is going to spread," said Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.

Kruse gave a presentation on his company's findings at the Association of Antivirus Asia Researchers conference in Sydney on Friday. His analysts have extensively studied Hesperbot, and with lots of skill and a bit of luck, they say they've connected Hesperbot's creator back to a real person.

It involved an extensive gumshoe effort, including a deep analysis of how Hesperbot works. Kruse's company has shared its findings with Europol, the European Union's law enforcement agency, Microsoft as well as law enforcement in Germany and the U.K.

Kruse showed a photo of the man during his presentation, but it can't be published due to the ongoing investigation. It's somewhat rare for computer security analysts to connect a cybercrime operation back to real people, as the perpetrators often take extensive precautions to prevent being traced.

From there, it's up to law enforcement to conduct their own investigations, which can be complicated by jurisdictional issues or a lack of cooperation from other countries. Law enforcement is still very much catching up with how to deal with cybercrime, Kruse said.

"It's a new area for them," Kruse said. "It's very complex."

CSIS analysts are currently monitoring 27 online bank account theft campaigns ongoing around the world using Hesperbot, whose infrastructure is rented out to budding cybercriminals.

"You can do a lot of damage," Kruse said later on the sidelines of the conference. "If you hit some of the small to medium size companies with attacks like this, you can really steal a lot of money."

CSIS also gained access to other backend technical information on Hesperbot, which yielded clues that made its creator easier to look for. Kruse said CSIS monitors underground, password-protected forums where cybercriminals trade tools and tips.

The database of one of those forums had at one time been hacked and leaked, which contained information on their Hesperbot man, leading to his identity, he said.

Hesperbot's infrastructure is hosted on a so-called "bulletproof" hosting service in Ukraine, which is the term for an ISP that caters to cybercriminals by providing connectivity services that are hard for authorities to shut down.

CSIS was also able to procure backend technical information on the bulletproof hosting company.

Surprisingly, they found that the same bulletproof hosting company used for Hesperbot was connected with several other well known types of malware, including Cryptolocker. That malware program encrypts a person's files, demanding a ransom from its victims to decrypt them.

The hosting company was also linked to the ZeroAccess botnet, the Andromeda botnet and Gameover Zeus , all malware programs involved in various kinds of financial fraud.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityCSIS Security Groupmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?