- Joined
- May 15, 2016
- Messages
- 10,423
- Likes
- 2,620
- Points
- 1,730
The hacker group Evil Corp is called the most malicious and the most arrogant among cybercriminals. For information about its members, the US government has appointed a reward of $ 5 million, and the media are discussing rumors about their luxurious lifestyle and possible connections with Russian special services. We tried to understand in more detail the history of this hacker group, the way of action and the tools with which it achieved its dubious successes and recognition.
The head of Evil Corp is called Maxim Yakubets. Law enforcement agencies of different countries have been searching for him for more than ten years - back in 2009, he attracted attention by participating under the nickname aqua in stealing money from the treasury of Bullitt County, Kentucky. The crime was reported in the Washington Post, which Brian Krebs then collaborated with as a cybersecurity expert.
Screenshot from the Brian Krebs archive from the DirectConnections forum where aqua shared his experience in 2011
Criminal Zoo: Money Mules and Scapegoats
Already then, the hackers had a worked-out scheme of actions in which Maxim Yakubets was responsible for working with money mules. This is the name of people who withdraw money from the banking system (where all transfers are tracked and can be withdrawn), making irreversible transactions. Traditionally, the Western Union system was used for fraudulent schemes, but recently, Bitcoin cryptocurrency is gaining popularity.
A curious fact
Western Union appears as an intermediary in a huge number of stories with money laundering, fraud and even terrorist financing. Sometimes they pay fines - to the American government half a billion dollars, to the Irish - one and a half million euros. They pay and continue to work, not paying attention to allegations of "insufficiently careful monitoring of suspicious transactions." Why is it getting away with it? No one knows for sure, but perhaps this is somehow connected with their extremely long and fruitful cooperation with the American government. Western Union has been working on defense orders that are related to the creation and management of communications systems. So it goes.
Many people become “mules”, completely unaware of what they are actually doing and what the consequences of their actions may be. In the “Yakubets scheme”, they were recruited into “mules” on absolutely legal sites with vacancies, promising to work from home on behalf of small but respectable-looking companies. Moreover, to test the applicability and reliability of the candidates, they were given preliminary tasks - for example, to correct typos and grammar in the texts, promising to pay $ 8 per kilobyte. The texts were business letters - on behalf of a shell company of hackers addressed to its contractors. So, when people received a letter with the task to make a money transfer, leaving themselves 5% of the amount as payment, they were not surprised and performed such a task.
Of course, they had to be surprised later, when it turned out that now they owe the full amount of the transfer to some bank. After all, the bank can always track and recall erroneous transactions - and will always find who to recover the missing from. Thus, the financial responsibility for the activities of Russian and Ukrainian hackers in the end had to be borne by American and European housewives and retirees.
Beginners and veterans: the trace of Zeus from the Olympus of cybercrime
In the history of the treasury of the Bullitt district, twenty-two-year-old Maxim Yakubets was closely associated with Evgeny Bogachev - already then an extremely famous hacker, author of the Zeus Trojan. For the capture of this character, the FBI appointed an almost as impressive reward as for the Yakubets.
Not a single article mentioning Evgeny Bogachev can do without this photo with a Bengal cat and other attributes of a luxurious life.
It was in connection with this incident that Brian Krebs found out about them. By that time, he had long been a regular in open, half-closed, and completely closed hacker forums. He also had some direct sources that provided him with information from the correspondence of hackers.
Where did the firewood come from?
Of course, both Krebs and the FBI do not disclose the details of their investigations and sources of information. But Krebs’s website provides multiple chunks of logs from Jabber hacker correspondence, and the same correspondence is cited in the FBI documents as important evidence. Correspondence, of course, was conducted in Russian (which Krebs, by the way, has been studying for more than fifteen years) - but what about Krebs’s website, that in the official documents of the FBI it is translated into English. And apparently, Krebs and the FBI have the same translation (the most coherent sentences and carefully translated Russian curses).
That in correspondence, that on forums hackers used the same familiar nicknames. Krebs claims that such negligence is very common in these circles (which pretty much makes it easier for him to track the “career growth” of players he is interested in in the arena of cybercrime). Bogachev was lucky12345 or slavik, and Yakubets was aqua.
Zeus
Zeus is a multi-component banking troy, numbering many modifications. The main function is to steal passwords from banking applications, FTP clients, and other programs. The Trojan can execute commands from the control server, intercept data entered by the user in browsers (keylogging and form grabbing), steal cookies, set digital certificates in the system and delete them, block access to Internet resources specified by cybercriminals, replace the start page in browsers, download and run programs, as well as delete files on your hard drive.
Hackers did not just discuss the purchase from Bogachev of the “basic version” of his Zeus Trojan - they ordered him a modified version, Jabber Zeus, which sent the stolen banking information via the Jabber protocol. This allowed attackers to quickly plan their actions and manage their wide network of trojans - for example, they could receive Jabber messages that some of their potential victims had replenished their bank account.
The Mazafaka forum discusses the use of the standard version of Zeus, which Bogachev widely traded
Yakubets was very proud of working with Bogachev and their original idea, in comparison with which all other Zeus users looked like newbies. But the FBI press release reports extremely interesting details of the investigation, from which it follows that it was the use of the Jabber protocol that failed the hacker group, and for Maxim Yakubets, perhaps this event played an important role in his fate.
Jabber chatterbox - a find for a spy
Watch your hands: now we will tell you how cybercrimes are being investigated! And also you will find out how many small flaws add up to big problems.
So, the new version of the Trojan sends various banking information (logins, one-time passwords, PIN codes, keylogger logs) via the Jabber protocol. This protocol is decentralized, anyone can raise their own server. Analysis of infected computers showed that they all send messages to the same server on the incomeet.com domain.
Then the FBI found out that this domain is hosted on a server belonging to a regular hosting company. And that the office of this company is located in New York. After which, of course, it was not difficult for them to remove the server and study it thoroughly. A huge number of logs remained on the server - and not only the technical messages of the Trojan, but also the usual correspondence! It turned out that the hackers used their Jabber server, including for coordination of actions, and for simple chatter.
The end is a bit predictable. In the correspondence logs, there was a discussion of the same article by Brian Krebs in the Washington Post (that is, a direct admission of the crimes committed), and nicknames that hackers used both in chat and on forums.
In fairness, it must be said that hackers sought to minimize the discussion of personal information. But the investigators tried and were able to find clues. Their best lead was the episode when hackers discussed alternative methods of communication - and aqua (that is, Yakubets) asked him to drop the phone number of his accomplice by e-mail. Then he reported the mail address on mail.ru.
In the yard was July 2009. Relations between the United States and the Russian Federation were relatively warm, and law enforcement cooperation was practiced. The FBI turned to Russian colleagues for help - and received it.
Russian law enforcement authorities have provided the FBI with brief, but very informative reports, from which it follows that Mail.ru actively cooperated with them. It turned out that letters for the aqua hacker (with a proposal to write a virus) and for a person named Maxim Yakubets — who bought tickets at a travel agency and ordered delivery of a baby carriage to a specific address in Moscow, arrived at the specified address.
After this, of course, a visit to the security forces and a search followed at the established address. American colleagues were politely informed that a certain Maxim Yakubets, as well as a woman, whose personal data was also kindly transferred to the FBI, were indeed discovered in this apartment.
This ended the courtesy list. On the American side, however, the work did not end there - they continued to dig in order to collect more convincing evidence. Having demanded cooperation from Microsoft, the FBI found a Skype account registered to the same email address with Mail.ru and addressed to Maxim Ya. A woman was found in the contact list of this account in whom they could identify the person who was present in the apartment during the search.
The same woman applied for an American visa several times. Apparently, her entry into the country was not impeded, but the files were scrupulously kept, paying attention to the change of marriage status from married to divorced, to changing her last name and middle name of the child whom she brought with her to the USA in 2012. Numerous details, including the child’s home address and the coincidence of his birth date with a message from a hacker chat in which aqua boasted that he had become a father, allowed the FBI to verify that it was Yakubets’s first wife and child.
But there was no practical sense in this. The Yakubets (as well as Bogachev and many other wanted hackers) were not going to go abroad to Russia. But Russia was not going to give it away.
If the rumors that talented hackers in Russia sooner or later make “an offer that is impossible to refuse” are true, then we can assume that the visit of security officials and a search of the apartment changed the life of Maxim Yakubets for the better.
Dridex
Dridex is a multi-component banking bot with many versions. The architecture of the troya implies the presence of a set of modules, each of which carries its own functional load. To communicate with the management server, most editions of Dridex use a P2P protocol, a decentralized and peer-to-peer botnet, which makes it difficult to interfere with its operation and intercept control. The data exchanged by the bot with the management server is encrypted.
In the process, Dridex is embedded in browser or browser processes and then executed in the context of these applications. At the command of cybercriminals, the troi can arrange web injections, intercept user input (keylogging and form grabbing), steal passwords, execute incoming commands and steal confidential information on an infected machine.
By 2011, Yakubets had assembled his own hacker group, built around the new Trojan Dridex (also known as Bugat and Cridex). The FBI believes that it was Yakubets who was the developer and main distributor of the trojan, as well as the coordinator of the network of money mules. Things went well with them, of course, not always smoothly - but the FBI indictment indicates one-time theft of sums of a million dollars or more.
The main persons of Evil Corp are Igor Turashov and Maxim Yakubets
This money was spent by Yakubets and his accomplices on expensive cars and other luxury goods, burning life in the style of playboy millionaires. A similar lifestyle allowed Yakubets to enter the narrow circle of Moscow "golden youth", where he met his second wife - Alena Benderskaya. With her, he rested in the most expensive resort of the Crimea and in 2017 played a wedding.
Alena Benderskaya, wife of Maxim Yakubets
But, in addition to happiness in his personal life, a new marriage brought with him extremely useful connections. It’s not that Yakubets didn’t have them at all - apparently, his group Evil Corp consisted of the son of the former mayor of Khimki Vladimir Strelchenko.
However, the marriage of Alena Benderskaya made Yakubets a relative of an even more influential person named Eduard Bendersky, a former FSB commando and president of the Vympel charity foundation of former security forces. According to the information of the Americans, in the year of the wedding, Yakubets already precisely cooperated with the FSB, and in 2018 he received a license to work with information constituting a state secret.
A shot from the wedding video of Maxim and Alena - the groom is being shot all the time, without showing their faces, and they tried to clean the video from the Web - but did not succeed
The successes of a lone shooter
The FBI investigation, ties with Russian security forces, millions of stolen dollars are all extremely large-scale stories affecting a lot of people. But the story of single expert Brian Krebs stands apart because he managed to do something that the FBI could not handle.
His mysterious sources gave him information about the details of the money mule scheme that Yakubets used. To withdraw money from the United States, you needed a sufficient number of “mules” and the ability to quickly contact them, give them instructions and receive their personal and bank data from them. And since many of the "mules" were people with a low level of computer literacy, this method of communication should be fairly easy to use.
Yakubets’s decision was to create a system of sites that resembled corporate human resources portals - with profiles of employees and sending out messages that looked so convincing that people sincerely believed that they were working for a legal, professional business.
General view of the site for working with "mules"
However, there was one flaw in this entire system. Any person who received a link to a site could register on it - and moreover, simply by changing the message number in the address bar, the user of the site would be able to read messages intended for other users!
Login form to one of these sites
And Brian Krebs did this for several years in a row. Every morning he made coffee and sat down to read correspondence for the last day, in which they wrote to the “money mules”: “Good morning,% username! Today, our client will transfer the money to you, after the transfer, withdraw it in cash at your bank and send it to us. ”
Private Messages for Mules
Of course, the “clients” were the next victims - mainly representatives of small businesses with poorly established cybersecurity. But Brian Krebs was the last frontier of their defense. He googled the company name from hacker letters, found their phone number and informed that Russian hackers were robbing the company right now.
“You most likely don’t know me, but here is my site with information about who I am and what I do. Your payroll accounts have been hacked and you could lose a substantial amount of money. You should immediately call your bank and freeze any transfers during the processing process before it is too late. Then you can call me and ask me about how I found out all this - but now, please call your bank, ”Brian wrote to the victims.
Thus, sometimes Brian Krebs was able to prevent the crime right during its commission and save small firms from serious problems. But sometimes, of course, they did not believe him - and Brian had to talk with the police or FBI agents. However, his conversation with law enforcement agencies usually turned out to be short: he is an independent researcher, there is nothing to blame him and the police are not afraid, he can even give a simple police lecture on cybercrime or draw the attention of the FBI to a series of crimes that the agency has not would notice due to the small scale of the victims.
Often, Brian already had to engage in intense conversations with government officials or corporations when they asked him to delay the release of the next investigation or not publish it at all in the interests of the investigation or business. But Krebs, in his online interview on Reddit, claims that law enforcement agencies limited themselves to polite requests, in the execution of which he did not see any benefit for himself. And he does not intend to cooperate with corporations at all. An example of the firmness of his convictions is the story of the Ashley Madison dating site, whose representatives first promised him money for silence, and after the publication of the article they threatened with a court.
So Brian Krebs does not stop in his investigations, although he knows very well that hackers also read his blog, discuss his articles, rejoice at the termination of the contract with the Washington Post and even try to plant drugs over the Internet. Fame is not an easy thing: Krebs writes that once he wanted to register at the next hacker forum under his real name, but the admin took his nickname for a joke. And on another forum, such a nickname was already occupied by some major specialist in the theft of credit card numbers.
It could be assumed that Krebs complicates life first of all with his publications. But practice shows that this is not so. Publications on an American blog can make hackers worry or get proud, but they probably won't change their behavior. In an extreme case, they will try to change the nickname on the forum - but they will still be left with a tail from their old posts, traces of past exploits and characteristic handwriting. Krebs carefully collects all these materials into his archive, with the help of which he conducts such impressive investigations.
But ultimately, as long as there are no agreements between the United States and the Russian Federation on cooperation between law enforcement agencies and extradition of criminals, there is little threat to hackers until they leave the borders of Russia. Krebs writes a lot about the need to combat cybercrime primarily through prudent cybersecurity practices and the wide dissemination of information. That in the modern world they can recruit a twelve-year-old child and a seventy-year-old pensioner into “money mules” - if someone does not explain to them that free cheese happens only in a mousetrap.
conclusions
From these fascinating stories, fairly banal conclusions follow. Attentiveness and observation - as is the case with Brian Krebs, who has been collecting his archives for years and tracking the connections of some hacker attacks with others - is rewarded, and a lone detective gets a chance to prevent a crime that the FBI can only investigate after the fact.
Carelessness in matters of security harms both businessmen who do not trust the alarms “They are robbing you right now!” And hackers who mix up personal correspondence on the same server with the botnet’s management teams. It also harms ordinary people who buy promises of easy money on the Internet.
And as for the special services, brides with connections and Bengal cats - draw conclusions yourself. But try to comply with the law - let the example of you be the glory not of Maxim Yakubets, but of Brian Krebs.
https://xakep.ru/2020/01/31/evil-corp-vs-brian-krebs/
The head of Evil Corp is called Maxim Yakubets. Law enforcement agencies of different countries have been searching for him for more than ten years - back in 2009, he attracted attention by participating under the nickname aqua in stealing money from the treasury of Bullitt County, Kentucky. The crime was reported in the Washington Post, which Brian Krebs then collaborated with as a cybersecurity expert.
Screenshot from the Brian Krebs archive from the DirectConnections forum where aqua shared his experience in 2011
Criminal Zoo: Money Mules and Scapegoats
Already then, the hackers had a worked-out scheme of actions in which Maxim Yakubets was responsible for working with money mules. This is the name of people who withdraw money from the banking system (where all transfers are tracked and can be withdrawn), making irreversible transactions. Traditionally, the Western Union system was used for fraudulent schemes, but recently, Bitcoin cryptocurrency is gaining popularity.
A curious fact
Western Union appears as an intermediary in a huge number of stories with money laundering, fraud and even terrorist financing. Sometimes they pay fines - to the American government half a billion dollars, to the Irish - one and a half million euros. They pay and continue to work, not paying attention to allegations of "insufficiently careful monitoring of suspicious transactions." Why is it getting away with it? No one knows for sure, but perhaps this is somehow connected with their extremely long and fruitful cooperation with the American government. Western Union has been working on defense orders that are related to the creation and management of communications systems. So it goes.
Many people become “mules”, completely unaware of what they are actually doing and what the consequences of their actions may be. In the “Yakubets scheme”, they were recruited into “mules” on absolutely legal sites with vacancies, promising to work from home on behalf of small but respectable-looking companies. Moreover, to test the applicability and reliability of the candidates, they were given preliminary tasks - for example, to correct typos and grammar in the texts, promising to pay $ 8 per kilobyte. The texts were business letters - on behalf of a shell company of hackers addressed to its contractors. So, when people received a letter with the task to make a money transfer, leaving themselves 5% of the amount as payment, they were not surprised and performed such a task.
Of course, they had to be surprised later, when it turned out that now they owe the full amount of the transfer to some bank. After all, the bank can always track and recall erroneous transactions - and will always find who to recover the missing from. Thus, the financial responsibility for the activities of Russian and Ukrainian hackers in the end had to be borne by American and European housewives and retirees.
Beginners and veterans: the trace of Zeus from the Olympus of cybercrime
In the history of the treasury of the Bullitt district, twenty-two-year-old Maxim Yakubets was closely associated with Evgeny Bogachev - already then an extremely famous hacker, author of the Zeus Trojan. For the capture of this character, the FBI appointed an almost as impressive reward as for the Yakubets.
Not a single article mentioning Evgeny Bogachev can do without this photo with a Bengal cat and other attributes of a luxurious life.
It was in connection with this incident that Brian Krebs found out about them. By that time, he had long been a regular in open, half-closed, and completely closed hacker forums. He also had some direct sources that provided him with information from the correspondence of hackers.
Where did the firewood come from?
Of course, both Krebs and the FBI do not disclose the details of their investigations and sources of information. But Krebs’s website provides multiple chunks of logs from Jabber hacker correspondence, and the same correspondence is cited in the FBI documents as important evidence. Correspondence, of course, was conducted in Russian (which Krebs, by the way, has been studying for more than fifteen years) - but what about Krebs’s website, that in the official documents of the FBI it is translated into English. And apparently, Krebs and the FBI have the same translation (the most coherent sentences and carefully translated Russian curses).
That in correspondence, that on forums hackers used the same familiar nicknames. Krebs claims that such negligence is very common in these circles (which pretty much makes it easier for him to track the “career growth” of players he is interested in in the arena of cybercrime). Bogachev was lucky12345 or slavik, and Yakubets was aqua.
Zeus
Zeus is a multi-component banking troy, numbering many modifications. The main function is to steal passwords from banking applications, FTP clients, and other programs. The Trojan can execute commands from the control server, intercept data entered by the user in browsers (keylogging and form grabbing), steal cookies, set digital certificates in the system and delete them, block access to Internet resources specified by cybercriminals, replace the start page in browsers, download and run programs, as well as delete files on your hard drive.
Hackers did not just discuss the purchase from Bogachev of the “basic version” of his Zeus Trojan - they ordered him a modified version, Jabber Zeus, which sent the stolen banking information via the Jabber protocol. This allowed attackers to quickly plan their actions and manage their wide network of trojans - for example, they could receive Jabber messages that some of their potential victims had replenished their bank account.
The Mazafaka forum discusses the use of the standard version of Zeus, which Bogachev widely traded
Yakubets was very proud of working with Bogachev and their original idea, in comparison with which all other Zeus users looked like newbies. But the FBI press release reports extremely interesting details of the investigation, from which it follows that it was the use of the Jabber protocol that failed the hacker group, and for Maxim Yakubets, perhaps this event played an important role in his fate.
Jabber chatterbox - a find for a spy
Watch your hands: now we will tell you how cybercrimes are being investigated! And also you will find out how many small flaws add up to big problems.
So, the new version of the Trojan sends various banking information (logins, one-time passwords, PIN codes, keylogger logs) via the Jabber protocol. This protocol is decentralized, anyone can raise their own server. Analysis of infected computers showed that they all send messages to the same server on the incomeet.com domain.
Then the FBI found out that this domain is hosted on a server belonging to a regular hosting company. And that the office of this company is located in New York. After which, of course, it was not difficult for them to remove the server and study it thoroughly. A huge number of logs remained on the server - and not only the technical messages of the Trojan, but also the usual correspondence! It turned out that the hackers used their Jabber server, including for coordination of actions, and for simple chatter.
The end is a bit predictable. In the correspondence logs, there was a discussion of the same article by Brian Krebs in the Washington Post (that is, a direct admission of the crimes committed), and nicknames that hackers used both in chat and on forums.
In fairness, it must be said that hackers sought to minimize the discussion of personal information. But the investigators tried and were able to find clues. Their best lead was the episode when hackers discussed alternative methods of communication - and aqua (that is, Yakubets) asked him to drop the phone number of his accomplice by e-mail. Then he reported the mail address on mail.ru.
In the yard was July 2009. Relations between the United States and the Russian Federation were relatively warm, and law enforcement cooperation was practiced. The FBI turned to Russian colleagues for help - and received it.
Russian law enforcement authorities have provided the FBI with brief, but very informative reports, from which it follows that Mail.ru actively cooperated with them. It turned out that letters for the aqua hacker (with a proposal to write a virus) and for a person named Maxim Yakubets — who bought tickets at a travel agency and ordered delivery of a baby carriage to a specific address in Moscow, arrived at the specified address.
After this, of course, a visit to the security forces and a search followed at the established address. American colleagues were politely informed that a certain Maxim Yakubets, as well as a woman, whose personal data was also kindly transferred to the FBI, were indeed discovered in this apartment.
This ended the courtesy list. On the American side, however, the work did not end there - they continued to dig in order to collect more convincing evidence. Having demanded cooperation from Microsoft, the FBI found a Skype account registered to the same email address with Mail.ru and addressed to Maxim Ya. A woman was found in the contact list of this account in whom they could identify the person who was present in the apartment during the search.
The same woman applied for an American visa several times. Apparently, her entry into the country was not impeded, but the files were scrupulously kept, paying attention to the change of marriage status from married to divorced, to changing her last name and middle name of the child whom she brought with her to the USA in 2012. Numerous details, including the child’s home address and the coincidence of his birth date with a message from a hacker chat in which aqua boasted that he had become a father, allowed the FBI to verify that it was Yakubets’s first wife and child.
But there was no practical sense in this. The Yakubets (as well as Bogachev and many other wanted hackers) were not going to go abroad to Russia. But Russia was not going to give it away.
If the rumors that talented hackers in Russia sooner or later make “an offer that is impossible to refuse” are true, then we can assume that the visit of security officials and a search of the apartment changed the life of Maxim Yakubets for the better.
Dridex
Dridex is a multi-component banking bot with many versions. The architecture of the troya implies the presence of a set of modules, each of which carries its own functional load. To communicate with the management server, most editions of Dridex use a P2P protocol, a decentralized and peer-to-peer botnet, which makes it difficult to interfere with its operation and intercept control. The data exchanged by the bot with the management server is encrypted.
In the process, Dridex is embedded in browser or browser processes and then executed in the context of these applications. At the command of cybercriminals, the troi can arrange web injections, intercept user input (keylogging and form grabbing), steal passwords, execute incoming commands and steal confidential information on an infected machine.
By 2011, Yakubets had assembled his own hacker group, built around the new Trojan Dridex (also known as Bugat and Cridex). The FBI believes that it was Yakubets who was the developer and main distributor of the trojan, as well as the coordinator of the network of money mules. Things went well with them, of course, not always smoothly - but the FBI indictment indicates one-time theft of sums of a million dollars or more.
The main persons of Evil Corp are Igor Turashov and Maxim Yakubets
This money was spent by Yakubets and his accomplices on expensive cars and other luxury goods, burning life in the style of playboy millionaires. A similar lifestyle allowed Yakubets to enter the narrow circle of Moscow "golden youth", where he met his second wife - Alena Benderskaya. With her, he rested in the most expensive resort of the Crimea and in 2017 played a wedding.
Alena Benderskaya, wife of Maxim Yakubets
But, in addition to happiness in his personal life, a new marriage brought with him extremely useful connections. It’s not that Yakubets didn’t have them at all - apparently, his group Evil Corp consisted of the son of the former mayor of Khimki Vladimir Strelchenko.
However, the marriage of Alena Benderskaya made Yakubets a relative of an even more influential person named Eduard Bendersky, a former FSB commando and president of the Vympel charity foundation of former security forces. According to the information of the Americans, in the year of the wedding, Yakubets already precisely cooperated with the FSB, and in 2018 he received a license to work with information constituting a state secret.
A shot from the wedding video of Maxim and Alena - the groom is being shot all the time, without showing their faces, and they tried to clean the video from the Web - but did not succeed
The successes of a lone shooter
The FBI investigation, ties with Russian security forces, millions of stolen dollars are all extremely large-scale stories affecting a lot of people. But the story of single expert Brian Krebs stands apart because he managed to do something that the FBI could not handle.
His mysterious sources gave him information about the details of the money mule scheme that Yakubets used. To withdraw money from the United States, you needed a sufficient number of “mules” and the ability to quickly contact them, give them instructions and receive their personal and bank data from them. And since many of the "mules" were people with a low level of computer literacy, this method of communication should be fairly easy to use.
Yakubets’s decision was to create a system of sites that resembled corporate human resources portals - with profiles of employees and sending out messages that looked so convincing that people sincerely believed that they were working for a legal, professional business.
General view of the site for working with "mules"
However, there was one flaw in this entire system. Any person who received a link to a site could register on it - and moreover, simply by changing the message number in the address bar, the user of the site would be able to read messages intended for other users!
Login form to one of these sites
And Brian Krebs did this for several years in a row. Every morning he made coffee and sat down to read correspondence for the last day, in which they wrote to the “money mules”: “Good morning,% username! Today, our client will transfer the money to you, after the transfer, withdraw it in cash at your bank and send it to us. ”
Private Messages for Mules
Of course, the “clients” were the next victims - mainly representatives of small businesses with poorly established cybersecurity. But Brian Krebs was the last frontier of their defense. He googled the company name from hacker letters, found their phone number and informed that Russian hackers were robbing the company right now.
“You most likely don’t know me, but here is my site with information about who I am and what I do. Your payroll accounts have been hacked and you could lose a substantial amount of money. You should immediately call your bank and freeze any transfers during the processing process before it is too late. Then you can call me and ask me about how I found out all this - but now, please call your bank, ”Brian wrote to the victims.
Thus, sometimes Brian Krebs was able to prevent the crime right during its commission and save small firms from serious problems. But sometimes, of course, they did not believe him - and Brian had to talk with the police or FBI agents. However, his conversation with law enforcement agencies usually turned out to be short: he is an independent researcher, there is nothing to blame him and the police are not afraid, he can even give a simple police lecture on cybercrime or draw the attention of the FBI to a series of crimes that the agency has not would notice due to the small scale of the victims.
Often, Brian already had to engage in intense conversations with government officials or corporations when they asked him to delay the release of the next investigation or not publish it at all in the interests of the investigation or business. But Krebs, in his online interview on Reddit, claims that law enforcement agencies limited themselves to polite requests, in the execution of which he did not see any benefit for himself. And he does not intend to cooperate with corporations at all. An example of the firmness of his convictions is the story of the Ashley Madison dating site, whose representatives first promised him money for silence, and after the publication of the article they threatened with a court.
So Brian Krebs does not stop in his investigations, although he knows very well that hackers also read his blog, discuss his articles, rejoice at the termination of the contract with the Washington Post and even try to plant drugs over the Internet. Fame is not an easy thing: Krebs writes that once he wanted to register at the next hacker forum under his real name, but the admin took his nickname for a joke. And on another forum, such a nickname was already occupied by some major specialist in the theft of credit card numbers.
It could be assumed that Krebs complicates life first of all with his publications. But practice shows that this is not so. Publications on an American blog can make hackers worry or get proud, but they probably won't change their behavior. In an extreme case, they will try to change the nickname on the forum - but they will still be left with a tail from their old posts, traces of past exploits and characteristic handwriting. Krebs carefully collects all these materials into his archive, with the help of which he conducts such impressive investigations.
But ultimately, as long as there are no agreements between the United States and the Russian Federation on cooperation between law enforcement agencies and extradition of criminals, there is little threat to hackers until they leave the borders of Russia. Krebs writes a lot about the need to combat cybercrime primarily through prudent cybersecurity practices and the wide dissemination of information. That in the modern world they can recruit a twelve-year-old child and a seventy-year-old pensioner into “money mules” - if someone does not explain to them that free cheese happens only in a mousetrap.
conclusions
From these fascinating stories, fairly banal conclusions follow. Attentiveness and observation - as is the case with Brian Krebs, who has been collecting his archives for years and tracking the connections of some hacker attacks with others - is rewarded, and a lone detective gets a chance to prevent a crime that the FBI can only investigate after the fact.
Carelessness in matters of security harms both businessmen who do not trust the alarms “They are robbing you right now!” And hackers who mix up personal correspondence on the same server with the botnet’s management teams. It also harms ordinary people who buy promises of easy money on the Internet.
And as for the special services, brides with connections and Bengal cats - draw conclusions yourself. But try to comply with the law - let the example of you be the glory not of Maxim Yakubets, but of Brian Krebs.
https://xakep.ru/2020/01/31/evil-corp-vs-brian-krebs/