Researchers explained how they traced a cybercriminal’s tracks through a series of proxies, compromised web servers, and poorly secured routers. The suspect hasn’t been apprehended yet, but could be behind a larger campaign, they said.
Peter Kruse and Jan Kaastrup, researchers with Denmark’s CSIS Security Group, described the hunt in a talk at Kaspersky Lab’s Security Analyst Summit here Monday.
Like most campaigns these days, this one begins with a phishing email, Kruse said. The goal of the emails, of course, is to entice victims into clicking though and entering data–in this case on sites that look like a legitimate bank and Apple websites.
The phishing kit that drives the email attacks is commercially available online and “very simple and straightforward,” according to Kruse.
The rest of the cycle goes as follows, the researchers said: The attacker proxies through the Netherlands and uses a compromised web server. They take tools from a repository server, steal credentials and credit cards, use another proxy in Denmark, and cash out.
Kruse and Kaastrup unearthed the repository server via forensic artifacts and found a file, CACAT, containing links to the attacker’s trade tools: more than 1,000 hacked servers, a list of targets, and spam templates.
One folder on a compromised web server revealed details around the attacker’s Apple phishing site–written in Italian–and drop data.
When it comes time to cash out, Kruse says the attacker proxies traffic through a series of home ADSL routers manufactured by ZyXEL, a Taiwanese telecom. The routers, used all over the world, are shipped with a default username and password, the researchers said, something that makes it easy to exploit.
“[The router company] told us ‘We need to wait until someone complains, it’s too expensive to replace them all,'” Kruse said. “So many ISPs don’t give a damn and it makes my life and your life more complicated.”
Kruse and Kaastrup, however, tracked the creator behind the phishing kit down. They discovered the suspect, a man who goes by the handle L33bo, has an eBay account with the same name. They were also able to deduce that he’s a Romanian living in the U.K. and that he owns a MG ZT car.
Kruse has a knack for tracking down attackers, bit-by-bit, detail-by-detail. At last year’s Security Analyst Summit, the Danish researcher gave a presentation in which he detailed information, such as the Facebook profile and occupation, on what’s believed to be the attacker behind Dyreza, a/k/a Dyre.
Many of the country-specific ADSL routers use the same public SSH key, Kruse said, something that allowed them to see who was using them and in turn, getting tricked into clicking on things they shouldn’t have.
After reviewing a visit log after one hour of the spam campaign, they saw instances of exploited routers all over the world, including many in Switzerland, along with Kruse and Kaastrup’s native Denmark.
“We’re very happy but we’re very naïve, we click on everything,” Kruse joked.
Kruse claims that police were wire tapping L33bo’s proxy server for months but because the surveillance was unauthorized no charges were filed. The attacker has still managed to persevere and find success with the kit however. Now that more information around the attacker has leaked out, that could change however.
“He hasn’t been jailed yet but he’s certainly part of something bigger,” Kruse said, suggesting there could be more to come on the attacker and his campaign.
