<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
    <channel>
        <title>Group-IB News</title>
        <description>Group-IB News</description>
        <link>http://www.group-ib.com/</link>
        <item>
                <title><![CDATA[Group-IB Exclusive details on Kangoo botnet that hit Australian banks]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/744-group-ib-exclusive-details-on-kangoo-botnet-that-hit-australian-banks</link>
                <description><![CDATA[<h1 style="margin: 0px 0px 14px; padding: 0px; border: 0px; outline: 0px; font-size: 24px; vertical-align: baseline; font-weight: normal; font-family: arial; color: #cc3333;">Group-IB Exclusive details on Kangoo botnet that hit Australian banks</h1>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><a href="http://securityaffairs.co/wordpress/14444/cyber-crime/from-group-ib-kangoo-botnet-against-australian-banks.html" target="_blank" style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; color: #0b7ac0; text-decoration: none;">Original publication in the Security Affairs</a></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB researchers have detected a new botnet named Kangoo that infected more than 150 000 machines mainly targeting Australian banks.</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;researchers have detected a new botnet named Kangoo that has infected more than 150 000 machines. Specialists dubbed it «Kangoo» because of the kangaroo logo on the web interface of the C&amp;C administrative panel. The botnet mainly targeted Australian banking, with an emphasis on online-banking theft; customers of the leading AUS banks, such as Commonwealth Bank, Bank of Queensland, Bendigo and Adelaide Bank and ANZ, were affected.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">According to the information provided by&nbsp;<strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</em></strong>, ANZ and Bank of Queensland reacted to the fraud alert immediately, and the specialists from&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;shared with them the information extracted from the botnet, including the details of compromised customers. The following is some of the data collected by the&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB Bot-Trek</strong></em>&nbsp;system.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/kangoo-botnet-bot-trek-group-ib1.png" width="719" height="341" alt="kangoo-botnet-bot-trek-group-ib" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/kangoo-botnet-top-5-infected-cities.png" width="544" height="373" alt="kangoo-botnet-top-5-infected-cities" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/kangoo-botnet-statistics-group-ib.png" width="578" height="245" alt="kangoo-botnet-statistics-group-ib" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Who is responsible for the banking theft? Is it the bank’s fault?</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">One of the most important issues currently facing banks is incident response to banking trojan infections of their customers. The procedure is still quite complicated, and many banks prefer simply to notify the infected customer and ask for an online-banking credential reset. Unfortunately this practice is not effective at all, because the malware is often still present on the victim’s PC and can capture the new credentials a second time and forward them to an attacker-controlled server.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">«The bank can suggest to the customer that their PC may be infected, but it is not their prerogative to insist the customer clean any possible malware» – said&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Dan Clements, Group-IB</strong></em>&nbsp;US Managing Partner.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">What to do if your customers were infected?</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">«We recommend that banks create an incident response action plan, as well as develop a customer awareness program with practical recommendations on what they need to do if they are notified by the bank that their banking account was compromised and their computer may be infected by banking malware» – said Andrey Komarov, Head of International Projects, CERT-GIB CTO.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Previously,&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;published a recommendation paper with an action plan helping Russian banks to gather the most important digital evidence from a compromised PC. Reinstalling the OS may not help, due to the use of so-called «bootkits» in modern banking malware, such as Carberp 2 and new types of TDL, which infect the MBR (Master Boot Record) and can affect the BIOS. The presence of an antivirus product helps but is not a complete solution: the majority of new banking trojans cannot be detected by AV because of the AV evasion techniques they implement.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">The most common evasion techniques make use of digital certificates stolen from trusted partners, various obfuscators, encryption, new kernel-level bypasses of security solutions and, in some rare cases, the exploitation of OS vulnerabilities.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;recommends that banking fraud and cybercrime analysis departments proceed with the following steps:</p>
<ol style="color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif; font-size: 14px; line-height: 16px;">
<li style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; line-height: 1.4;">Block the compromised customer’s online-banking access and change their credentials. Blocking the account helps prevent potential theft during the incident response actions and the investigation.</li>
<li style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; line-height: 1.4;">Contact the compromised customer by phone and explain why their credentials are currently invalid and why the bank changed them. It is important not to use e-mail, because the cybercriminals may have access to it, and the banking Trojan can take screenshots on the infected PC to intercept the customer’s actions, which tips off the cybercriminals and makes the investigation more difficult.</li>
<li style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; line-height: 1.4;">Use another, uninfected PC, or reinstall the OS. The infected PC may be provided to a computer forensics laboratory or LEA, with the bank’s help, for further investigation. Some big banks have their own computer forensics laboratories; others use third-party expert companies, which can help to create an image of the infected PC and then examine it in order to produce the digital evidence needed for reporting, such as:</li>
</ol>
<ul class="sp1" style="margin: 0px 0px 28px; padding: 0px 0px 0px 45px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; list-style: none; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif; line-height: 16px;">
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">the extracted malware sample for further analysis, its time of installation on the system and the source of the installation;</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">the C&amp;C to which intercepted data from the infected PC was sent.</li>
</ul>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Such reports are sometimes used by LEA and courts for the successful prosecution of cybercriminals; as the legislation in the cybercrime field is still quite weak today, cybercriminals unfortunately often go unpunished.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">In many cases the customer requests the support of experts specialized in computer forensics to produce such an expert report for the court after an online-banking theft; the client then asks the bank to recover the stolen funds, but this is a complicated dispute as well. Banks use flexible customer agreements that sometimes clearly declare that the bank has no responsibility for the customer’s safety and security against unauthorized access to their PC: malware and other cyber threats are considered a customer-side event and for this reason outside the bank’s control.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Another possible approach is passive: no response action follows the alert or the incident. The bank simply receives the information about the compromised customer and then monitors their activity until a suspicious transfer is created (characterized by a new transfer destination or a suspicious amount or time of transfer; IP and PC details are useless, as most modern online-banking thefts originate from the same IP as the infected customer, through remote administration via VNC spawning techniques or a patched RDP allowing multiple remote connections from the hacker’s side). Such an approach is very efficient during cybercrime-chain investigations, when it is important to get information about all the parties involved, such as “money mules”, the botmaster and the ISP maintaining it; of course, the approach takes some effort from the bank’s side.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Are there any «money mules» in Australia? Yes!</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">«Money mule» services have increased during the period 2010-2012; the following picture shows that the majority of AUS money mule services work on a shared margin (fifty-fifty).</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/kangoo-botnet-money-mules.png" width="678" height="375" alt="kangoo-botnet-money-mules" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">The translation follows:</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">«Good day. We provide drops in Australia for 2k and 5k transfers. We make drops by unique methodologies, use only our own “projects” for it, and don’t use public solutions. All employees pass special instruction and control. You will obtain special access to a specialized system for controlling them. Work 50/50, costs of cashout are not included. First contact – in PM.»</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;experts found that the black market for theft from Australian banks is very well developed nowadays, and that Australia can become one of the key targets for modern cybercriminals in 2013-2015.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/kangoo-botnet-black-market.png" width="678" height="366" alt="kangoo-botnet-black-market" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Translation:</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">«Need money mules in AU. Will transfer any amounts. 50% – my share from the transferred amount. Private message.»</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">One of the reasons Australia is a target is a favorable time zone for Eastern European cyber criminals to facilitate bank transfers.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Perspective of customer’s security</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Even though a customer can execute any malicious program, which may compromise their online bank account, the bank is more or less in a partnership with its clients on the financial accounts, sharing some liability. It is in the bank’s best interest to ensure programs and policies that keep the customer happy and retain their loyalty.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">“We were really impressed with the time frame of ANZ Bank reaction. A specialized cybercrime analysis representative official responded immediately, and we have provided all the necessary information about the compromised customer credentials with IPs”, said&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Andrey Komarov</strong></em>&nbsp;of&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>. “It seems the ANZ bank understands the value of getting all of their customers compromised information today, as opposed to moving slowly where more financial losses can affect the bottom line of both the customer and the bank.”</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">In the specific Kangoo case, the investigation suggests that the botnet owners are possibly located in CIS countries (former USSR) and use several WEB-inject methods for hidden, automatic hijacking of the transfer’s destination.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">WEB-injects are the main weapon of modern cybercriminals, helping them to make a huge profit without any manual work. The market for WEB-injects nowadays is quite impressive.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/kangoo-botnet-web-injection1.png" width="633" height="452" alt="kangoo-botnet-web-injection1" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">The picture above shows a grabber for&nbsp;<a href="http://westpac.com.au/" target="blank" style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; color: #0b7ac0;">http://westpac.com.au</a>&nbsp;personal and business online-banking accounts, based on a WEB-inject and a virtual keyboard interceptor.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Pricing varies, ranging from $50 to $500 depending on the quality of the WEB-inject. Some are traded in private communities, where the programmer receives a percentage of all successful thefts. Many of the injects are developed for well-known banking Trojans such as Citadel, Carberp and Zeus, as well as for quite private malware such as Andromeda.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/kangoo-botnet-web-injection_2.png.jpg" width="640" height="253" alt="kangoo-botnet-web-injection 2.png" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Commonwealth Bank, Teachers Mutual Bank, DefenceBank, WestPac, Suncorp, BankWest, NAB: cybercriminals have developed WEB-injects for the most famous banks in AUS.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;is cooperating with the banks on this issue, as the cybercriminals have still not been arrested and the investigation is in progress. The C&amp;C and the persons involved in the crime were identified and shared with the banks on a confidential basis for collaboration with Australian LEA. All the compromised data and customer IPs, used for finding botnets, were imported into&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB Bot-Trek</strong></em>&nbsp;for further investigation and cyber intelligence sharing.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/744-group-ib-exclusive-details-on-kangoo-botnet-that-hit-australian-banks</guid> 
                <pubDate>Wed, 22 May 2013 11:00:23 +0400</pubDate>
        </item>
        <item>
                <title><![CDATA[WSIS Forum 2013 – Securing Cyberspace in a borderless world]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/743-wsis-forum-2013-securing-cyberspace-in-a-borderless-world</link>
                <description><![CDATA[<h1 style="margin: 0px 0px 14px; padding: 0px; border: 0px; outline: 0px; font-size: 24px; vertical-align: baseline; font-weight: normal; font-family: arial; color: #cc3333;">WSIS Forum 2013 – Securing Cyberspace in a borderless world</h1>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><a href="http://securityaffairs.co/wordpress/14525/cyber-crime/wsis-forum-2013-securing-cyberspace.html" target="_blank" style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; color: #0b7ac0; text-decoration: none;">Original publication in the Security Affairs</a></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">“Securing Cyberspace in a borderless world: Vision 2015 and Beyond” is the title of a High Level Dialogue that was held during The World Summit on the Information Society Forum (WSIS) 2013.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">The World Summit on the Information Society Forum (WSIS) represents the world’s largest annual gathering of the ICT for development community. The event is organized by the ITU (International Telecommunication Union), and during the last edition a high-level session was held dedicated to the topic “Securing Cyberspace in a borderless world: Vision 2015 and Beyond”.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">I find the topic very interesting for all cybersecurity professionals. The dialogue at WSIS was moderated by Mr Kim Andreasson, Managing Director of DAKA advisory AB and editor of Cybersecurity: Public Sector Threats and Response.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">The WSIS Forum 2013 was held from 13 to 17 May 2013 at the ITU Headquarters in Geneva. This year the Forum attracted more than 1800 WSIS Stakeholders from more than 140 countries. Several high-level representatives of the wider WSIS Stakeholder community graced the Forum, with more than 60 ministers and deputies, several ambassadors, CEOs and Civil Society leaders contributing passionately towards the programme of the Forum.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Several key panelists from different expert fields have taken part in the WSIS meeting:</p>
<ul class="sp1" style="margin: 0px 0px 28px; padding: 0px 0px 0px 45px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; list-style: none; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif; line-height: 16px;">
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">Dr Hamadoun Touré, Secretary-General, ITU</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">H.E. Mr Diego Molano Vega, Minister, Ministry of ICT, Colombia</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">H.E. Amb. Dr. Theodor H. Winkler, Director, DCAF, Switzerland</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">Ms Ingrid Deltenre, Director General, EBU, Switzerland</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">Mr Chris Painter, Cybersecurity Coordinator, Department of State, USA (<a href="http://www.state.gov/r/pa/ei/biog/161848.htm" target="blank" style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; color: #0b7ac0;">http://www.state.gov/r/pa/ei/biog/161848.htm</a>)</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">Mr Stuart Carlaw, Chief Research Officer, ABI Research, United States</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Mr Ilya Sachkov, CEO, Group IB, Russian Federation</em></strong>&nbsp;(<a href="http://group-ib.com/" target="blank" style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; color: #0b7ac0;">http://group-ib.com</a>)</li>
<li style="margin: 0px 0px 7px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent; position: relative; line-height: 1.4;">Mr John Carr, Secretary, Children’s Charities’ Coalition on Internet Safety, United Kingdom</li>
</ul>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">I suggest reading the paper prepared by Dr Hamadoun Touré, Secretary-General of the ITU, which covers different problems, trends and views on the cybersecurity situation in the world, as well as the ITU’s key principles for building trust and peace in the modern world.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Dr Hamadoun I. Touré also mentioned that, according to the most recent statistics, annual losses of over 100 billion dollars are being caused by cybercrime, and that some 550 million people are being targeted by cyberattacks every year. In financial terms, this is the equivalent of the entire GDP of a country like Morocco, Slovakia or Bangladesh. In population terms, it is the equivalent of more than all the inhabitants of Europe. Every second, 18 adults become a victim of cybercrime, resulting in more than 1.5 million cybercrime victims each day on a global level.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/wsis_2013.jpg" width="640" height="227" alt="wsis 2013" style="display: block; margin-left: auto; margin-right: auto;" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">I decided to interview the&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB CEO</strong></em>, who was one of the representatives of the private sector at the WSIS meeting.&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;is one of the leading companies in fraud prevention, cybercrime and high-tech crime investigations, and it often supports me in my analysis of security issues.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><img src="http://www.group-ib.com/images/news/wsis-2013-sachkov-group-ib.jpg" width="341" height="512" alt="wsis-2013-sachkov-group-ib" style="display: block; margin-left: auto; margin-right: auto;" /></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">1) Ilya, what were the most interesting topics of discussion during the high-level dialogue organized during WSIS 2013?</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">The panelists shared their opinions on modern cybersecurity problems, ranging from reducing the risks of harmful use of ICT to child protection on the Web. I can say that such a high-level dialogue can help the governments, the private sector of different countries and society to get an actual view of the situation in the field.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">2) What key problems in modern cybersecurity can you figure out?</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">One of the most important questions is that the private sector should collaborate with governments more closely, as the most actual and interesting information for reducing cybersecurity risks is in private sector hands. Some countries have political barriers to cooperation which make cooperation absolutely unclear and impossible, as well as the same problems within their own country. The role of private and non-commercial expert companies and organizations is increasing each day, and one of the best ways is to link it with government efforts to make the cyber world safer.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Many private companies with cybercrime solutions are cooperating on the back end by sharing data on cyber threats anonymously via signatures in so-called “Eco Systems”. This allows their big data analysis programs to flag malware and threats before damage is done to networks.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">3) What do you think about the role of governments, along with intergovernmental bodies such as the UN and the ITU, in modern cybersecurity?</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">I have already mentioned it a bit in the previous point, but it is important to say that private-public partnership shows good results. In regard to Russia and former USSR countries,<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">&nbsp;CERT-GIB (Group-IB’s CERT)</strong></em>&nbsp;acts in very close cooperation with international LEA, domain registrars, ISPs and hosting providers to reduce cyber security threats in .RU, .РФ and .SU, and shows efficient results in botnet tracking and cyberthreat intelligence each day, operating 24x7x365.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Law enforcement agencies, such as FBI and Russia’s FSB, are seeing threats to national critical infrastructures like power grids and banking sectors, and are making overtures about “Sharing” data and intelligence with relevant private partners. Even some newly proposed cyber security laws and new agencies are reflecting this change from traditional law enforcement culture.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">4) As far as I know, Group-IB is a member of IMPACT-ITU. What benefits or advantages do you have in this plan? Is this structure efficient for reducing cybersecurity risks? What is your role there?</strong></p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Yes, we are very proud and happy that&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">Group-IB</strong></em>&nbsp;and its&nbsp;<em style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;"><strong style="margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: baseline; background-color: transparent;">CERT</strong></em>&nbsp;are members of IMPACT-ITU. I can say that it is one of the most powerful and expert organizations in the world, organized with the support of the ITU. We share cyber threat intelligence information within the IMPACT-ITU member community, targeted at the public and critical infrastructure sectors.</p>
<p style="margin: 0px 0px 17px; padding: 0px; border: 0px; outline: 0px; font-size: 14px; vertical-align: baseline; line-height: 1.6; color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif;">Security in cyberspace is a global need. Cyber threats have increased in recent months, as has happened before, and the trend is one of relentless growth. To mitigate the risks, an approach on a global scale is necessary, one that requires the participation of governments and private companies, which must share information on the principal cyber menaces and define a globally recognized legal framework … only in this way can we reduce risks to an acceptable level.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/743-wsis-forum-2013-securing-cyberspace-in-a-borderless-world</guid> 
                <pubDate>Wed, 22 May 2013 10:58:27 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB participates in the Counter eCrime Operations Summit VII and contributed to the APWG Mobile Working Group]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/734-group-ib-participates-in-the-counter-ecrime-operations-summit-vii-and-contributed-to-the-apwg-mobile-working-group</link>
                <description><![CDATA[<h1>Group-IB participates in the Counter eCrime Operations Summit VII and contributed to the APWG Mobile Working Group</h1>
<p><b>29.04.2013, Argentina, Buenos Aires</b> - <i>Group-IB participated in the 7th Annual International Summit on Cybercrime, CeCOS VII (<a href="http://apwg.org/apwg-events/cecos2013/agenda" target="_blank">http://apwg.org/apwg-events/cecos2013/agenda</a>), held from April 23 to 25 in Argentina.</i></p>
<p style="text-align: center;"><img src="/images/news/bueno.jpg" width="521" height="186" /></p>
<p>The summit was attended by leading experts in the computer security industry and high-tech crime investigation, including members of law enforcement agencies.</p>
<p><b>Dan Clements</b>, Director of Group-IB in the United States, gave a presentation on current trends and dynamics of cybercrime, highlighting Group-IB's successful experience in 2011 and 2012 in investigating incidents in the financial and banking sector and e-commerce.</p>
<p>Group-IB experts also contributed to the analytical report «Mobile Financial Fraud &amp; The Underground Marketplace Overview - an APWG White Paper», which describes modern information security threats to mobile devices and malicious activity aimed at committing fraud in mobile operators' networks.</p>
<p>The report is available for download on the website of the APWG's Anti-Phishing Mobile Working Group, which addresses fraud in cellular operators' networks (<a href="http://apwg.org/resources/mobile" target="_blank">http://apwg.org/resources/mobile</a>):</p>
<ul class="sp1">
<li>White Paper: Mobile Financial Fraud April 2013 (<a href="http://docs.apwg.org/reports/mobile/APWG_Mobile_Report_v1.9.pdf" target="_blank">http://docs.apwg.org/reports/mobile/APWG_Mobile_Report_v1.9.pdf</a>) (Jart Armin, Andrey Komarov, Mila Parkour, Raoul Chiesa, Bryn Thompson, Will Rogofsky);</li>
<li>Cybercrime Supplement: Mobile Market April 2013 (<a href="http://docs.apwg.org/reports/mobile/APWG_Mobile_Report_supp_1_underground_05.pdf" target="_blank">http://docs.apwg.org/reports/mobile/APWG_Mobile_Report_supp_1_underground_05.pdf</a>) (Jart Armin &amp; Andrey Komarov);</li>
<li>Mobile Threats and the Underground Marketplace – 2-page summary (English) (<a href="http://docs.apwg.org/reports/mobile/APWG_Mobile_Fraud_Overview_v03.pdf" target="_blank">http://docs.apwg.org/reports/mobile/APWG_Mobile_Fraud_Overview_v03.pdf</a>).</li>
</ul>
<p><strong>About Group-IB</strong></p>
<p>Group-IB – one of the leading companies in fraud prevention, cybercrime and hi-tech crime investigations.</p>
<p>Key activities of our company: Cyber Intelligence and Threat Prevention, Information Security, Assessment and Vulnerability Research, Computer Forensics, Cybercrime and Hi-Tech crimes investigations, Innovative software products development for monitoring, detection and prevention of emerging cyberthreats.</p>
<p>In the technologies field, it is imperative that our team members are on the cutting edge. That is why our employees have earned several certificates: CISSP (Certified Information Systems Security Specialist), CISA (Certified Information Systems Analyst), CEH (Certified Ethical Hacker), Extreme Networks Administrator, A+ Certification, Net+, MCP (Microsoft Certified Professional), and MCSA (Microsoft Certified Systems Administrator).</p>
<p>We have more than 90 employees serving customers in more than 25 countries. Our clients include various banks, financial institutions, oil and gas companies, software and hardware vendors, telecommunications service providers from Australia, Argentina, Brazil, Canada, EU, Russian Federation, UK, USA and Ecuador.</p>
<p>Group-IB employees participate in key IT-security conferences such as e-Crime, Cardex, APWG:Counter-eCrime Operations Summit (CeCOS), Cyber Intelligence Asia and the SCADA Security Summit.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/734-group-ib-participates-in-the-counter-ecrime-operations-summit-vii-and-contributed-to-the-apwg-mobile-working-group</guid> 
                <pubDate>Mon, 29 Apr 2013 17:14:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB has taken part in one of the largest IT-security exhibitions – Infosecurity Europe 2013]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/733-group-ib-has-takes-part-in-one-of-the-largest-it-security-exhibitions-infosecurity-europe-2013</link>
                <description><![CDATA[<h1>Group-IB has taken part in one of the largest IT-security exhibitions – Infosecurity Europe 2013</h1>
<p><b>April 26, 2013, UK, LONDON</b> - <i>Group-IB has taken part in one of the largest IT-security exhibitions – Infosecurity Europe (UK, London - <a href="http://www.infosec.co.uk/en/Exhibitors/183148/Group-IB" target="_blank">http://www.infosec.co.uk/en/Exhibitors/183148/Group-IB</a>).</i></p>
<p style="text-align: center;"><img src="/images/news/infosec.jpg" width="360" height="234" /></p>
<p>This year's event attracted more than 300 exhibitors from all over Europe, including the leading players in the global security market.</p>
<p style="text-align: center;"><img src="/images/news/mos.jpg" width="536" height="401" /></p>
<p>Group-IB experts presented their products and services within a dedicated sector of the exhibition, organized with the support of the Government of Moscow. Among the participants of the Moscow exposition were Group-IB, NPO Echelon, LLC «SURITEL», RusGuard, ITV Group and others.</p>
<p style="text-align: center;"><img src="/images/news/gr.jpg" width="556" height="416" /></p>
<p>Group-IB was represented by Andrey Komarov, head of the international projects department, who introduced visitors to Group-IB Bot-Trek (http://group-ib.com/bot-trek), a real-time botnet and cyber intelligence service that provides direct access to compromised data and helps to prevent fraud.</p>
<p>The company also participated in the round table on "Best practices and anti-fraud technology", where it shared its expert opinion on best practices, on working with banks to curb theft in remote banking systems (RBS), and on security analysis.</p>
]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/733-group-ib-has-takes-part-in-one-of-the-largest-it-security-exhibitions-infosecurity-europe-2013</guid> 
                <pubDate>Fri, 26 Apr 2013 17:04:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB and department K prevented the theft of 1 billion rubles]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/731-group-ib-and-department-k-prevented-the-theft-of-1-billion-rubles</link>
                <description><![CDATA[<h1>Group-IB and department K prevented the theft of 1 billion rubles</h1>
<p><strong>April 22, 2013, MOSCOW</strong> — <em>Group-IB reports on an investigative collaboration with the «K» Department of the Russian police. As a result of the investigation, an individual involved in more than 5000 thefts from remote banking systems of Russian banks was apprehended. Specifically, this individual employed malware which allowed bypassing payment confirmations sent via text message.</em></p>
<p>The forensics conducted by Group-IB experts at the request of Sberbank of Russia revealed that the perpetrator used the Carberp malware, which would install itself on the computer of a user of an online banking system without their knowledge or authorization, and use web-inject technology to acquire personal information. When a user would load a site targeted by the Carberp malware with a browser, the malware would introduce external HTML code into the displayed page. An example of a page modified in this manner is shown in Fig. 1, where the telephone field is extraneous.</p>
<p style="text-align: center;"><img src="http://www.group-ib.com/images/news/sber.jpg" width="680" height="280" alt="sber" /><br /><strong>Fig. 1:</strong> Page modified by malware</p>
<p>Thus, completely unaware, the potential victims disclosed not only their login information, but also their cellphone numbers. Using this information in addition to social engineering methods, the perpetrator then proceeded to clone SIM cards, which allowed bypassing payment confirmations sent via text message.</p>
<p>As a result of the investigation conducted by the Department K agents with assistance from Group-IB and Sberbank, the identity of the creator of the web-injects and the administrator of the servers collecting stolen information was established: a forty-year-old Togliatti resident, engaged in criminal activities since August 2011.</p>
<p>“The investigation of this case — from the first moment when Group-IB received a complaint from a victim to when the perpetrator was apprehended — was conducted in record time, in less than six months. Thus, we managed to prevent thefts from Russian banks in the amount of 1 Billion Roubles ($34 Million),” noted Ilya Sachkov, CEO of Group-IB. “This was the first case investigated within the European Cyber Security Federation (ECyFed) union, which includes Group-IB, CyberDefcon, and CSIS.”</p>
]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/731-group-ib-and-department-k-prevented-the-theft-of-1-billion-rubles</guid> 
                <pubDate>Mon, 22 Apr 2013 08:47:17 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB: online trading and stock brokerage attacked by hackers]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/722-group-ib-online-trading-and-stock-broking-is-in-the-hackers-interest</link>
                <description><![CDATA[<h1>Group-IB: online trading and stock brokerage attacked by hacker’s</h1>
<p><strong>17.04.2013 Moscow</strong> – <em>Group-IB has found a new kind of malware, targeting the stock brocking application QUIK. It was detected during several targeted attacks starting in November 2012 where the cybercriminals started to gather detailed information on the respective owner accounts.</em></p>
<p>Traditionally the hacker’s key interests were private and corporate banking accounts where online systems could be exploited and funds stolen. Corporate accounts are higher targets because of higher balances.</p>
<p>In the last year, Group-IB has received several incoming incident fraud requests on some famous online trading and stock brokerages where systems were possibly hacked. Our research has shown it was done without any kind of malware, but directly through untrusted or fake partners.</p>
<p>In the previous month, Group-IB has detected the first professional malware, targeted at a specialized trading software named QUIK (Quik Broker, Quik Dealer) from ARQA Technologies and FOCUS IVonline from EGAR Technology, used by many large banks of the Russian Federation, specifically national banks “Sberbank”, “Alfa-Bank” and “Promsvyazbank”.</p>
<p>Both of the applications are used for trading on MICEX (<a href="http://rts.micex.ru/en/" target="blank">http://rts.micex.ru/en/</a> ), one of the leading Russian stock exchanges and the biggest trading venue in Eastern Europe. MICEX offers companies-issuers a wide variety of services including placing and trading stocks, listing services, and helping execute initial public offerings (IPOs). Exchange clients can trade in securities of such prominent issuers as Gazprom, Sberbank of Russia, LUKOIL, Rosneft, VTB Bank, Surgutneftegaz, Transneft, RusHydro, Mobile TeleSystems, etc.</p>
<p><img src="/images/news/quik.jpg" /></p>
<p>The malware first checks for the presence of these applications in the OS, then begins to monitor the user’s actions and extract information about their activity by capturing screenshots and intercepting credentials, which are then sent to the C&amp;C server.</p>
<p><img src="/images/news/focus.jpg" /></p>
<p>Some of this data was extracted by elite Group-IB specialists while handling the C&amp;C servers, and further monitoring by Group-IB Bot-Trek returns victim information.</p>
<p>It is very important to note that QUIK software is used for online trading not only in the Russian Federation but also by many entities in other countries, such as BrokerCreditService (Cyprus), Otkritie (GB / RU), InstaForex and many others.</p>
<p><img src="/images/news/quil2.jpg" /></p>
<p><strong>About Group-IB</strong></p>
<p>Group-IB is one of the leading companies in global cybercrime prevention and hi-tech crime investigations.</p>
<p>Key activities of our company: Cyber Intelligence and Threat Prevention, Information Security, Assessment and Vulnerability Research, Computer Forensics, and Cybercrime and Hi-Tech Crime Investigations. Also, innovative software products development for monitoring, detection and prevention of emerging global cyber threats.</p>
<p>In the technologies field, our team members are on the cutting edge. Our employees have earned several certificates: CISSP (Certified Information Systems Security Specialist), CISA (Certified Information Systems Analyst), CEH (Certified Ethical Hacker), Extreme Networks Administrator, A+ Certification, Net+, MCP (Microsoft Certified Professional), and MCSA (Microsoft Certified Systems Administrator).<br />We have more than 90 employees serving customers in more than 25 countries. Our clients include various banks, financial institutions, oil and gas companies, software and hardware vendors, telecommunications service providers from Australia, Argentina, Brazil, Canada, EU, Russian Federation, UK, USA and Ecuador.</p>
<p>Group-IB employees participate in key IT-security conferences such as e-Crime, Cardex, APWG:Counter-eCrime Operations Summit (CeCOS), Cyber Intelligence Asia and the SCADA Security Summit.</p>
<p><strong>Georgiy Pulyaevskiy, Group-IB PR manager</strong><br /><a href="mailto:pulyaevskiy@group-ib.com">pulyaevskiy@group-ib.com</a><br />+7 495 661-55-38 ext. 092<br />+7 965 399-17-92</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/722-group-ib-online-trading-and-stock-broking-is-in-the-hackers-interest</guid> 
                <pubDate>Wed, 17 Apr 2013 11:07:27 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Exclusive - Details on Group-IB's Investigation of the New Age of POS Malware]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/716-exclusive-details-on-investigation-of-group-ib-on-new-age-of-pos-malware</link>
                <description><![CDATA[<h1>Exclusive -Details on Investigation of Group-IB on new age of POS malware</h1>
<p><strong>03.04.2013, Moscow</strong>&nbsp;<em>Group-IB: New age of POS malware – cashpoints are in the hacker’s interest, major US banks are compromised</em></p>
<p>According to the statistics of Group-IB, one of the leading security and computer forensics company, modern cybercriminals started to use specific malware for ATMs and POS for targeted attacks.</p>
<p>Most of them are organized with help of insiders in face of staff, who has access to the POS to maintain or update it’s software locally. Only few infections were detection with help of targeted remote attacks on POS working on Windows XP / Windows Embedded with RDP/VNC access or vulnerabilities in ATM networks connected to VPN channels of the banks or GSM/GPRS networks.</p>
<p>Previously McAfee security researcher, Chintan Shah, has notified the banking community about vSkimmer, the Trojan-like malware is designed to infect Windows-based computers that have payment card readers attached to them.</p>
<p>At the end of 2012, Israel based company Seculert notified about Dexter malware, used for parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data.</p>
<p>Several days ago, Group-IB has found new type of POS malware, «DUMP MEMORY GRABBER by Ree[4]”, written on pure C++ without use of any additional libraries. IT supports all Microsoft Windows versions including x64 versions and use mmon.exe for RAM memory scanning on tracks and credit cards data.</p>
<p><img src="http://www.group-ib.com/images/news/dump_memory_grabber1.png" width="680" height="300" alt="dump memory_grabber1" /><br /> <br />The malware has own intellectual functions to delete third-party information to make the POS malware logs only with compromised credit cards data</p>
<p>According to the description of the author, it adds itself to the autorun with default timeout in 3 hours. The log with intercepted dumps is transferred through FTP gateway with the date. This variant can be changed on e-mail notification upon customers request.</p>
<p><img src="http://www.group-ib.com/images/news/dump_memory_grabber_adminpanel2.png" width="517" height="127" alt="dump memory_grabber_adminpanel2" /><br /> <br />Dump Memory grabber Admin Panel</p>
<p>Group-IB and it’s CERT (CERT-GIB) has found private video with demonstration of admin panel of this new POS malware.</p>
<p><img src="http://www.group-ib.com/images/news/dump_memory_grabber2_purged.png" width="680" height="327" alt="dump memory_grabber2_purged" /></p>
<p>Customers of major US banks, such as such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware, here are some segments of the data extracted from the uploaded video on one of the most famous underground forums:</p>
<p>In the following image an exclusive screensot related to thousands of credit cards were compromised, the screenshot of «BlackPOS» admin panel, 23th March 2013</p>
<p><img src="http://www.group-ib.com/images/news/blackpos.png" width="621" height="445" alt="blackpos" />&nbsp;</p>
<p><strong>About Group-IB</strong></p>
<p>Group-IB is Russia and the CIS’s (Commonwealth of Independent States) leading computer security company, specializing in the investigation of computer crime, information security breaches, computer forensics, and global threat intelligence gathering. On the basis of Group-IB, CERT-GIB operates as the first private computer emergency response team in Russia. CERT-GIB provides the client with comprehensive support in minimizing informational risks, consisting of technical, organizational, and legal advice. Group-IB has residency at the Skolkovo Innovation Center. As part of the Skolkovo innovative projects, Group-IB is creating The CyberCop, a global counter-cybercrime system. The system is an effective tool which will allow the law enforcement agencies in Russia and around the world to combat cybercrime during the most difficult stages of the investigative process: evidence gathering, information analysis, and perpetrator finding.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/716-exclusive-details-on-investigation-of-group-ib-on-new-age-of-pos-malware</guid> 
                <pubDate>Wed, 03 Apr 2013 13:51:36 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Russian-Based Group-IB has joined ITU-IMPACT]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/715-russian-based-group-ib-has-joined-itu-impact</link>
                <description><![CDATA[<h1>Russian Based Group-IB has joined ITU-IMPACT</h1>
<p><strong>28.03.2013, Moscow</strong> <em>— Leading Russian computer security company Group-IB, and it's CERT (CERT-GIB), has entered into a strategic partnership with the International Multilateral Partnership Against Cyber Threats (IMPACT), the cybersecurity executing arm of the International Telecommunication Union (ITU).</em></p>
<p>The partnership between ITU-IMPACT and Group-IB will enable cooperation through information sharing and exchange of expertise as well as facilitating collective efforts in global cybersecurity capacity building. The addition of Group-IB to the ITU-IMPACT coalition will enable a further strengthened endeavour towards helping countries identify, mitigate, and respond to cyber threats worldwide.</p>
<p>“As cyber threats against nations continue to escalate at a pervasive rate, no country or organisation can contain this single-handedly. Cooperation and collaboration are vital in today’s connected world to prevent, defend and respond to cyber threats. Having Group-IB on board will strengthen the coalition that currently spans across 145 countries in enhancing their cybersecurity readiness. Group-IB will bring across its expertise, experiences and resources in ITU-IMPACT’s efforts globally,” said Philip Victor, Director for Policy and International Cooperation, IMPACT.</p>
<p>“Joining IMPACT allows Group-IB to obtain a new level of international cooperation on cybersecurity, and a transparent exchange of information on current cyber threats. In turn, Group-IB's regional and cultural opportunities will allow other members of the alliance to receive substantial expert support and cyber intelligence data,” said Andrey Komarov, Head of International Projects, Audit and Consulting Department, CERT-GIB CTO. – End –</p>
<p><strong>About Group-IB</strong></p>
<p>Group-IB is Russia and the CIS’s (Commonwealth of Independent States) leading computer security company, specializing in the investigation of computer crime, information security breaches, computer forensics, and global threat intelligence gathering. On the basis of Group-IB, CERT-GIB operates as the first private computer emergency response team in Russia. CERT-GIB provides the client with comprehensive support in minimizing informational risks, consisting of technical, organizational, and legal advice. Group-IB has residency at the Skolkovo Innovation Center. As part of the Skolkovo innovative projects, Group-IB is creating The CyberCop, a global counter-cybercrime system. The system is an effective tool which will allow the law enforcement agencies in Russia and around the world to combat cybercrime during the most difficult stages of the investigative process: evidence gathering, information analysis, and perpetrator finding.</p>
<p><strong>About IMPACT</strong></p>
<p>The International Multilateral Partnership Against Cyber Threats (IMPACT) is the cybersecurity executing arm of the United Nations' specialised agency - the International Telecommunication Union (ITU). As the world’s first UN-backed comprehensive alliance against cyber threats, IMPACT brings together governments, academia and industry experts to enhance the global community’s capabilities in dealing with cyber threats. Based in Cyberjaya, Malaysia, IMPACT is the operational home of ITU’s Global Cybersecurity Agenda (GCA). IMPACT provides ITU’s 193 Member States access to expertise, facilities and resources to effectively address cyber threats, as well as assisting United Nations agencies in protecting their ICT infrastructures. For more information, please visit impact-alliance.org</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/715-russian-based-group-ib-has-joined-itu-impact</guid> 
                <pubDate>Thu, 28 Mar 2013 08:30:57 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB to participate in the OWASP project]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/714-group-ib-to-participate-in-the-owasp-project</link>
                <description><![CDATA[<h1>Group-IB to participate in the OWASP project</h1>
<p><strong>19 March 2013, Moscow.</strong> <em>Group-IB has become a member of the OWASP project (Open Web Application Security Project) – the world’s largest community of experts in the field of security analysis and audit of the information security of applications. The contribution by experts from Group-IB is aimed at enhancing the security of industrial systems – OWASP SCADA Security Project (<a href="https://www.owasp.org/index.php/OWASP_Scada_Security_Project" target="_blank">https://www.owasp.org/index.php/OWASP_Scada_Security_Project</a>).</em></p>
<p>“We were able to create a project under OWASP, which was approved and adopted by the expert community. We believe that participation in this global project will have a positive impact on the company’s development,” said <strong>Andrei Komarov</strong>, Head of International Projects, Audit and Consulting Department, CERT-GIB CTO.</p>
<p>The main objective of the project, which today brings together representatives of the Federal Office for Information Security (BSI) and the national computer security incident response team of Japan (JPCERT/CC), is to accumulate data in the following areas:</p>
<ul class="sp1">
    <li>remote detection of elements of automated process control systems and SCADA (supervisory systems, programmable logic controllers, communications processors, telemetry devices, control and measuring equipment);</li>
    <li>identification of vulnerabilities in the software of automated process control systems and SCADA, which include WEB applications;</li>
    <li>development of applied configuration measures and ways of enhancing the security of industrial infrastructures and networks against hacking.</li>
</ul>
<p><strong>About Group-IB</strong></p>
<p>International company Group-IB is the leader in Russia’s market for the investigation and prevention of computer crimes. It is a resident of the Skolkovo Foundation. The range of consulting services offered by the company is used to successfully detect, prevent and investigate cyber security incidents. The company’s experts have unique skills in assessing the security of web applications, business applications, remote banking service systems and corporate network infrastructures. Group-IB is licensed (GT No. 0064472, registration number 4490) by the Federal Security Service of Russia to work with state secret information.</p>
<p><b>For more information, please contact:</b></p>
<p>Anna Grigorieva<br />Marketing &amp; PR director, Group-IB<br />Phone: +7 915 288-59-90<br />E-mail: <a href="mailto:grigorieva@group-ib.ru">grigorieva@group-ib.ru</a></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/714-group-ib-to-participate-in-the-owasp-project</guid> 
                <pubDate>Thu, 21 Mar 2013 06:40:47 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB takes part in the Cyber Intelligence Asia 2013 conference]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/713-group-ib-takes-part-in-the-cyber-intelligence-asia-2013-conference</link>
                <description><![CDATA[<h1>Group-IB takes part in the Cyber Intelligence Asia 2013 conference</h1>
<p><em><strong>18 March 2013, Moscow.</strong> Group-IB has participated in the largest conference – Cyber Intelligence Asia 2013 – dedicated to the information security of the Asia-Pacific region (<a href="http://www.intelligence-sec.com/events/cyber-intelligence-asia/speaker-biographies" target="_blank">http://www.intelligence-sec.com/events/cyber-intelligence-asia/speaker-biographies</a>). The conference was held in Kuala Lumpur (Malaysia).</em></p>
<p>Due to a global increase in cyber attacks, it has become critical for many governments to re-evaluate their cyber security systems. Experience has proven that international cooperation is vital to coping with the emerging challenges of this kind.</p>
<p>Securing critical infrastructure, aspects of computer and technical examinations, international cooperation and strengthening of cooperation in responding to cyber security incidents and potential threats were the major topics discussed at the event.</p>
<p>In his report, <strong>Andrei Komarov</strong>, Head of International Projects, Audit and Consulting Department, CERT-GIB CTO, highlighted some features of protecting and analysing the security of embedded industrial systems, as well as methods of investigating possible incidents involving real-time systems.</p>
<p>“The security of automated process control systems is currently attracting increased attention from both business structures and national security services of many countries due to the fact that many critical facilities use them for process automation. They are under attack both from modern cyber attackers and from terrorist organizations that prepare to sabotage oil transportation facilities, metallurgical bases and energy complexes with the use of high technology,” Andrei Komarov noted in his speech.</p>
<p><strong>Howard Schmidt</strong>, a former Cybersecurity Coordinator and Special Assistant to the U.S. President, <strong>Marco Obiso</strong>, ITU Cybersecurity Coordinator, representatives of the Ministry of National Security of Azerbaijan and Information Security Agency of Oman delivered their reports and presentations at the conference, organized with the support of the Ministry of Science, Technology and Innovation of Malaysia (MOSTI) and CyberSecurity Malaysia (CERT-MY). Delegations from ID-CERT (Indonesia), JPCERT/CC (Japan), CamCERT (Cambodia), the staff of the German Embassy in Malaysia, the staff of the U.S. Embassy in Malaysia and the National Police of Hong Kong all gave their competent opinions on the issues discussed.</p>
<p><strong>About Group-IB</strong></p>
<p>International company Group-IB is the leader in Russia's market for the investigation and prevention of computer crimes. It is a resident of the Skolkovo Foundation. The range of consulting services offered by the company is used to successfully detect, prevent and investigate cyber security incidents. The company's experts have unique skills in assessing the security of web applications, business applications, remote banking service systems and corporate network infrastructures. Group-IB is licensed (GT No. 0064472, registration number 4490) by the Federal Security Service of Russia to work with state secret information.</p>
<p><b>For more information, please contact:</b></p>
<p>Anna Grigorieva<br />Marketing &amp; PR director, Group-IB<br />Phone: +7 915 288-59-90<br />E-mail: <a href="mailto:grigorieva@group-ib.ru">grigorieva@group-ib.ru</a></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/713-group-ib-takes-part-in-the-cyber-intelligence-asia-2013-conference</guid> 
                <pubDate>Thu, 21 Mar 2013 06:34:11 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB US: Zero-day vulnerability found in Adobe X]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/672-group-ib-us-zero-day-vulnerability-found-in-adobe-x</link>
                <description><![CDATA[<h1>Group-IB US: Zero-day vulnerability found in Adobe X</h1>
<p style="text-align: center;"><span style="color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif; font-size: 14px; line-height: 22px; text-align: center;">November 7, 2012</span></p>
<p>NEW YORK — A new vulnerability has been found in Adobe X that allows shellcode execution by means of malformed PDF documents containing specially crafted forms.</p>
<p>The vulnerability has also been incorporated into a new, modified version of the Blackhole Exploit Kit, which is used to distribute banking Trojans (Zeus, SpyEye, Carberp, Citadel) by exploiting various vulnerabilities in client-side software.</p>
<p>Andrey Komarov, the Head of International Projects Department of Group-IB: «The vulnerability has some limitations; for example, it could be successfully exploited only after the user closes the browser and restarts it. Another variant is to organize interaction between the victim and the malformed PDF document. Either way, the vulnerability has a very significant vector to be spread with bypassing of the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.»</p>
<p>The end price of this vulnerability on the black market is approximately 30 000 – 50 000 USD. For now this flaw is distributed only in small circles of the underground, but it has the potential for much larger post-exploitation use.</p>
<p>Dan Clements, Managing Partner of Group-IB US: «As more and more of these unpatchable zero-day threats pop up in application software and operating systems, it provides bot authors more opportunities to design more creative methods to get their malware loaded into a victim’s computer.»</p>
<p>A proof of concept (PoC) of the zero-day flaw found in Adobe X was published on YouTube by the Group-IB US threat intelligence team: <a href="http://www.youtube.com/watch?v=uGF8VDBkK0M&amp;feature=youtu.be" target="_blank">http://www.youtube.com/watch?v=uGF8VDBkK0M&amp;feature=youtu.be</a>.</p>
<p><strong>About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng" target="_blank">LETA Group</a>.</p>
<p><strong>Media Contacts:</strong></p>
<p>Dan Clements 818.455.5969, D.Clements(at)group-ib(dot)com</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/672-group-ib-us-zero-day-vulnerability-found-in-adobe-x</guid> 
                <pubDate>Wed, 07 Nov 2012 07:39:45 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Computer Security Incident Response Team CERT-GIB launches Antiphishing.ru]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/671-computer-security-incident-response-team-cert-gib-launches-antiphishingru</link>
                <description><![CDATA[<h1>Computer Security Incident Response Team CERT-GIB launches Antiphishing.ru</h1>
<p style="text-align: center;"><span style="color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif; font-size: 14px; line-height: 22px; text-align: center;">October 24, 2012</span></p>
<p>MOSCOW — The round-the-clock computer security incident response center CERT-GIB has launched a new project, <a href="http://antiphishing.ru/" target="_blank">Antiphishing.ru</a>. It will help to stop cyber threats such as phishing and malware distribution. As a key advantage, the project gathers information about violations directly from internet users. All data will be passed on to law enforcement agencies, which will help to hold the perpetrators criminally liable.</p>
<p>The wide spread of phishing resources across the Internet, including its Russian segment, led to the creation of Antiphishing.ru. The project was developed for the rapid collection and processing of information about every site that users suspect to be malicious. It was implemented by specialists from CERT-GIB with the assistance of Yandex, Web of Trust and Mail.Ru Group. The initiative was supported by the Coordination Center for TLD RU/РФ.</p>
<p>Antiphishing.ru offers users a convenient web interface. Any internet user who suspects a site of being malicious can initiate a check: they need only submit the URL or IP address of the suspected resource. The system then automatically collects additional information and examines it thoroughly. The analysis determines the appropriate measures for the resource in question. All user actions are detailed under «<a href="http://antiphishing.ru/content/statistika/" target="_blank">Statistics</a>».</p>
<p>“The Coordination Center pays great attention to the safety of Russian internet users, and Antiphishing.ru gives us one more tool for cleaning up the Internet. Importantly, the project involves every internet user: such an approach allows more malicious resources to be discovered and brings the fight against cybercrime to the next level,” said Andrey Kolesnikov, CEO of the Coordination Center for TLD RU/РФ.</p>
<p>Users who have a whole list of suspicious sites can submit several records at once: they need only press the «Add several links» button under the input field. In addition, anyone can register and take part in the “antiphishing” competition to win valuable prizes.</p>
<p>«Before this project was launched, the major part of neutralized malicious resources was discovered through information exchange with our partners, — said Alexander Kalinin, official representative of CERT-GIB. — But only with the assistance of users, who face different cyber threats every day, could we significantly raise the volume of actual information and react to incidents more efficiently. I’m sure that our initiative will get a strong response from the internet community, which is sensitive to information security violations.»</p>
<p>«We are happy to see a specialized antiphishing project in Russia. Information security is very important for Yandex, and we constantly prevent fraudulent sites, first of all phishing sites, from influencing search result relevance and bothering our users, — said Denis Rogachevsky, Yandex project manager. — We are ready to provide information about such sites to all partners interested in the cleanliness of the ecosystem, also through our Safe Browsing API.»</p>
<p><strong>About CERT-GIB</strong></p>
<p>CERT-GIB is a Computer Security Incident Response Team based on Group-IB, the leading Russian company in the incident response business. CERT-GIB provides free around-the-clock information security assistance and response for incidents occurring in the Russian-speaking segments of the Internet.<br />In accordance with the agreement (<a href="http://cctld.ru/en/registrators/competent/" target="_blank">http://cctld.ru/en/registrators/competent/</a>) signed with ccTLD.ru, CERT-GIB has been designated to actively combat the illicit use of Russian domain names for phishing, gaining unauthorized access to third-party information systems, malware distribution, and botnet administration.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or <a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/671-computer-security-incident-response-team-cert-gib-launches-antiphishingru</guid> 
                <pubDate>Wed, 24 Oct 2012 13:19:59 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB US partners with CloudeyeZ, Dan Clements named Managing Partner]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/670-group-ib-us-partners-with-cloudeyez-dan-clements-named-managing-partner</link>
                <description><![CDATA[<h1>Group-IB US partners with CloudeyeZ, Dan Clements named Managing Partner</h1>
<p style="text-align: center;"><span style="color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif; font-size: 14px; line-height: 22px; text-align: center;">October 8, 2012</span></p>
<p><strong>Internet security companies team up on cross border global solutions and initiatives.</strong></p>
<p>Group-IB, the leading Russian IT security company, has agreed to a consulting and services partnership with CloudeyeZ, a global virtual lost and found that looks for compromised intellectual property. In addition, CloudeyeZ Team Member Dan Clements has been named Managing Partner of Group-IB US.</p>
<p>As NASA has partnered with the Russian Space Federation in real space, CloudeyeZ has partnered with Group-IB US in cyberspace on shared intelligence, threat assessment, adversary profiling, and joint co-operation with international cybercrime investigations.</p>
<p>“I'm pleased to become the Managing Partner of GIB US, which will allow our companies to drill down on cyber intelligence to help determine which adversaries have compromised computer systems”, states Dan Clements, former founder of CardCops and current Team Member and Spokesperson for CloudeyeZ.com. “Group-IB US has cultural and deep technical advantages that may help assess what was taken and possibly retrieve lost Intellectual Property or data for our clients.”</p>
<p>Group-IB offers a full range of security services, from preemptive internal and external security assessments to creating layered defenses and 24/7 incident response with complete forensic lab analysis. “Our partnership with CloudeyeZ will allow our companies to work together to demystify the anonymous adversaries and provide better cloud intelligence to corporations, financial institutions, and law enforcement,” said Ilya Sachkov, CEO of Group-IB. “The basis of this global intelligence allows us to better design security systems to protect digital assets and help thwart attacks from malicious programs.”</p>
<p><strong>About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng" target="_blank">LETA Group</a>.</p>
<p><strong>About CloudeyeZ: </strong></p>
<p><a href="http://www.cloudeyez.com/" target="_blank">CloudeyeZ.com</a> is a group of international security professionals who have teamed up to offer a progressive solution of possibly recovering lost property from the cloud. Some team members are well known in the press, others are not. CloudeyeZ is united in the belief that cloud based computing and storage on multiple servers that cross global jurisdictions, is absolutely insecure.</p>
<p>For years team members have been involved in security compromises where companies deny hacks, call in law enforcement, maybe fess up, and then blame some third party. This process doesn't confirm what was actually hacked, very few hackers actually go to jail, and the company may suffer a loss of goodwill. This negative protocol usually doesn't allow any chance of getting the property back. Team members have worked with global banks, Fortune 500 companies, and the investigative units of many governments. It was there that they learned that the traditional methods of security investigation and enforcement have proven not to be a deterrent to people who may pose a security threat. Hacking seems to be on a global rise. Since companies and governments lose property every day, this alternative model helps get their property back.</p>
<p>For additional information contact:<br /> Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or&nbsp;<a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>,<br /> Dan Clements, at 818.455.5969, or&nbsp;<a href="mailto:Dan@CloudeyeZ.com">Dan@CloudeyeZ.com</a>, <a href="mailto:D.Clements@group-ib.com">D.Clements@group-ib.com</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/670-group-ib-us-partners-with-cloudeyez-dan-clements-named-managing-partner</guid> 
                <pubDate>Mon, 08 Oct 2012 07:51:59 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB reported on combat with phishing and malicious resources]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/668-group-ib-reported-on-combat-with-phishing-and-malicious-resources</link>
                <description><![CDATA[<h1>Group-IB reported on combat with phishing and malicious resources</h1>
<p style="text-align: center;"><span style="color: #0f0f0f; font-family: tahoma, helvetica, arial, sans-serif; font-size: 14px; line-height: 22px; text-align: center;">September 18, 2012</span></p>
<p>Within the framework of the Agreement with the Coordination Center on counteracting the unauthorized use of .RU and .РФ domains, Group-IB has reported on the results of its activity as a competent organization for the period from January to June 2012. During this period it was possible to neutralize 775 malicious domains and to collect a significant amount of information that helped the police to dismantle 4 major groups of cybercriminals.</p>
<p>The area of competence of Group-IB includes counteracting the use of second- and lower-level domain names in .RU and .РФ for phishing, unauthorized access to third-party information systems, the spread of malicious programs and the operation of malicious programs (botnets). Besides tracking and neutralizing abusive domains, the company’s specialists provide forensic investigation and detailed processing of data about the intruders who created and used the malicious resources. On the Group-IB side, tracking and counteraction are carried out by CERT-GIB, a subdivision that handles information security incidents 24 hours a day.</p>
<p>In the half year since the Agreement was signed, CERT-GIB specialists managed to reveal 896 malicious domain names threatening the security of users of the Russian segment of the Internet. In parallel with monitoring the .RU and .РФ domain zones, procedures for interaction with accredited Russian registrars were established to speed up and improve the quality of responses to the requests of the competent organization. In all, during the reporting period registrars, at CERT-GIB’s request, refused delegation of 86% of the revealed malicious domain names, including the command center of the Slenfbot botnet, which consisted of 600 000 bot-infected computers. All infected users were identified and cut off from the botnet without the possibility of switching to another command center.</p>
<p>It should be noted separately that during the reporting period CERT-GIB specialists not only carried out measures to decrease the general level of malicious activity in the Russian segment of the Internet but also, as a competent organization, constantly assisted law enforcement bodies in collecting evidence of the illegal activity of a number of criminal groups. Company experts searched for information about the intruders who used abusive domains, recorded evidence of their illegal activity and carried out further comprehensive analytical processing. This data, as well as the results of forensic investigations of the malicious programs used, was sent to law enforcement bodies. All of this contributed to the liquidation of 4 major groups of fraudsters specializing in stealing money through Internet banking.</p>
<p>“The initiative suggested by the Coordination Center resulted in decreasing the general level of malicious activity and allowed violations in Runet to be resisted at a new level of quality. Due to this initiative the Russian segment of the Internet ceased being a shelter for cybercriminals and the international community obtained an accessible interface for urgent applications concerning dangerous and malicious domain names in the .RU and .РФ zones,” said Ilya Sachkov, CEO of Group-IB. “Our common task is to make the Internet cleaner and safer. The report of Group-IB shows how combined efforts help to address the problem effectively and increase the security of Russian domain zones,” noted Andrey Kolesnikov, CEO of the Coordination Center.</p>
<p><strong>About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng" target="_blank">LETA Group</a>.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or&nbsp;<a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/668-group-ib-reported-on-combat-with-phishing-and-malicious-resources</guid> 
                <pubDate>Tue, 18 Sep 2012 11:27:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[One of the largest banking botnets has been disabled]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/636-one-of-the-largest-banking-botnets-has-been-disabled</link>
                <description><![CDATA[<h1>One of the largest banking botnets has been disabled</h1>
<p align="center" style="text-align: center;">June 22, 2012</p>
<p>MOSCOW — Group-IB is announcing it has provided assistance and expert support to the Department K of the Ministry of the Interior (MVD) of Russia and the Center for Information Security of the Federal Security Service (FSB) of Russia during the actions against the organizer of a criminal group, which had been under an extensive investigation, resulting in his arrest by the MVD’s Department K.</p>
<p>Department K agents, along with the Center for Information Security and the Department of Internal Affairs for the Southern Administrative District of Moscow, raided the hacker’s place of residence and seized computer hardware, digital media, and documents evidencing his involvement in criminal activity. His group had been engaged in theft of online banking funds for over three years. Group-IB experts detected one of the largest botnets employed by the perpetrators, which was built on the Carberp malware. In particular, this version of the malware made it possible to steal so-called vouchers from foreign Facebook users.</p>
<p>This criminal group was formed in 2009 by an individual known by his online nicknames Germes and Arashi. Using the Hodprot malware, the organizer created a multimillion banking botnet, which became known in hacker circles as Origami. It existed until the middle of 2011, when it evolved into another, more sophisticated botnet, built on the Carberp malware.</p>
<p>Origami’s control panel is shown below:</p>
<p><img src="http://www.group-ib.com/images/news/scrn1.jpg" width="600" height="481" alt="scrn1" /></p>
<p>The perpetrators were the first to use the RDPdoor malware as auxiliary means of conducting theft of funds directly via the computers of banking clients. Its control panel was created by Germes himself, and it is shown below:</p>
<p><img src="http://www.group-ib.com/images/news/scrn2.jpg" width="600" height="290" alt="scrn2" /></p>
<p>Germes called upon a lot of people to work on this botnet, which became similar to running an affiliate program. During its existence, the criminal group’s membership comprised as many as 25 people, not including those cashing the stolen funds. The participants constantly changed.</p>
<p>The perpetrators were the first to use the version of Carberp with a bootkit, which made this malware practically immune to anti-virus tools. In May 2012, a test server running this version of Carberp had 1.2 million computers connected to it.</p>
<p>In 2012, to increase the number of infected computers, the perpetrators switched from BlackHole exploits to Nuclear Pack. Whereas in October 2011 the botnet’s main control server had approximately 700,000 infected computers, this number doubled in less than two months, and in May 2012 stood at 6 million. At the same time, the number of active infected computers was approximately 70,000.</p>
<p><img src="http://www.group-ib.com/images/news/scrn3.jpg" width="600" height="436" alt="scrn3" /></p>
<p>Group-IB experts estimate that these cybercriminals have made over 150 million rubles (approximately $4.5 million), but the actual amount of stolen funds may be tenfold. The victims were clients of both Russian and foreign banks. To facilitate interaction with various types of international financial systems, the perpetrators used different botnet control servers.</p>
<p>“As this criminal group grew, its organizer began to carry out coordination functions, greatly complicating the process of gathering evidence against him,” said Ilya Sachkov, CEO of Group-IB. “Group-IB took part in investigative actions against this group, and conducted forensics of computers of the affected individuals and companies.”</p>
<p align="center" style="text-align: center;"><strong><i>About Group-IB</i></strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, the CERT-GIB computer emergency response team operates around the clock. Group-IB is part of LETA Group.</p>
<p>For additional information contact Irina Zubareva, Group-IB’s PR Manager, at +7 (910) 468-58-72, or <a href="mailto:zubareva@group-ib.ru">zubareva@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/636-one-of-the-largest-banking-botnets-has-been-disabled</guid> 
                <pubDate>Mon, 25 Jun 2012 07:57:37 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB is entering the Ukrainian market]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/634-group-ip-is-entering-the-ukrainian-market</link>
                <description><![CDATA[<h1 style="text-align: center;">Group-IB is entering the Ukrainian market</h1>
<p align="center" style="text-align: center;">June 13, 2012</p>
<p>MOSCOW — Group-IB is announcing a partnership agreement with the Ukrainian company UALinux. Now, for the first time, Ukraine will have access to the full range of commercial services for IT security incident and cybercrime investigation.</p>
<p>As per the agreement, UALinux has become a partner, officially offering the Ukrainian market the full range of services provided by Group-IB, including cybercrime investigation, computer forensics, and legal support. Additionally, both companies have agreed to participate in joint counter-cybercrime projects. Particularly, this means a joint effort in detecting, preventing, and investigating IT security incidents.</p>
<p>“This agreement was the first of its kind in the history of Group-IB. Prior to this, we never had resellers abroad,” noted Ilya Sachkov, CEO of Group-IB. “We are actively developing our partnerships in Russia, but at the same time we are seeing increased demand for services related to cybercrime investigation on the markets of our neighboring countries. This is why we are pleased to befriend Ukraine’s UALinux, and together we will implement extensive projects in that country.”</p>
<p>“Our company possesses vast experience in working with the Ukrainian law enforcement and security agencies,” said Vladimir Popov, Acting Director of UALinux. “So it is not surprising we became the first company on the Ukrainian market in this segment. Sharing of information, development of counter-cybercrime techniques, and conducting joint actions with Group-IB is all aimed at reducing the level of criminal activity in Ukraine.”</p>
<p align="center" style="text-align: center;"><strong><i>About Group-IB</i></strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, the CERT-GIB computer emergency response team operates around the clock. Group-IB is part of LETA Group.</p>
<p align="center" style="text-align: center;"><strong><i>About UALinux</i></strong></p>
<p>A young but rapidly growing company, UALinux was founded in 2009, and today is one of the leading service providers in developing and implementing licensed GNU/Linux-based software in Ukraine. UALinux is actively involved in developing and promoting freeware for both the public sector and learning institutions, participates in the development of the cyber-security concept for Ukraine, and works on specialized GNU/Linux-based software for the law enforcement agencies.</p>
<p>For additional information contact Irina Zubareva, Group-IB’s PR Manager, at +7 (495) 661-5538 ext. 303, <a href="mailto:zubareva@group-ib.ru">zubareva@group-ib.ru</a>, or Vladimir Popov, UALinux’s Acting Director, at +38 (094) 995-4425, <a href="mailto:vpopov@ualinux.com">vpopov@ualinux.com</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/634-group-ip-is-entering-the-ukrainian-market</guid> 
                <pubDate>Wed, 13 Jun 2012 07:13:18 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB aided Russian law enforcement agents in arresting yet another cybercriminal group]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/633-group-ib-aided-russian-law-enforcement-agents-in-arresting-yet-another-cybercriminal-group</link>
                <description><![CDATA[<h1>Group-IB aided Russian law enforcement agents in arresting yet another cybercriminal group</h1>
<p style="text-align: center;"><span style="color: #0f0f0f; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; text-align: -webkit-center;">June 05, 2012</span></p>
<p>Group-IB has announced it assisted Russian law enforcement agents with an investigation, ultimately resulting in the apprehension of yet another prominent cybercriminal group. The Hodprot group had been active for over four years, engaged in theft of funds from online banking systems via the use of banking malware. The group's activity yielded damages of over 125 million rubles (approximately $3.7 million) for the online banking users.</p>
<p>The arrest of the six members of the Hodprot group was carried out by the Office of Economic Security and Counter-Corruption of the MVD in Moscow. This operation was part of the investigation instituted on the facts of theft of funds via the Sberbank online banking system.</p>
<p>The Hodprot group had been operating since 2009, specializing in stealing money from corporate bank accounts. In the beginning, the criminals were using the Hodprot malware, switching to Carberp, another banking malware, in 2011.</p>
<p>This group was directly involved in four cases targeting Sberbank clients, with damages totaling more than 13 million rubles (approximately $500,000), along with numerous instances of theft from the accounts of other banks, totaling over 110 million rubles (approximately $3.3 million).</p>
<p>"This is the second Carberp group neutralized by Russian law enforcement agents with our active involvement within the past three months," said Ilya Sachkov, CEO of Group-IB. "In this particular case, we provided special expertise and assistance in identifying the criminals, and establishing their roles and relationships within the cybercriminal group. Subsequent investigation by our forensics lab confirmed the involvement of these criminals in the specific cases of theft of funds."</p>
<p>Despite the geographically distributed use of the command and control servers in Holland, Germany, France, and the United States, all group members have been arrested and the group is neutralized. The arrest procedure was carried out simultaneously in several regions of Russia with the direct participation of the experts from Group-IB's forensic lab.</p>
<p>"Thanks to the organized interaction with Group-IB, we have put a stop to these illicit activities. In particular, those related to the theft of funds from the Bank of Moscow and funds from other commercial online banking systems," said Mikhail Kamordin, Deputy Director of the Security Bank of Moscow. "Together, we have managed to clamp down on a dangerous and mobile group of criminals employing the most technologically sophisticated methods of theft."</p>
<p>Group-IB would like to express its special appreciation to the Moscow branch of Sberbank for their funding, information sharing, and assistance while working with the law enforcement agencies. Thanks also to the ESET Centre of Viral Studies, who assisted us in analyzing the malware used by this group.</p>
<p>The Hodprot group members are currently being prosecuted by the Investigation Department of the MVD and are facing charges under Articles 159 (fraud), 273 (creation, dissemination, and use of malicious software), and 272 (unauthorized access to computer information) of the Russian Criminal Code.</p>
<p>The grounds for criminal prosecution and apprehension were established through the verification conducted by the Office of Economic Security and Counter-Corruption of the MVD at the request of Sberbank, together with the expert analysis and research prepared by Group-IB and the Office of Security of Sberbank in Moscow, in cooperation with the Department of Information Security of Sberbank of Russia.</p>
<p>The official press release of the Russian Ministry of the Interior (MVD) regarding this case is available at <a href="http://www.mvd.ru/news/show_106992/" target="_blank">http://www.mvd.ru/news/show_106992/</a> and <a href="http://uebmoscow.ru/1338791106" target="_blank">http://uebmoscow.ru/1338791106</a>.</p>
<p><strong>About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng" target="_blank">LETA Group</a>.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or&nbsp;<a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/633-group-ib-aided-russian-law-enforcement-agents-in-arresting-yet-another-cybercriminal-group</guid> 
                <pubDate>Tue, 05 Jun 2012 10:28:52 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Mapping Cybercrime by Country]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/632-mapping-cybercrime-by-country</link>
                <description><![CDATA[<h1>Mapping Cybercrime by Country</h1>
<p>All cybercrime is hosted and served from somewhere. A simple enough truism and yet little research, or even initiatives, emerge from this area. A new interactive web-based tool aims to provide deeper insights into this domain in search of solutions to a global problem.</p>
<p>How much cybercrime is served by the hosting providers registered to, or routing through, an individual country? An interesting question that can now begin to be quantifiably answered thanks to a collaborative association between HostExploit, Russian <a href="http://group-ib.com/">Group-IB</a> and <a href="http://www.csis.dk/" target="_blank">CSIS</a> in Denmark. The <a href="http://globalsecuritymap.com/">Global Security Map</a> displays global hot spots for cybercriminal activities based on geographic location. It was first presented at the <a href="http://www.antiphishing.org/" target="_blank">Anti-Phishing Working Group (APWG)</a> meeting <a href="http://apwg.org/events/2012_cecos.html" target="_blank">in Prague on April 25</a> by leading community researcher Jart Armin, editor of HostExploit, and is now on general release along with the accompanying Global Security Report.</p>
<p><strong>Download the </strong><a href="http://hostexploit.com/downloads/viewdownload/7-public-reports/39-global-security-report-april-2012.html" target="_blank"><b>English report (PDF) here</b></a><strong>.</strong></p>
<p>The <a href="http://globalsecuritymap.com/" target="_blank">Global Security Map</a> is the outcome of extensive research on Autonomous Systems (ASNs) – servers, ISPs, and networks routed publicly via their respective IP (Internet Protocol) addresses. It has been the long-held vision of HostExploit, heading a group of respected independent community researchers, to provide a tool to aid hosts, registrars, Internet Service Providers (ISPs), researchers, law enforcement, academics and other parties interested in tracking Internet security-related issues worldwide.</p>
<p>HostExploit established a method of rating levels of malicious activity on all ASes worldwide (currently 40,909), known as the HE Index, which is used to compile data for its widely respected quarterly reports. The statistics used for the <a href="http://hostexploit.com/downloads/viewdownload/7/36.html" target="_blank">‘Top 50 Bad Hosts &amp; Networks’</a> reports and tables are applied now to countries as a whole (based on registration information and routing locations) to create a ranking order by level of malicious activity (1,000 = highest).</p>
<p>At the time of the report, Lithuania ranks at #1 with the highest levels of malicious activities in the world while Finland at #219 has the cleanest servers and networks.</p>
<p>With this information in place, the next step is to consider realistic mitigation methods or plans that can help reduce levels of malicious activity.</p>
<p>So, what makes the difference between the country identified as the “worst”, #1 Lithuania, and the “best”, #219 Finland? Some positive solutions were identified in a recent <a href="http://www.net-security.org/article.php?id=1703&amp;p=1" target="_blank">Net-Security article</a> by reporter Mirko Zorz who interviewed Security Manager of TeliaSonera’s CSIRT in Finland, Arttu Lehmuskallio. TeliaSonera’s mindset of zero tolerance towards abuses is a good example of how being proactive against cybercrime reaps returns both morally and economically.</p>
<p>The <a href="http://globalsecuritymap.com/" target="_blank">Global Security Map</a> is in a rapid stage of development and at the start of a long-term research cycle. Work is well under way on further enhancements to the tool, which will enable users to drill down seamlessly from world level, to region, to country, to internet exchanges, to ASes and ISPs, and finally to IPs, domains and URLs. We believe this to be a unique tool for its combination of detail and high-level visualization and will appeal to a wide cross-section of users.</p>
<p>When calculating levels of ‘badness’ at country level, the accuracy of identifying the countries serving specific activity is of course critical. One of the reasons that there has been a lack of research into the geographic distribution of cybercrime is that it is difficult to accurately determine where anything is physically hosted on the internet, let alone where everything is.</p>
<p>This should <strong><i>not</i></strong> be a deterrent to research. Rather, it should encourage more research, as inconsistencies found in data, when publicly released, will put pressure on the relevant internet authorities to enable better methods of quantification. If no one attempts to quantify to begin with, nothing will change. It should be noted too, that the <a href="http://globalsecuritymap.com/" target="_blank">Global Security Map</a>, its related resources and data are not intended as a declaration that any government or country is actively involved in, or a supporter of, cybercriminal activities.</p>
<p>To find out more, download the report (also available in Russian), visit the Global Security Map website and sign up to the mailing list to keep in the loop.</p>
<p><strong style="padding: 0px; margin: 0px;">About HostExploit&nbsp;</strong></p>
<p>HostExploit provides open source intelligence on cyber security issues and cybercriminal operations. In providing analysis of all the public Internet servers worldwide the quarterly Top Bad Hosts reports and daily SiteVet updates aim to maximize the awareness for hosts, registrars, governmental and cyber security researchers.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is Russia and the CIS’s (Commonwealth of Independent States) leading computer security company, specializing in the investigation of computer crime, information security breaches, and computer forensics.</p>
<p>On the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. CERT-GIB provides the client with comprehensive support in minimizing informational risks, consisting of technical, organizational, and legal advice.</p>
<p><strong style="padding: 0px; margin: 0px;">Contact</strong></p>
<p><a href="mailto:bryn@hostexploit.com" style="color: #0055cc; padding: 0px; margin: 0px;">Bryn Thompson</a></p>
<p><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">Bogdan Vovchenko</a></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/632-mapping-cybercrime-by-country</guid> 
                <pubDate>Sat, 12 May 2012 07:26:17 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB Launches Social Pentest, its newest service]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/631-group-ib-launches-social-pentest-its-newest-service</link>
                <description><![CDATA[<h1>Group-IB Launches Social Pentest, its newest service</h1>
<p align="center" style="text-align: center;">May 2, 2012</p>
<p>MOSCOW — Group-IB, the leader of the Russian cybercrime investigation market, is launching an exclusive service called Social Pentest. As opposed to the traditional penetration testing, this service allows you to informally assess the protection status of your corporate IT infrastructure, as well as the conscientiousness of your employees in unorthodox ways.</p>
<p>Social Pentest is a set of events closely approximating life situations. It was developed using the data obtained by Group-IB specialists during incident investigation, and in many ways mirrors the actions taken by actual intruders in obtaining various information. This new service helps business owners understand how well the company is protected against real threats.</p>
<p>The test takes 30 calendar days to conduct, and the actions are not limited to using software. At the core of Social Pentest are people, including experienced psychologists and professional investigators and actors. An exclusive scenario is developed for each company, taking into consideration its business field, as well as location, staff, business features, and much more. In the end, a 170-point scenario is developed in preparation for the test. Professional actors and specialized equipment are selected. The scenario is developed with the help of psychologists and intelligence specialists, and contains several strategic branches depending on the reactions of the subjects to the first event.</p>
<p>“Our test has been in development for several years,” says Ilya Sachkov, Group-IB’s CEO. “Reconnaissance veterans from Russia and the countries of the former Soviet Union, as well as consultants from the United States and Israel all had a hand in its creation, making this the best test of its kind in Russia at the moment. It takes into account Russian specifics, as well as the experience of our foreign colleagues.”</p>
<p>For more information regarding this service, please visit the promotional website <a href="http://pentester.ru/" target="_blank">http://pentester.ru/</a>.</p>
<p align="center" style="text-align: center;"><i>About Group-IB</i></p>
<p>Founded in 2003, Group-IB is an international company, the leader of the Russian cybercrime investigation market. Group-IB provides comprehensive cybercrime investigation services, from rapid incident response to post-incidental consulting. As part of the company, a computer forensics and malware research lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, the CERT-GIB computer emergency response team operates around the clock. Group-IB is part of LETA Group.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-5538 ext. 151, or <a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/631-group-ib-launches-social-pentest-its-newest-service</guid> 
                <pubDate>Wed, 02 May 2012 08:36:01 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Leading Russian Security Firm Group-IB Releases 2011 Report on Russian Cybercrime]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/630-russian-speaking-cybercriminals-earned-45-billion-in-2011-researchers-estimate</link>
                <description><![CDATA[<p align="center" style="text-align: center;"><b>LEADING RUSSIAN SECURITY FIRM GROUP-IB RELEASES 2011 REPORT ON RUSSIAN CYBERCRIME</b></p>
<p align="center" style="text-align: center;"><b>Russian Mafia Organizes Russian Cybercrime Market, Doubles in Size</b></p>
<p>MOSCOW – April 24, 2012 – Group-IB, a leading Russian cybercrime investigation and computer forensics company and LETA Group subsidiary, today announced a 28-page report on the Russian cybercrime market in 2011. Analysts from Group-IB’s computer forensics lab and its CERT-GIB unit prepared the report.</p>
<p>The report outlines the main risks associated with various types of hacker activities, analyzes the main trends in the development of the Russian cybercrime market, estimates the shares and the financial performance of the Russian segment of the global cybercrime market, and forecasts market trends for this year.</p>
<p>A summary infographic is available at <a href="http://group-ib.com/images/media/Group-IB_Cybercrime_Inforgraph_ENG.jpg" target="_blank">http://group-ib.com/images/media/Group-IB_Cybercrime_Inforgraph_ENG.jpg</a> and the report itself is available at <a href="http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf" target="_blank">http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf</a>.</p>
<p><b>Key Trends in 2011:</b></p>
<ul class="sp1">
    <li><b>Russian Cybercrime Doubles:</b> The global cybercrime market was more than $12.5 billion in 2011. The global Russian-speaking component of that market was more than $4 billion; and the Russian national cybercrime market was $2.3 billion, essentially doubling last year’s number of $1.2 billion.</li>
    <li><b>Mafia Professionalizes Russian Cybercrime: </b>Traditional crime syndicates are beginning to organize the previously disorganized Russian cybercrime market. In addition, these crime syndicates are beginning to work more closely together, sharing compromised data, botnets, and cashing schemes.</li>
    <li><b>Online Fraud and Spam Account for More than Half of Russian Cybercrime:</b> In 2011, the largest type of Russian cybercrime was online fraud at $942 million; followed by spam at $830 million; cybercrime to cybercrime, or C2C (including services for anonymization and sale of traffic, exploits, malware, and loaders) at $230 million; and DDoS at $130 million.</li>
    <li><b>Criminal profiles: </b>In its report, Group-IB specialists and CERT-GIB analysts profile details of 5 cyber criminals caught in 2011: Vladislav Khorokhorin, Oleg Nikolayenko, Yevgeniy Anikin, Maksim Glotov, Andrey Sabelikov.</li>
</ul>
<p>Group-IB suggests that Russian laws are critical in getting traction against the global Russian Cybercrime market. Although Group-IB feels there has been progress with recent laws introduced by Russian President Dmitriy Medvedev and enacted by the Russian State Duma, these laws do not yet go far enough.</p>
<p><b>Steps For Reducing Russian Cybercrime:</b></p>
<p>The report recommends steps that will significantly improve the number of solved computer crimes, change the existing law enforcement practices, and establish proper international cooperation in this field. These recommendations include:</p>
<ul class="sp1">
    <li><b>Clarify language of new laws:</b> Amend the law with an additional conceptual apparatus related to issues of information security and information technologies. For example, the term “botnet” needs to be introduced, perhaps under a different name, since the botnet remains and will remain for the foreseeable future the main tool for committing the majority of cybercrimes. In addition, change the term “computer information” in the existing law, which does not fully reflect the nature of computer information, leading to possible incorrect interpretations of this term.</li>
    <li><b>Increase penalties:</b> Make the penalties for crimes committed using computer technologies more severe.</li>
    <li><b>Update, amend and augment criminal procedures:</b> Create more effective criminal procedures around gathering “digital evidence”, such as describing the procedures and actions related to procuring, securing, and investigating it; and create a separate definition for the crime scene of a cybercrime and establish a specific place of investigation of such crimes.</li>
    <li><b>Improve Law Enforcement:</b> Organize federal and regional training programs for the judicial, prosecutorial, investigative, and law enforcement agencies, including seminars regarding the issues of cybercrime investigation.</li>
    <li><b>Improve International Coordination:</b> Develop a document for submission to the UN, establishing the principles of international interaction against cybercrime, while also respecting the sovereignty of the member states, as opposed to the Budapest Convention.</li>
</ul>
<p>“The cybercrime market originating from Russia costs the global economy billions of dollars every year,” said <span style="color: #1a1a1a;">Ilya Sachkov, Group-IB's CEO. “Although the Russian government has taken some very positive steps, we think it needs to go further by changing existing law enforcement practices, establishing proper international cooperation and ultimately improving the number of solved computer crimes.”</span></p>
<p><b>About Group-IB:</b></p>
<p>Founded in 2003, Group-IB is an international company and the leader of the Russian cybercrime investigation market. Group-IB provides comprehensive cybercrime investigation services, from rapid incident response to post-incidental consulting. Group-IB’s computer forensics and malware research lab provides independent computer forensic investigations and works with corporations, as well as Russian law enforcement agencies. Created on the basis of Group-IB, CERT-GIB is the first private emergency response team in Russia operating around the clock. Group-IB is part of LETA Group.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/630-russian-speaking-cybercriminals-earned-45-billion-in-2011-researchers-estimate</guid> 
                <pubDate>Tue, 24 Apr 2012 07:40:32 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[The first joint “DLP + Investigation” solution from InfoWatch and Group-IB]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/629-the-first-joint-dlp--investigation-solution-from-infowatch-and-group-ib</link>
                <description><![CDATA[<h1>The first joint “DLP + Investigation” solution from InfoWatch and Group-IB</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">April 03, 2012</p>
<p>MOSCOW — InfoWatch and Group-IB introduce the first joint comprehensive Data Loss Prevention solution aimed at preventing and mitigating corporate data leakage and ensuring information security incident investigations.</p>
<p>For the first time in Russia, InfoWatch and Group-IB customers are now able to:</p>
<ul class="sp1">
<li>protect information and keep track of all events related to confidential data;</li>
<li>keep copies of transferred documents;</li>
<li>investigate cases of illegitimate use of the archived data generated by the DLP system;</li>
<li>provide legal evidence during court proceedings regarding the incident.</li>
</ul>
<p>The solution is focused on large companies that use DLP or are planning to implement such systems. It is designed to minimize the risks and consequences of incidents by using technical and organizational measures and legal instruments. As a result of the project, the customer receives constant protection from leaks (the DLP system is based on the InfoWatch Traffic Monitor Software) as well as qualified service support during incident investigation, conducting forensic examinations, and detection and prosecution of criminal offenders provided by Group-IB.</p>
<p>“In this information age we are living in, any leakage of confidential data is becoming a serious issue that requires detailed analysis,” says Ilya Sachkov, Group-IB’s CEO. “We are pleased to combine our expertise in the field of cybercrime investigation with the advanced technology of InfoWatch to provide an efficient solution against data theft. This step is completely in line with our strategy of preventing violations by means of legal tools.”</p>
<p>The process of implementing the protective measures is conventionally divided into three stages: Pre-DLP, DLP, and Post-DLP. At the first stage, InfoWatch and Group-IB experts will audit the client’s information security system and develop a guideline package for working with information. The restricted data is detected and categorized semi-automatically by the InfoWatch Autolinguist module. The client company enacts the “Commercial Classified Information” policy (or conducts an internal audit of its current “Commercial Classified Information” policy), allowing further protection of the company’s interests, pursuing offenders, and bringing them to justice.</p>
<p>The second stage involves the introduction and extensive use of technical means of protection, such as a data leak prevention (DLP) system and intrusion detection and prevention systems (IDS/IPS) against external intrusions. The practical result of the second stage is an automated system for monitoring the information circulating within the company. Data on all misconduct, including violations of security policies and evidence of leaks and intrusions, is aggregated into a single repository called the InfoWatch Forensic Storage.</p>
<p>The third stage includes activities aimed at identifying violations, remediating the incident, and bringing those responsible to justice. A legally significant evidence base is generated by Group-IB’s computer forensics specialists from the information collected in the repository. This information is subsequently used both for investigating the incident and as part of litigation.</p>
<p>“Until recently, DLP was talked about as a software product to protect against leaks. We suggest revising this approach while presenting a unique market solution to protect both the information and the interests of the information’s owners. As part of a joint solution, InfoWatch and Group-IB have organically combined the advantages of a better product for the prevention of data leakage and improved expertise in the field of cybercrime investigation,” said Natalya Kaspersky, CEO of InfoWatch.</p>
<p><strong style="padding: 0px; margin: 0px;">About InfoWatch</strong></p>
<p>InfoWatch combines several organizations working in the field of information security, protection of corporate information, and linguistic analysis: InfoWatch, Kribrum, and EgoSecure.</p>
<p>The product portfolio includes the SC InfoWatch solutions for large corporate customers (InfoWatch Traffic Monitor Enterprise with encryption technology, the flagship product to protect against leaks, and InfoWatch KRIBRUM, a cloud monitoring service for statements made online), as well as solutions for small and medium-sized businesses (InfoWatch Traffic Monitor Standard for data leakage protection, and InfoWatch EgoSecure, the system for protecting workstations).</p>
<p>JSC InfoWatch, the parent company, was founded by Kaspersky Lab in 2003. Today, InfoWatch is the leading Russian developer of integrated solutions for protecting corporate data on the basis of its own linguistic analysis technology, holding about 50% of the DLP market and actively entering the international markets of Europe, the Middle East, and Asia. The company is headquartered in Moscow, with over 100 specialists and experts in the design, implementation, integration, sales, and promotion of its products and technologies.</p>
<p>EgoSecure develops solutions to ensure operational safety of sensitive data in corporate networks, as well as data protection while using external storage media. The company’s flagship product allows you to control access to external devices of any type, to filter by file type, securely delete files, and automatically encrypt all data on external and internal carriers.</p>
<p>In 2010, InfoWatch and Ashmanov &amp; Partners founded Kribrum. Its key development is KRIBRUM, a system for monitoring and analyzing social media for online reputation management.</p>
<p>InfoWatch has extensive expertise and experience in implementing projects of any complexity in the sectors of finance, telecommunications, energy, and the public sector. Among the customers of InfoWatch are banking institutions of the Russian Federation (Vneshtorgbank, Bank of Moscow, Bank Vozrozhdenie, CJSC Raiffeisenbank, AKB RosEvroBank), the nation’s largest mobile operators, the Ministry of Emergency Situations of the Russian Federation, the Federal Customs Service of Russia, OJSC AK Transneft, OJSC Sukhoi Company, Gazprom VNIIGAZ, JSC RusEnergoResurs Holding, JSC RusHydro, and more than 150 other major companies in different industries.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first and only non-governmental organization in Russia and the former Soviet Union providing comprehensive consulting services in the field of information security and incident investigations. On the basis of Group-IB, CERT-GIB operates around the clock as Russia’s first private computer emergency response team. Its mission is to collect data about incidents and coordinate response activities in order to reduce financial and reputational damage.</p>
<p><em style="padding: 0px; margin: 0px;">For additional info:</em>&nbsp;<br style="padding: 0px; margin: 0px;" />Sergey Hairuk<br style="padding: 0px; margin: 0px;" />+7 (926)-566-55-46<br style="padding: 0px; margin: 0px;" /><a href="mailto:pr@infowatch.com" style="color: #0055cc; padding: 0px; margin: 0px;">pr@infowatch.com</a><br style="padding: 0px; margin: 0px;" />Bogdan Vovchenko<br style="padding: 0px; margin: 0px;" />+7 (916)-570-89-39<br style="padding: 0px; margin: 0px;" /><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/629-the-first-joint-dlp--investigation-solution-from-infowatch-and-group-ib</guid> 
                <pubDate>Tue, 03 Apr 2012 10:49:54 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Members of the largest criminal group engaged in online banking fraud are detained]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/627-members-of-the-largest-criminal-group-engaged-in-online-banking-fraud-are-detained</link>
                <description><![CDATA[<h1>Members of the largest criminal group engaged in online banking fraud are detained</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">March 20, 2012</p>
<p>MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing the results of its joint investigation with the Federal Security Service (FSB) and the Ministry of the Interior (MVD) of Russia, culminating in the suppression of the criminal activities carried out for the past two years by a group engaged in online banking fraud. Clients of over a hundred banking institutions worldwide suffered losses due to the activities of these criminals, who, in the last quarter alone, managed to steal over 130 million rubles.</p>
<p>For the first time in international practice it was possible to establish the entire criminal chain, including the head of this group and owner of a botnet, those conducting fraudulent transactions, and those directly involved in cashing the stolen funds. In all, a total of eight individuals comprised the group. It should be noted that in addition to stealing funds from bank accounts, the criminals were also involved in carrying out distributed denial of service (DDoS) attacks.</p>
<p>The criminals hacked websites that accountants actively use in their work, as well as popular news media websites and online stores, and infected them with malware. Having established remote access to a potential victim’s computer and having found online banking credentials on it, the criminals created a fraudulent payment order to transfer funds to a specially prepared account. The stolen funds were then cashed out via bank cards issued to front individuals or legal entities. To give themselves a comfortable working environment, the criminals opened an office that operated under the guise of a data recovery company.</p>
<p>“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialized banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” noted Ilya Sachkov, Group-IB CEO. “The investigations conducted by our Forensics Lab confirmed the use of the Win32/Carberp and Win32/Rdpdor malware by the criminals in order to carry out theft of funds.”</p>
<p>Group-IB experts first encountered the activities of this group in November 2010, and in January 2011 the head of the criminal group was identified. However, a vast amount of effort was devoted to documenting his activities and identifying his accomplices. The investigation was complicated by the fact that the individual was constantly on the move throughout the country, and often was outside the Russian Federation.</p>
<p>The investigation of the botnet and its servers, obtained as a result of interaction with specialized organizations in various countries, including Holland and Canada, helped prevent theft of funds from clients of over a hundred banking institutions worldwide.</p>
<p>Group-IB expresses special gratitude to Sberbank of Russia for their funding of these works and providing necessary information, as well as to the Dutch company FOX-IT for its assistance throughout the many stages of this investigation.</p>
<p>To date, all members of this criminal group have been detained, and a criminal case has been instituted under the articles 158 (larceny), 273 (creation and distribution of malicious software), and 272 (unauthorized access to computer information) of the Criminal Code of the Russian Federation.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or&nbsp;<a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/627-members-of-the-largest-criminal-group-engaged-in-online-banking-fraud-are-detained</guid> 
                <pubDate>Tue, 20 Mar 2012 10:46:18 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB and the Fourth Division of the Ministry of the Interior (MVD) of Russia disrupted copyright infringing activities]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/628-group-ib-and-the-fourth-division-of-the-ministry-of-the-interior-mvd-of-russia-disrupted-copyright-infringing-activities</link>
                <description><![CDATA[<h1>Group-IB and the Fourth Division of the Ministry of the Interior (MVD) of Russia disrupted copyright infringing activities</h1>
<p align="center" style="text-align: center;">March 14, 2012</p>
<p>MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing that it provided assistance at secure facilities to a special MVD unit in suppressing the activities of a criminal group engaged in the unlawful online distribution of unlicensed software. The participation of Group-IB experts will ensure that an evidentiary base is assembled on the basis of the committed acts of unlawful software code modification.</p>
<p>These cybercriminals created ten online resources passed off as official sites of the developer, offering users a download of what was presented as licensed Navitel Navigator software. However, it was established that the program had been modified so that, after downloading, it functioned without a license or certificate. During the year these resources existed, the modified software was downloaded over 38,000 times.</p>
<p>After installing the program, the user had to send a text message to a short code in order to receive the activation code. The cost of this message was 300 rubles, while the cost of the legally sold product is 2,400 rubles. Thus, the rights owner sustained damages in excess of 90 million rubles.</p>
<p>In addition to the fact that the unlicensed software did not function properly, when installed on smartphones it performed malicious functions, such as covertly sending text messages to short codes, resulting in regular unauthorized debiting of funds from users’ accounts.</p>
<p>A criminal case was instituted under Article 146 of the Criminal Code of the Russian Federation (copyright infringement). The members of the criminal group, three residents of Saratov, have been identified and are currently in custody. Computers and software discs seized during the raid were transferred to Group-IB’s Forensics Lab. According to the forensic results, the suspects may not only face prosecution for copyright infringement, but also for crimes committed in the field of computer information.</p>
<p>“Unfortunately, computer criminals are increasingly using popular brands for personal gain,” said Ilya Sachkov, Group-IB’s CEO. “A company with credibility on the market always has consumer confidence, allowing various criminals to offer in the name of this company counterfeit products which not only function improperly, but also carry the risk of infecting the user’s computer with malicious software. The user is attracted by the low price, but financial losses are ultimately sustained not just by the company, but the user as well.”</p>
<p>See the official press release from Russia’s Ministry of the Interior in Moscow at the following link: <a href="http://www.petrovka-38.org/news/8374">http://www.petrovka-38.org/news/8374</a>.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, the CERT-GIB computer emergency response team operates around the clock. Group-IB is part of LETA Group.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-5538 ext. 151, or <a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/628-group-ib-and-the-fourth-division-of-the-ministry-of-the-interior-mvd-of-russia-disrupted-copyright-infringing-activities</guid> 
                <pubDate>Wed, 14 Mar 2012 10:48:21 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Phishers in Custody: Group-IB and Management K Disrupted Activities of Cybercriminals]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/626-phishers-in-custody-group-ib-and-management-k-disrupted-activities-of-cybercriminals</link>
                <description><![CDATA[<h1>Phishers in Custody: Group-IB and Management K Disrupted Activities of Cybercriminals</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">February 24, 2012</p>
<p>MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, has announced its assistance to Management K of the Russian Ministry of the Interior (MVD) in disrupting the activities of a criminal group involved in the theft and sale of confidential information. Thanks to the participation of Group-IB forensic experts, the evidence necessary to begin criminal proceedings was collected.</p>
<p>In November 2011, Management K specialists forwarded software samples to Group-IB’s computer forensics lab for investigation. Cybercriminals had allegedly used this software to gain unauthorized access to email servers, social networks, and other websites.</p>
<p>As a result of the investigation, Group-IB forensic experts established that the software was in fact malicious, and that the criminals used it for phishing attacks. The program redirected users to a fraudulent website similar in appearance to a legitimate one. Information entered on this website was captured by embedded scripts and retained by the criminals, who subsequently sold it or used it for spam.</p>
<p>Based on the investigation conducted by Group-IB, criminal proceedings were initiated under Article 273 of the Criminal Code of the Russian Federation (creation, use, and distribution of malicious software).</p>
<p>The dismantling of the criminal group occurred simultaneously in two cities. The organizers responsible for the development of the unlawful business were apprehended in Moscow, and the group’s technical executive, whose bank accounts contained over 10 million rubles, was apprehended in Almetyevsk. At present, the criminals have been taken into custody.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or&nbsp;<a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/626-phishers-in-custody-group-ib-and-management-k-disrupted-activities-of-cybercriminals</guid> 
                <pubDate>Fri, 24 Feb 2012 10:44:27 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB launches its new service — “Online Banking Client Workstation Protection”]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/625-group-ib-launches-its-new-service--online-banking-client-workstation-protection</link>
                <description><![CDATA[<h1>Group-IB launches its new service — “Online Banking Client Workstation Protection”</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">January 31, 2012</p>
<p>MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing the launch of “Online Banking Client Workstation Protection”, a new service aimed at ensuring the security of computers used to access online banking systems. This service is unique in that it combines technical solutions with around-the-clock monitoring by Group-IB’s situational center.</p>
<p>The “Online Banking Client Workstation Protection” service is a set of technical and organizational measures designed to enhance the level of information security for bank customers who use online banking services. This set of solutions includes around-the-clock auditing of the security level of the client’s workstation by Group-IB’s situational center personnel. Continuous control of the degree of protection allows every information security event to be monitored and analyzed. In case of an incident, the response center immediately notifies the client and provides organizational, technical, and legal support.</p>
<p>“With the number of targeted attacks directed at online banking systems continually growing, security providers face an arduous task of protecting the end user,” says Ilya Sachkov, CEO of Group-IB. “Therefore, we have decided to apply our experience gained investigating cases of online banking fraud and develop our own solution. This service provides not only traditional protection against cyber threats, but also enables the attacked side to provide appropriate counteraction with a timely response. Additionally, our experts will be on hand to ensure comprehensive support.”</p>
<p>Data regarding information security incidents is collected by agent software which transmits the accumulated information to Group-IB’s situational center for further analysis. In addition to the monitoring agent, workstation protection is also achieved by implementing such technological tools as antivirus software, additional authentication systems, trusted boot modules, intrusion prevention systems, firewalls, unauthorized access protection systems, etc.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or&nbsp;<a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/625-group-ib-launches-its-new-service--online-banking-client-workstation-protection</guid> 
                <pubDate>Tue, 31 Jan 2012 10:42:47 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Top 50 Bad Hosts & Networks – 4th Quarter 2011 – published by HostExploit and Group-IB]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/624-top-50-bad-hosts-a-networks-4th-quarter-2011-published-by-hostexploit-and-group-ib</link>
                <description><![CDATA[<h1>Top 50 Bad Hosts &amp; Networks – 4th Quarter 2011 – published by HostExploit and Group-IB</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">January 24, 2012</p>
<p><strong style="padding: 0px; margin: 0px;">HostExploit’s report for Q4 2011 on the ‘Top 50 Bad Hosts and Networks’ focuses on malicious internet activity served from nearly 40,000 public Autonomous Systems worldwide. Featured this quarter is the regular table of Bad Hosts with special reports on the ‘Pocket Botnet’, the Dirt Jumper and Armageddon DDoS botnets, and DeepEndResearch.org.</strong></p>
<p>HostExploit’s (HE) Q4 2011 ‘Top 50 Bad Hosts and Networks’ report, released today, provides a quantitative analysis of all hosts and networks worldwide on the basis that all cybercrime is hosted, served, and transmitted by a host or a network operation. It is co-published with Group-IB, which operates CERT-GIB – the first private computer emergency response team in Russia.</p>
<p>Throughout 2011, internet users faced numerous threats as organizations large and small fell victim to attacks on their systems, leading several commentators to brand 2011 ‘the year of the data breach’. There were some truly shocking revelations about large-scale data breaches, with many questions still outstanding on the ‘who, where and why.’ The year ended as it began, with yet another data breach of epic proportions: more than 75,000 credit card numbers and 850,000 usernames and passwords were stolen from strategic forecaster ‘Stratfor’.</p>
<p>New threats in 2011 included the appearance of the first smartphone infections with botnet-like attributes to bring the reality of a ‘pocket botnet’ ever closer. 2012 will see more of the same as the continuing popularity of the smartphone as the device of choice for accessing the internet ensures that cybercriminals will make it their target in pursuit of financial gain. There is a special feature on this subject in HE’s Q4 2011 report.</p>
<p>Featured too in the report is an overview of the analysis performed on the ‘Dirt Jumper’ DDoS botnet by newly-formed security group&nbsp;<a href="http://www.deependresearch.org/" style="color: #0055cc; padding: 0px; margin: 0px;">DeepEnd Research</a>&nbsp;– a fusion of independent, experienced and highly-respected researchers including founder André M. DiMino with members Mila Parkour, Jart Armin, Yuriy Khvyl, Marnie King, Rosanno Ferraris and Chris Lee.</p>
<p>As a regular feature, the HE Bad Hosts report identifies which hosts have the most malicious activities in terms of delivering botnets, spam, phishing, exploits, viruses, etc., via their servers. Each category has its own clearly reported analysis which, when combined, gives an overview on where internet badness is located.</p>
<p>Highlights from the Q4 2011 report include a new “#1 Bad Host”: Lithuanian (LT)&nbsp;<a href="http://sitevet.com/db/asn/AS47583" style="color: #0055cc; padding: 0px; margin: 0px;">AS47583 Hosting Media</a>&nbsp;supporting some of the worst types of threats including several botnet-related activities such as Zeus as well as C&amp;C servers, exploit servers, phishing servers, malware and badware.</p>
<p>Publicizing information in this fashion helps service providers to gauge their own levels of ‘badness’, to compare their performance against other providers and serves as an alert or early warning about a problem that time-pressured hosting providers may have overlooked.</p>
<p>HE believes it makes sense for hosting providers to be proactive and to engage in self-regulation. After all, it makes no economic sense to gain a bad reputation.</p>
<p>By highlighting the ‘bad’ hosts, who put money before concern for the safety of Internet users, we can raise awareness among webmasters and domain owners. Armed with this information they can make an informed decision about where to host their websites. Hosting providers will thus be provided with an incentive to stay clean in a highly competitive market.</p>
<p><strong style="padding: 0px; margin: 0px;">Note:</strong>&nbsp;Live results can be found at&nbsp;<a href="http://www.sitevet.com/" style="color: #0055cc; padding: 0px; margin: 0px;">www.sitevet.com</a>. The figures contained here were correct at the time of the end of year analysis.</p>
<p>For a full copy of The Q4 Top 50 Bad Hosts &amp; Networks report, please visit:&nbsp;<a href="http://hostexploit.com/downloads/viewdownload/7-public-reports/35-top-50-bad-hosts-a-networks-2011-q4.html" style="color: #0055cc; padding: 0px; margin: 0px;">http://hostexploit.com/downloads/viewdownload/7-public-reports/35-top-50-bad-hosts-a-networks-2011-q4.html</a>.</p>
<p><strong style="padding: 0px; margin: 0px;">About HostExploit&nbsp;</strong></p>
<p>HostExploit provides open source intelligence on cyber security issues and cybercriminal operations. In providing analysis of all the public Internet servers worldwide the quarterly Top Bad Hosts reports and daily SiteVet updates aim to maximize the awareness for hosts, registrars, governmental and cyber security researchers.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group IB&nbsp;</strong></p>
<p>Group-IB is Russia and the CIS’s (Commonwealth of Independent States) leading computer security company, specializing in the investigation of computer crime, information security breaches, and computer forensics.</p>
<p>On the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. CERT-GIB provides the client with comprehensive support in minimizing informational risks, consisting of technical, organizational, and legal advice.</p>
<p><strong style="padding: 0px; margin: 0px;">Contact</strong></p>
<p><a href="mailto:bryn@hostexploit.com" style="color: #0055cc; padding: 0px; margin: 0px;">Bryn Thompson</a></p>
<p><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">Bogdan Vovchenko</a></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/624-top-50-bad-hosts-a-networks-4th-quarter-2011-published-by-hostexploit-and-group-ib</guid> 
                <pubDate>Tue, 24 Jan 2012 10:39:46 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB will help combat cybercrime within .RU and .РФ domain names]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/623-group-ib-will-help-combat-cybercrime-within-ru-and-rf-domain-names</link>
                <description><![CDATA[<h1>Group-IB will help combat cybercrime within .RU and .РФ domain names</h1>
<p>MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, and the Coordination Center for TLD RU are announcing the signing of an Agreement to combat cyber threats within the .RU and .РФ domain names.</p>
<p>Under this agreement, Group-IB will monitor for phishing attacks, unauthorized data access, and malware proliferation emanating from domains within the .RU and .РФ zones. Whenever these violations are detected, Group-IB will analyze the data and transfer it to the registrars, who, in turn, will be able to remove the offending domain names from delegation, under the guidance of the new regulations for registering .RU and .РФ domain names. It should be noted that the incoming registrar notification will be advisory in nature.</p>
<p>This new agreement ensures the Russian segment of the Internet will become safer, because Group-IB will assist the registrars in responding more promptly to possible violations by the domain name owners.</p>
<p>“Our experts possess impressive experience in around the clock detection of malicious resources, allowing the registrars to receive the necessary information quickly,” comments Ilya Sachkov, CEO of Group-IB. “This new partnership enables us to combat cyber threats occurring on the Russian segment of the Internet on a completely new level, helping to protect Russian Internet users against the actions of cybercriminals.”</p>
<p>“The capabilities and the technologies of Group-IB available for the detection of cyber threats will increase the level of security of the national domain zones in Russia. The methods used to achieve these results include a comprehensive set of tools for analyzing various facts and signals in order to determine the severity of the threat and implement effective countermeasures,” says Andrei Kolesnikov, Director of the Coordination Center. “Our common goal is to make the Internet cleaner and safer, and the joint agreement with Group-IB will help us attain it.”</p>
<p>Earlier, the Coordination Center entered into a similar agreement with the Friendly Runet Foundation, a division of the Safe Internet League.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, CERT-GIB operates as the first private computer emergency response team in Russia. Group-IB is part of LETA Group.</p>
<p><strong style="padding: 0px; margin: 0px;">About the Coordination Center</strong></p>
<p>The Coordination Center for TLD RU (CC for TLD RU) is the administrator of national top level domains .RU and .РФ (national registry). CC for TLD RU’s principal task is to ensure resilient and stable functioning of the domain name registration system and DNS infrastructure of the Russian segment of the Internet.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-55-38, or&nbsp;<a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a>; or Olga Aleksandrova-Myasina, CC for TLD RU’s Chief Information Officer, at +7 (499) 254-88-94, or&nbsp;<a href="mailto:oa@cctld.ru" style="color: #0055cc; padding: 0px; margin: 0px;">oa@cctld.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/623-group-ib-will-help-combat-cybercrime-within-ru-and-rf-domain-names</guid> 
                <pubDate>Tue, 27 Dec 2011 10:37:37 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Ariadne’s Thread: Group-IB presents its first automated universal deobfuscator]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/622-ariadnes-thread-group-ib-presents-its-first-automated-universal-deobfuscator</link>
                <description><![CDATA[<h1>Ariadne’s Thread: Group-IB presents its first automated universal deobfuscator</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">December 16, 2011</p>
<p>MOSCOW - Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing the release of&nbsp;<em style="padding: 0px; margin: 0px;"><a href="http://www.ariadne.group-ib.ru/" style="color: #0055cc; padding: 0px; margin: 0px;">Ariadne</a></em>, a unique deobfuscator. This tool is unprecedented, allowing reverse-engineering experts to quickly and effectively investigate software algorithms that have been protected against analysis.</p>
<p>Ariadne is a versatile set of tools, a framework that contributes to significant time saving during investigations of the operating principles of various software. By using Ariadne, one can read and modify executable files, translate their machine code into symbolic notation, and even convert parts of the code into an intermediate representation, convenient for analysis. The new framework is very simple to use, and can be easily integrated into other products. For instance, a plugin for IDA, a popular disassembler, is already available.</p>
<p>However, the main feature of Ariadne is its set of proprietary optimization algorithms, which can greatly simplify code that has been protected by obfuscation. AIR Wave Deobfuscation Technology, a unique technology that does not rely on structural code templates, flushes out the useless instructions and variables that a program’s authors insert to obfuscate its source code. This ensures a high level of deobfuscation without requiring prohibitive computational resources; the code-unraveling technology was developed specifically for practical use on varied PC configurations.</p>
<p>Thus, the Ariadne framework incorporates several tools, enabling reverse-engineering professionals to rapidly analyze operational algorithms of the programs being investigated. Ariadne can also be used in creating new software solutions or software protections.</p>
<p>«Until today, the market lacked a widely available universal deobfuscator,» says Ilya Sachkov, CEO of Group-IB. «The Ariadne framework was created as an advanced software to be used for research in computer forensics. This is the first phase of our innovations of forensic software. I hope that Ariadne will indeed be that thread, which leads Group-IB’s other software and hardware solutions onto the market.»</p>
<p>«During our ongoing research of the functionalities of malware, we are constantly confronted with the fact that the virus writers use a variety of methods to protect the code against analysis,» notes Alexander Matrosov, Director of ESET’s Center for Virus Research and Analytics. «Therefore, one used to be forced to apply an individualized approach in every case, or resort to developing new internal tools. With the advent of Ariadne, the code deobfuscation issues can be resolved more efficiently, and the framework can easily be integrated with the internal infrastructures of forensic and antivirus laboratories.»</p>
<p>To receive more information about this product and to see examples of its deobfuscation capabilities, please visit Ariadne’s official site at&nbsp;<a href="http://www.ariadne.group-ib.ru/" style="color: #0055cc; padding: 0px; margin: 0px;">ariadne.group-ib.ru</a>.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the CIS working professionally and comprehensively in cybercrime investigation. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of LETA Group.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-55-38, or&nbsp;<a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/622-ariadnes-thread-group-ib-presents-its-first-automated-universal-deobfuscator</guid> 
                <pubDate>Fri, 16 Dec 2011 10:25:59 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Andrey Komarov is named the head of Group-IB’s Audit and consulting department]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/621-andrey-komarov-is-named-the-head-of-group-ibs-audit-and-consulting-department</link>
                <description><![CDATA[<h1>Andrey Komarov is named the head of Group-IB’s Audit and consulting department</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">November 14, 2011</p>
<p>MOSCOW - Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing the naming of Andrey Komarov as the head of Group-IB’s Audit and Consulting department.</p>
<p>Andrey Komarov, who previously served as technical director of the Stankoinformzaschita Research and Development Center, will create and implement Group-IB’s auditing and consulting plans in the field of IT security services. This step is intended to strengthen Group-IB’s ability to provide a complete range of cybercrime investigation services. The specialists working in this department conduct comprehensive auditing, studying the level of security and performing penetration testing, in addition to developing and implementing various IT security solutions.</p>
<p>«Andrey has significant experience, going from a junior vulnerabilities analyst to an IT security solutions development and integration task manager,» noted Ilya Sachkov, Group-IB’s CEO. «Not only is he well-versed in IT security technologies, he is also a productive manager who knows the industry and the needs of our clients. His appointment as the head of our Audit and Consulting department adds energy to the growth in this area, elevating this department’s quality of services.»</p>
<p>During his time with Stankoinformzaschita, Mr. Komarov was in charge of the R&amp;D’s technical division, responsible for the development and certification of IT security solutions. Prior to that, Andrey worked at the research institutes of Russia’s Federal Service for Technology and Export Control (FSTEC), and the business units of Russia’s Ministry of Industry and Trade.</p>
<p>Mr. Komarov is the author of more than thirty publications in peer-reviewed periodicals, such as Inside: Information Protection, Information Security, Hacker, ITSpec, Open Systems, and Hakin9. Representing Russia, he is currently involved in developing the Penetration Testing Execution Standard (PTES).</p>
<p><b style="padding: 0px; margin: 0px;">About Group-IB</b></p>
<p>Group-IB is the first company in Russia and the CIS working professionally and comprehensively in cybercrime investigation. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of LETA Group.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-55-38, or&nbsp;<a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/621-andrey-komarov-is-named-the-head-of-group-ibs-audit-and-consulting-department</guid> 
                <pubDate>Mon, 14 Nov 2011 10:22:55 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB is the Main Sponsor of Antifraud Russia 2011]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/620-group-ib-is-the-main-sponsor-of-antifraud-russia-2011</link>
                <description><![CDATA[<h1>Group-IB is the Main Sponsor of Antifraud Russia 2011</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">November 9, 2011</p>
<p>Moscow - Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing it has become the main sponsor of the second international conference entitled «Antifraud Russia: Prevention and Counteraction».</p>
<p>The conference will take place in Moscow on November 30, 2011. Organizing the event are the Academy of Informational Systems (AIS), and the Chamber of Commerce and Industry of the Russian Federation (CCIRF). This is the second consecutive year Group-IB has been the main sponsor of the event. One of Group-IB’s key services is comprehensive investigation of IT fraud.</p>
<p>At the conference, representatives from various departments of the government, law enforcement agencies, industry associations, and businesses will discuss the legal, organizational, and technical aspects of combatting cybercrime. The participants will consider the issues of effective interaction during cybercrime investigation, and share practical counter-cybercrime experience. Independent experts in the field of IT security incident investigation and anti-fraud counteraction will describe their vision of the situation and means of solving the questions.</p>
<p>This conference is intended for information and economic security managers, internal control and audit services, risk management specialists, and department heads responsible for the development of online business.</p>
<p>«Each year the number of targeted attacks on the financial sector by organized cybercriminal groups in Russia is increasing. For example, in the last year the volume of online banking theft has risen to 200%,» said Ilya Sachkov, Group-IB’s CEO. «Because of this, it is imperative to conduct events aimed at joining the effort for more effective counter-cybercrime activities. That is why, for the second consecutive year, we are happily supporting the initiative of the Antifraud Russia conference organizers in order to develop practical measures to prevent and investigate IT security incidents and online fraud.»</p>
<p>«The effectiveness of counter-cybercrime measures depends not only on the implementation of modern IT security technologies, but most importantly on the knowledgeable methodical training of the personnel facing these threats,» noted Yuriy Malinin, president of the AIS. «We conduct regular conferences and seminars in order to develop new training programs addressing the technical, organizational, and legal aspects of combatting fraud and hacker attacks.»</p>
<p>For more information about the conference and the participation requirements, or to register, please visit&nbsp;<a href="http://www.antifraudrussia.ru/" style="color: #0055cc; padding: 0px; margin: 0px;">www.antifraudrussia.ru</a>.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. On the basis of Group-IB,&nbsp;<a href="http://www.cert-gib.com/" style="color: #0055cc; padding: 0px; margin: 0px;">CERT-GIB</a>&nbsp;operates as the first private computer emergency response team in Russia. Group-IB is part of LETA Group.</p>
<p><strong style="padding: 0px; margin: 0px;">About the Academy of Informational Systems (AIS)</strong></p>
<p>The Academy of Informational Systems (AIS) was founded in 1996 as part of the Stins Coman Group and is the leading Russian educational center for managers and specialists in the field of IT security. In 2006, the AIS received certification and state accreditation, thereby solidifying its educational programs and learning environments as conforming to the high national standards of the Russian Federation. One of the most important activities of the AIS is organizing conferences. Since 2001, the Academy’s events have brought together various specialists in the IT security field for the exchange of ideas and experiences in order to develop the solutions for the industry’s current issues.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-55-38, or&nbsp;<a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a>, and Tatyana Yakovleva, Head of the AIS PR Department, at +7 (495) 231-30-40 ext. 378, or&nbsp;<a href="mailto:TYakovleva@stinscoman.com" style="color: #0055cc; padding: 0px; margin: 0px;">TYakovleva@stinscoman.com</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/620-group-ib-is-the-main-sponsor-of-antifraud-russia-2011</guid> 
                <pubDate>Wed, 09 Nov 2011 10:20:00 +0300</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB launches the first private CERT in Russia]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/619-group-ib-launches-the-first-private-cert-in-russia</link>
                <description><![CDATA[<h1>Group-IB launches the first private CERT in Russia</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">October 24, 2011</p>
<p>MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing the launch of CERT-GIB, the first private computer emergency response team in Russia.</p>
<p>CERT-GIB is a computer emergency response team created on the basis of Group-IB. Its mission is to promptly assist organizations and individuals in responding to incidents. Notably, CERT-GIB not only cooperates with clients being served in accordance with existing contract terms, but can also provide these services to any other organization or individual as part of its information gathering and response coordination.</p>
<p>CERT-GIB provides the client with comprehensive support in minimizing informational risks, consisting of technical, organizational, and legal advice. Incident response services are countermeasures aimed at identifying the nature of the incident and neutralizing it, restoring the operational functioning of the information systems, analyzing the causes of the incident, identifying those responsible, and prosecuting them. The financial and reputational damages resulting from the incident are reduced by the correct and rapid incident response. A continuous operational cycle in information gathering and incident response is carried out around the clock by Group-IB’s experts located in Moscow, New York, and Singapore.</p>
<p>For more effective service delivery, Group-IB is actively engaged with other incident response teams in Russia and around the world, as well as with developers of security software, law enforcement agencies, and other members of the worldwide anti-cybercrime community.</p>
<p>“In the United States there are at least sixty-two computer emergency response teams active right now. There are seven in Denmark. In Russia, the largest country in the world, there is only one,” points out Ilya Sachkov, Group-IB’s CEO. “There is a long overdue need for another organization capable of quickly, professionally, and effectively dealing with information security issues arising in Russia, or involving Russian companies. Thanks to the experience and competence of our experts, CERT-GIB will become a credible tool in the fight against organized cybercrime.”</p>
<p>To learn about the full range of services offered by CERT-GIB, please visit the team’s official site at&nbsp;<a href="http://www.cert-gib.com/" style="color: #0055cc; padding: 0px; margin: 0px;">www.cert-gib.com</a>.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the CIS working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Group-IB is part of LETA Group.</p>
<p>For additional information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-55-38, or <a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/619-group-ib-launches-the-first-private-cert-in-russia</guid> 
                <pubDate>Mon, 24 Oct 2011 10:18:40 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Top 50 Bad Hosts & Networks — 3rd Quarter 2011 — published by HostExploit and Group-IB]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/618-top-50-bad-hosts-a-networks-3nd-quarter-2011-published-by-hostexploit-and-group-ib</link>
                <description><![CDATA[<h1>Top 50 Bad Hosts &amp; Networks — 3rd Quarter 2011 — published by HostExploit and Group-IB</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;"><em style="padding: 0px; margin: 0px;">October 20, 2011</em></p>
<p>This year has been characterized by frequent reports of hacks and data breaches with little change in Q3 2011 in a seemingly never ending outflow of data from organizations struggling to cope with the demands of ever changing technologies.</p>
<p>Social engineering is now acknowledged as a leading threat to organizations and businesses of all sizes, with many lacking the resources to control this multi-faceted problem. The rise of personal gadgets used within the workplace also brings its own set of problems. Key to countering cybercrime in its many forms and guises is raising awareness and educating users, employees and IT personnel about current threats and the places they are likely to come from.</p>
<p>The HostExploit ‘Top 50 Bad Hosts’ series and related quarterly reports is our way of contributing to the fight against cybercrime. Our aim is to raise awareness about where badness is being hosted and to provide a means for hosts to benchmark the cleanness of their service against others in the industry.</p>
<p>HostExploit analyzes all 39,056 currently advertised and commercial hosts (ASNs) with the results represented in a number of ways. The main findings are available for download on the HostExploit website. For the second time, we are pleased to announce that this report is also published in Russian, due to a collaborative partnership with Group-IB Moscow.</p>
<p>More detailed information on individual ASes is available on our sister site, SiteVet. There it shows, for example, whether the badness detected is botnet activity, badware, exploit kits, spam, etc. Historical information is available too, giving further insight into the longer-term performance of all hosting providers. This is additionally beneficial in deciding on the reputation of a particular host.</p>
<p>In Q3 2011, there were several changes in the top positions in the ‘Top Bad Hosts’ table:</p>
<ul class="sp1">
<li>The title of #1 Bad Host (Overall Category) now goes to&nbsp;<strong style="padding: 0px; margin: 0px;">AS33626 Oversee.net</strong>, a monetizer of domain names, for high levels of hosting malicious URLs, badware, Zeus botnet servers and infected sites.</li>
<li>The US share of the Top 50 has dropped from 23 in Q2 to 16 in Q3, although 5 of the Top 10 are still hosting from the United States, including the #1 spot.</li>
<li>#1 in the most important category, Exploit Servers, in the analysis of malware, phishing or badness as a whole, is&nbsp;<strong style="padding: 0px; margin: 0px;">AS47583 Hosting-Media</strong>, hosted in Lithuania.</li>
</ul>
<p>Also discussed this quarter is the rise of GHOSTing, or Bulletproof Cybercrime Hosting in the Cloud, as a way of serving malicious material while remaining under the radar. This type of operation gives the impression of clean and responsible hosting, as no obvious sign of criminal activity is detected on the provider’s servers. This is achieved through the legitimate offering of VPN or VPS services to clients who wish to host illicit or objectionable badness, e.g. malware, botnet C&amp;Cs, phishing, spam operations or even images of child sexual abuse. In this way hosts can feign ignorance or turn a blind eye to their customers’ real intentions. Further details are available in the Q3 report.</p>
<p>In a quarter that included the notorious hack of DigiNotar, which left many unanswered questions about lax security, it can be difficult to find any good news. That is why HostExploit makes a point of including a regular feature called the ‘Good Hosts’, in which we congratulate the most improved hosts. This quarter is no exception and includes at least one familiar name, a former #1 Bad Host and Top 10 regular, which has recently shown a significant improvement by dropping just out of the Top 50. Well done to Dutch host&nbsp;<strong style="padding: 0px; margin: 0px;">AS29073 Ecatel</strong>.</p>
<p>For a full copy of the Q3 Top 50 Bad Hosts &amp; Networks report, please visit: <a href="http://hostexploit.com/downloads/summary/7-public-reports/32-top-50-bad-hosts-a-networks-2011-q3.html" style="color: #0055cc; padding: 0px; margin: 0px;">http://hostexploit.com/downloads/summary/7-public-reports/32-top-50-bad-hosts-a-networks-2011-q3.html</a>.</p>
<p><strong style="padding: 0px; margin: 0px;">About HostExploit</strong></p>
<p>HostExploit provides open source intelligence on cyber security issues and cybercriminal operations. By analyzing all the public Internet servers worldwide, the quarterly Top Bad Hosts reports and daily SiteVet updates aim to maximize awareness among hosts, registrars, governmental bodies and cyber security researchers.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the CIS working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Group-IB is part of LETA Group.</p>
<p><strong style="padding: 0px; margin: 0px;">Contact</strong></p>
<p><a href="mailto:bryn@hostexploit.com" style="color: #0055cc; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; text-align: justify; padding: 0px; margin: 0px;">Bryn Thompson</a><span style="font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; text-align: justify;">&nbsp;<br style="font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; text-align: justify; padding: 0px; margin: 0px;" /><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; text-align: justify; padding: 0px; margin: 0px;">Bogdan Vovchenko</a></span></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/618-top-50-bad-hosts-a-networks-3nd-quarter-2011-published-by-hostexploit-and-group-ib</guid> 
                <pubDate>Thu, 20 Oct 2011 10:13:53 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB at Skolkovo: A new level of cybercrime fighting]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/617-group-ib-at-skolkovo-a-new-level-of-cybercrime-fighting</link>
                <description><![CDATA[<h1>Group-IB at Skolkovo: A new level of cybercrime fighting</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">September 21, 2011</p>
<p>MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, announces its residency at the Skolkovo Innovation Center. As part of the Skolkovo innovative projects, Group-IB will be creating CyberCop, a global counter-cybercrime system. As a result, Group-IB will be the third company representing LETA Group at Skolkovo.</p>
<p>CyberCop, the wide-ranging counter-cybercrime system, is an effective tool which will allow the law enforcement agencies in Russia and around the world to combat cybercrime during the most difficult stages of the investigative process: evidence gathering, information analysis, and perpetrator finding. Through correlating data regarding cybercrimes, their methods, and the persons involved, the investigation will be conducted with complete information. Therefore, such technological means will not only contribute to information protection, but also directly reduce cybercrime volume.</p>
<p>The comprehensive CyberCop system being developed consists of four main modules:</p>
<ol>
<li>CyberCop: the central module responsible for storing, processing, and correlating information regarding high-tech crimes. This module is intended for use only by the appropriate law enforcement authorities.</li>
<li>BrandPointProtection and AntiPhishing: the module which allows for automated online monitoring for unlawful use of corporate brand names and phishing attacks.</li>
<li>FraudMonitor: the subsystem designed to detect and prevent online banking fraud.</li>
<li>ForensicSystems: the advanced software and hardware system used to conduct computer forensics and gather digital evidence.</li>
</ol>
<p>Based on the analysis of the submitted application, the Skolkovo Innovation Center has assigned Group-IB the primary registration number 1110074 as a participant in the Strategic Computer Technologies and Software Project. It is notable that Group-IB is the third LETA Group company which has attained residency at the Skolkovo Innovation Center. The first was ASK Labs, industrial automation solutions developer, and the second was HamsterSoft, mass freeware developer.</p>
<p>“Becoming a resident at Skolkovo allows our company to implement an ambitious development project of a fundamentally new domestic product for the global cybercrime investigation market,” said Ilya Sachkov, CEO of Group-IB. “Creating the CyberCop system is a strategic step in transforming Group-IB from a service provider to a software and hardware developer for the global counter-cybercrime market.”</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first company in Russia and the CIS working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Group-IB is part of LETA Group.</p>
<p><strong style="padding: 0px; margin: 0px;">About LETA Group</strong></p>
<p>LETA Group is a management and investment company in the field of advanced information technologies. LETA Group’s investment strategy is based on creation, acquisition, and asset management in various segments of the Russian IT market. Currently, LETA Group has the following companies under its umbrella: LETA, ESS Distribution, Group-IB, DAMASK, HamsterSoft, ASK Labs, and ASKOM-Stroy. In total, the Group’s companies have over 400 employees. In 2010, LETA Group’s revenue was 3.4 million rubles.</p>
<p>For more information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-55-38 or via email at <a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/617-group-ib-at-skolkovo-a-new-level-of-cybercrime-fighting</guid> 
                <pubDate>Wed, 21 Sep 2011 10:10:48 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB opens office in the United States]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/616-group-ib-opens-office-in-the-united-states</link>
                <description><![CDATA[<h1>Group-IB opens office in the United States</h1>
<p align="center" style="padding-top: 8px; padding-right: 0px; padding-bottom: 8px; padding-left: 0px; font-family: Tahoma, Arial, Verdana, sans-serif; font-size: 12px; line-height: 15px; margin: 0px;">September 6, 2011</p>
<p>MOSCOW — Group-IB, the first Russian company to fully devote its resources to investigating IT security incidents and breaches of information security, announces the opening of its office in the United States. This new division will be responsible for strengthening the company’s position and expanding the company into the North American market.</p>
<p>The establishment of Group-IB’s first foreign office is another step in the implementation of a strategy of bringing the company’s services to the international cybercrime investigation market. The new office will provide a full range of Group-IB services in North America, including the latest advances in online brand protection and fraud prevention for online banking systems.</p>
<p>Group-IB has appointed Alex Kuzmin to head the new office, located in New York City. Alex was behind the formation of the first private Computer Emergency Response Team (CERT) in France in 2004. Prior to joining Group-IB, Alex had headed a Canadian CERT since 2007.</p>
<p>“The primary tasks of the new office will be the strengthening of ties with law enforcement agencies and expert communities in the United States, as well as representing the interests of American companies operating on the Russian market in Russia and the former Soviet Union,” commented Aleksey Kuzmin. “Moreover, the specialists of our office will provide remote assistance to Group-IB’s Russian clients, thus providing around the clock operation, and reducing the load on the headquarters.”</p>
<p>“Opening Group-IB’s American office is an important step on our part in strengthening international cooperation against worldwide cybercrime,” said Ilya Sachkov, CEO of Group-IB. “At the same time, the American office will quickly localize our services for the local computer forensics market. I am confident this will be done successfully and in the timeframe provided.”</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB:</strong></p>
<p>Group-IB is the first company in Russia and the CIS which works professionally and comprehensively with cybercrime investigations, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including to Russian law enforcement agencies. Group-IB is part of&nbsp;<a href="http://www.letagroup.ru/eng/" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>
<p>For more information contact Bogdan Vovchenko, Group-IB’s PR Manager, at +7 (495) 661-55-38 or via email at <a href="mailto:vovchenko@group-ib.ru">vovchenko@group-ib.ru</a>.</p>]]></description>
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/616-group-ib-opens-office-in-the-united-states</guid> 
                <pubDate>Tue, 06 Sep 2011 09:00:29 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Top 50 Bad Hosts & Networks - 2nd Quarter 2011 – published by HostExploit and Group IB]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/615-top-50-bad-hosts-a-networks-2nd-quarter-2011-published-by-hostexploit-and-group-ib</link>
                <description><![CDATA[<h1>Top 50 Bad Hosts &amp; Networks - 2nd Quarter 2011 – published by HostExploit and Group IB</h1>
<p>In a quarter dominated by press stories from self-publicizing hackers such as Anonymous and LulzSec, matched with DDoS attacks and data exfiltration by others, it is easy to overlook the more widespread problems – as an example, there were around 350,000 website defacement hacks in this quarter and 1.5 million in 2010. Additionally, there are currently 800,000 plus web sites hosting malicious exploits and badware.</p>
<p>The Q2 Top 50 Bad Hosts &amp; Networks report encompasses analysis on all 38,030 currently advertised and commercial hosts (ASNs), focusing on the 50 worst offenders. For the first time, and due to a collaborative partnership between HostExploit and Group-IB, we are pleased to announce the report is published with both&nbsp;<a href="http://hostexploit.com/downloads/viewdownload/7-public-reports/30-top-50-bad-hosts-a-networks-2011-q2.html" style="color: #0055cc; padding: 0px; margin: 0px;">English</a>&nbsp;version available as free downloads.</p>
<p>The need for standardization is a recurring theme for this quarter. This conclusion is reached as a result of, and based upon, our observations of the many different ways that blacklists are compiled. Differences in data sets can be explained, in part, by blacklists being produced for specific malicious activity. Rapid expansion of the blacklist community has resulted, in some cases, in an increase in the number of false positives, and often difficulty in their removal within a reasonable period of time.</p>
<p>After consulting with Google about the problem of false positives in relation to domain parking, Google recently made a process change to eliminate many false positives in their Safe Browsing service (used in browsers to protect end-users from malicious websites). For example, HostExploit research shows that the removal of false positives from the Google Phishing list has resulted in a significant reduction (80 per cent) in the listings of&nbsp;<a href="http://sitevet.com/db/asn/AS21740" style="color: #0055cc; padding: 0px; margin: 0px;"><strong style="padding: 0px; margin: 0px;">AS21740 eNom</strong></a>. For eNom this has proved significant: it has dropped out of the Top 100 and can therefore concentrate on cleaning up the real issues. The same effect will be seen across other domain registrars and domain wholesalers, reducing the problem of false positives that can be associated with domain parking.</p>
<p>In summary, other findings from the report show:</p>
<ul class="sp1">
<li>The title of #1 Bad Host (Overall Category) goes to&nbsp;<a href="http://sitevet.com/db/asn/AS33182" style="color: #0055cc; padding: 0px; margin: 0px;"><strong style="padding: 0px; margin: 0px;">AS33182 HostDime</strong></a>&nbsp;for significant levels of spam, exploit servers, phishing servers and Zeus servers, as well as botnet C&amp;C servers, badware and infected websites.</li>
<li>Nearly one half (23) of the Top 50 Bad Hosts operate from the United States. Cybercriminals like hosting services that are easy to obtain and which provide false credibility.</li>
<li>The Exploit Servers category represents HostExploit’s most important category in the analysis of malware, phishing or badness as a whole. #1 this quarter is&nbsp;<a href="http://sitevet.com/db/asn/AS14585" style="color: #0055cc; padding: 0px; margin: 0px;"><strong style="padding: 0px; margin: 0px;">AS14585 CIFNet</strong></a>.</li>
<li>In the Current Events sector, which covers the most up-to-date and fast-changing malicious activities (click jacking, counterfeit pharma, new exploit kits, SpyEye, Stuxnet and blended attacks such as MALfi), the #1 position goes to&nbsp;<a href="http://sitevet.com/db/asn/AS16138" style="color: #0055cc; padding: 0px; margin: 0px;"><strong style="padding: 0px; margin: 0px;">AS16138 Interia.pl</strong></a>.</li>
<li>Comparing Q1 with Q2 2011, there are few changes in terms of overall levels of badness being served. Website infections, however, are down on the corresponding period of 2010.</li>
</ul>
<p>Hosts and corporate networks invariably do not host malicious activity with deliberate intent, but can deliver malware from servers that have been hacked or compromised and added to a network of zombies. Such networks are used to extend the reach of noxious or virulent material by masking its true origin and, thus, helping it avoid detection. For this reason HostExploit considers the category called Exploit Servers to be the most important in its analysis, and this is why it is given added weighting. Full details of the methodology used are available in the full report.</p>
<p>To end on a positive note, some well-known names have shown significant reductions in levels of badness and are deserving entrants to the ‘Most Improved Host’ category. Most Improved this quarter is&nbsp;<a href="http://sitevet.com/db/asn/AS47764" style="color: #0055cc; padding: 0px; margin: 0px;"><strong style="padding: 0px; margin: 0px;">AS47764 Netbridge</strong></a>, host to the popular mail client Mail.ru, which has shown a drop of 84 percent. The title of overall #1 Good Host for consistent low levels of badness this quarter is&nbsp;<a href="http://sitevet.com/db/asn/AS34744" style="color: #0055cc; padding: 0px; margin: 0px;"><strong style="padding: 0px; margin: 0px;">AS34744 GVM Sistem</strong></a>, hosted in Romania.</p>
<p>For a full copy of The Q2 Top 50 Bad Hosts &amp; Networks report, please visit: <a href="http://hostexploit.com/downloads/viewdownload/7-public-reports/30-top-50-bad-hosts-a-networks-2011-q2.html" target="_blank" style="color: #0055cc; padding: 0px; margin: 0px;">http://hostexploit.com/downloads/viewdownload/7-public-reports/30-top-50-bad-hosts-a-networks-2011-q2.html</a>.</p>
<p><strong style="padding: 0px; margin: 0px;">About HostExploit</strong></p>
<p>HostExploit, part of CyberDefcon, provides open source intelligence on cyber security issues and cybercriminal operations. By analyzing all the public Internet servers worldwide, the quarterly Top Bad Hosts reports and daily SiteVet updates aim to maximize awareness among hosts, registrars, governments and cyber security researchers.</p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is Russia and the CIS’s leading computer security company, specializing in the investigation of computer crime, information security breaches, and computer forensics. It was the first, and remains the only, company in the Russian Federation specializing in cybercrime investigations and post-incident consulting.</p>
<p><strong style="padding: 0px; margin: 0px;">Contact</strong></p>
<p><a href="mailto:bryn@hostexploit.com" style="color: #0055cc; padding: 0px; margin: 0px;">Bryn Thompson</a>&nbsp;<br style="padding: 0px; margin: 0px;" /><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">Bogdan Vovchenko</a></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/615-top-50-bad-hosts-a-networks-2nd-quarter-2011-published-by-hostexploit-and-group-ib</guid> 
                <pubDate>Wed, 13 Jul 2011 08:55:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[First GIAC Certified Forensic Analyst in Russia]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/614-first-giac-certified-forensic-analyst-in-russia</link>
                <description><![CDATA[<h1>First GIAC Certified Forensic Analyst in Russia</h1>
<p><em style="padding: 0px; margin: 0px;">Group-IB announces that Aleksandr Pisemsky, Deputy General Manager, has received the GCFA certificate. This is the first time a Russian expert has been certified at such a high level under the GIAC program.</em></p>
<p>The GCFA (GIAC Certified Forensic Analyst) certification, administered by the American SANS Institute, is for professionals working in the information security, computer forensics, and incident response fields. The certificate attests that the expert has all the knowledge necessary to carry out formal forensic examinations and investigations, as well as the skills to analyze advanced persistent threats. Moreover, the certificate is not issued on a permanent basis: it must be renewed every 4 years.</p>
<p>Certification under the GIAC (Global Information Assurance Certification) program is considered unique in that the certification process examines not only knowledge in a given professional field but also the ability to apply that knowledge in practice. A candidate for the GCFA diploma has to pass a four-hour exam and answer 150 questions of a theoretical and practical nature covering digital forensics and computer crime legislation. Currently only 2456 computer forensics specialists worldwide have managed to pass it. This year, for the first time, a Russian expert, Aleksandr Pisemsky, Group-IB Deputy General Manager and head of the Digital Forensics Laboratory, obtained this certificate.</p>
<p>“GIAC program certification is highly recommended to information security experts to prove their professional competence,” says Group-IB General Manager&nbsp;<strong style="padding: 0px; margin: 0px;">Ilya Sachkov</strong>. “Having a forensic specialist certified by the SANS Institute in our company shows that the Digital Forensics Laboratory’s conclusions from computer and technical expert examinations and investigations comply with the highest international standard. In the near future all laboratory experts are going to pass this certification. I am sure that the standard set by Aleksandr will become a kind of guideline both for employees of our company and for other Russian forensic specialists.”</p>
<p>For more information please contact:</p>
<p>Bogdan Vovchenko</p>
<p>+7 495 661-55-38</p>
<p><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a></p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first and only public company in Russia professionally and fully engaged in consulting in the field of digital crime investigation and computer forensics. It is a part of&nbsp;<a href="http://www.letagroup.ru/eng/" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/614-first-giac-certified-forensic-analyst-in-russia</guid> 
                <pubDate>Mon, 20 Jun 2011 08:51:40 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB launches BrandPointProtection service]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/613-group-ib-launches-brandpointprotection-service</link>
                <description><![CDATA[<h1>Group-IB launches BrandPointProtection service</h1>
<p><em style="padding: 0px; margin: 0px;">Group-IB announces the launch of its unique BrandPointProtection service, aimed at protecting brands from Internet threats.</em></p>
<p>The BrandPointProtection service is a unique package combining round-the-clock monitoring, notification and response to cases of brand misuse on the Internet. As part of the response, the brand’s rights holder receives legal support, including removal of illegal content, takedown of phishing or fraudulent sites, and holding the responsible computer criminals to account.</p>
<p>The appearance of the new, independent BrandPointProtection service within Group-IB’s portfolio of IT incident response and investigation services is a logical answer to the constant increase in targeted attacks on corporate brands present on the Internet. The most typical manifestations of such attacks are ongoing bulk spam sent to a company’s clients, a sharp growth in the number of fake and phishing sites, the existence of specialized malicious software, and an increase in cases of well-known brand misuse on the Internet (distribution of counterfeit products, grey and black imports, fraud) and “black PR”. The main danger of such threats lies in the combined direct financial losses to the company and the loss of the attacked brand’s reputational value.</p>
<p>‘Our company has been ensuring the safe presence of popular brands on the Internet for a long time; however, we have only started offering the comprehensive service from the beginning of this year,’ says&nbsp;<strong style="padding: 0px; margin: 0px;">Ilya Sachkov</strong>, the head of Group-IB. ‘To this end an associated expert group was created with knowledge both in the field of information technology and in the humanities. In turn, current brand protection projects in the financial and retail sectors have shown the demand for, and effectiveness of, such a unique service that ensures brand safety on the Internet.’</p>
<p>For more information please contact:</p>
<p>Bogdan Vovchenko</p>
<p>+7 495 661-55-38</p>
<p><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a></p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first and only public company in Russia professionally and fully engaged in consulting in the field of digital crime investigation and computer forensics. It is a part of&nbsp;<a href="http://www.letagroup.ru/eng/" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/613-group-ib-launches-brandpointprotection-service</guid> 
                <pubDate>Mon, 30 May 2011 08:50:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[ESET and Group-IB reported on Russian and global cybercrime prevention at CARO 2011]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/612-eset-and-group-ib-reported-on-russian-and-global-cybercrime-prevention-at-caro-2011</link>
                <description><![CDATA[<h1>ESET and Group-IB reported on Russian and global cybercrime prevention at CARO 2011</h1>
<p><em style="padding: 0px; margin: 0px;">ESET, an international developer of antivirus software and computer security solutions, reports that it took part in the international Computer Antivirus Research Organization Conference (CARO 2011) jointly with Group-IB, a Russian company specializing in the investigation of information security incidents.</em></p>
<p>CARO is an annual information security conference where IS specialists discuss pressing issues related to threats and trends in the field, present their research, and share experience in cybercrime prevention. The event is held behind “closed doors”, which allows freer-flowing communication among experts. This year the conference took place in Prague, the capital of the Czech Republic, and brought together more than 100 information security specialists.</p>
<p>At CARO 2011 ESET specialists, jointly with a representative of Group-IB, reported on issues related to information security in Russia and trends in the development of cybercrime in the country. Part of the report was devoted to positive trends in computer crime prevention in Russia: legislative development, the popularization of computer forensics, and approaches to incident management.</p>
<p>The talk was opened by Dmitry Volkov, Group-IB Deputy General Manager, who gave a brief analysis of the state of the Russian computer crime market in 2010. According to statistics from Group-IB’s Cyber Forensic Laboratory, last year the most common types of cyber threats were incidents in online banking systems, SMS fraud, DDoS attacks and unauthorized access to important corporate information. A strong growth in a new type of incident, attacks targeting popular brands on the Internet, should also be mentioned. Special priority in the report was given to fraud in online banking systems as the most common type of computer crime on the territory of the Russian Federation. Foreign experts showed particular interest in the typical schemes for converting stolen money into cash.</p>
<p>‘We consider it an honour to be invited to CARO 2011,’ says Dmitry Volkov. ‘Events of such scale assemble a great number of highly skilled experts in the field of information security and computer crime prevention. It is the place where you can share your practical knowledge, establish partnerships and strengthen the international cooperation that is necessary to give an effective answer to cybercrime challenges. We are trying to make it clear that Russia is not a source of cybercriminals, and by our example we show that Russian IT companies and the state are actively combating this problem.’</p>
<p>The second part of the report, presented by Aleksandr Matrosov, Director of the Virus Research and Analytics Center of ESET’s Russian office, and Robert Lipovski, ESET Virus Analyst, was devoted to the technical aspects of how cyber-attacks are carried out in the Russian banking sector. In particular, the specialists described the malicious software used by intruders to steal funds through online banking systems.</p>
<p>The most widespread threats to online banking systems were the malware families Win32/RDPdoor, Win32/Sheldor, Win32/Carberp, Win32/Hodprot and Win32/Qhost, in that order. Special attention was given to the first three Trojans, which led by number of incidents. The most common in Russia was the Win32/RDPdoor backdoor, which forms a botnet and uses Microsoft Remote Desktop Protocol to infect a computer. According to ESET, this malware sells among hackers for about $2,000. The threat was most prevalent on the territory of Russia, Ukraine and Kazakhstan.</p>
<p>‘The results of our research showed that criminals still succeed in responding to the security measures taken by companies, and also develop and use new methods to bypass IS systems,’ comments Aleksandr Matrosov. ‘Command server shutdown is no longer efficient in opposing the vigorous growth of cybercrime. The only way to prevent computer crimes today is to join efforts in this sphere at the international level and maintain permanent close cooperation.’</p>
<p>For more information please contact:</p>
<p>Bogdan Vovchenko</p>
<p>+7 495 661-55-38</p>
<p><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a></p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first and only public company in Russia professionally and fully engaged in consulting in the field of digital crime investigation and computer forensics. It is a part of&nbsp;<a href="http://www.letagroup.ru/eng/" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/612-eset-and-group-ib-reported-on-russian-and-global-cybercrime-prevention-at-caro-2011</guid> 
                <pubDate>Thu, 26 May 2011 08:48:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[One in four pirated copies of Windows is virus infected]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/611-one-in-four-pirated-copies-of-windows-is-virus-infected</link>
                <description><![CDATA[<h1>One in four pirated copies of Windows is virus infected</h1>
<p><em style="padding: 0px; margin: 0px;">Microsoft has published the results of research into the safety of pirated copies of Windows, conducted by Group-IB at the beginning of 2011. Experts analyzed pirated copies of the Microsoft Windows XP, Windows Vista and Windows 7 operating systems.</em></p>
<p>Each distribution disk, and subsequently the software installed from it, was scanned with antivirus tools from several vendors, which increased the probability of detecting malicious software. Each product was examined by the experts both for malicious code and for general operability. The research covered pirated copies of operating systems available to Russian users through the main distribution channels: unauthorized points of sale on physical media (DVD, CD) and the Internet (torrents and file hosting services).</p>
<p>According to the research, 94% of all pirated copies contain mechanisms for bypassing Windows product activation, which can negatively affect the stability of the system. Moreover, in 7% of all examined operating system copies, software directly intended for stealing passwords and other personal data was detected.</p>
<p>In 96% of the Windows operating systems available for download from torrents and file hosting services the original code has been altered to bypass software activation, which indicates the presence of undesirable or harmful software. Viruses and Trojans are present in 6% of setup files, and most of those detected can be used to steal personal data. 29% of the pirated Windows copies available for download from file hosting services turned out to be completely non-functional.</p>
<p>When a pirated copy of Windows is bought at an unauthorized point of sale, the risk of becoming a victim of malicious software and, in effect, voluntarily handing personal information to third parties increases several times over. Every fourth disk (25%) checked by the experts contained malicious software, and 12.5% of disks included programs for stealing user passwords and personal data. Remarkably, in some cases CDs bought at three Moscow markets turned out to be beta versions of Windows.</p>
<p>‘Recently Russian users have been using their computers more actively to solve a wide range of daily problems, frequently entrusting them with the most secret information, including, for example, access to their bank accounts. This is the reason for the great temptation of fraudsters and criminals who use malicious software to gain access to this data,’ says&nbsp;<strong style="padding: 0px; margin: 0px;">Denis Guz</strong>, the head of the Department for Microsoft Licensed Software Promotion in Russia. ‘As the research shows, one of the widespread methods of implementing these criminal plans is counterfeit software, with its extensive sales network and millions of potential victims. Microsoft informs users of the risks to which they are exposed when installing programs from doubtful sources on their computers. This is especially true of an operating system that was on the computer before any external protection was installed, since such protection does not always manage to detect a problem in an initially modified system even after it is installed.’</p>
<p>Based on the research materials, Group-IB experts classified the types of potential threats arising from the use of pirated distribution disks, and the ways they are delivered:</p>
<ul class="sp1">
<li>malicious software built into the distribution disk;</li>
<li>malicious software built into the activation tools;</li>
<li>the presence of code that is not flagged as malicious by anti-virus programs, but which potentially carries out unauthorized actions in the system.</li>
</ul>
<p>The researchers draw special attention to the following point: the absence of obvious threats in a preliminary antivirus check of the distribution disk does not guarantee that no malicious programs will be detected after installation. At the same time, checking the installed OS with anti-virus tools cannot always detect the presence of malicious or undesirable software. Hence, pirated software always carries a high level of threat for the user.</p>
<p>‘Regular independent examination of software for compliance with licensing requirements allows existing threats to users’ information security to be detected in time,’ notes&nbsp;<strong style="padding: 0px; margin: 0px;">Ilya Sachkov</strong>, Head of Group-IB. ‘Piracy causes financial losses not only to rights holders, but also to users. In 60% of the incidents investigated by our experts, pirated software was one of the principal reasons for system compromise and theft of funds.’</p>
<p>For more information please contact:</p>
<p>Bogdan Vovchenko</p>
<p>+7 495 661-55-38</p>
<p><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a></p>
<p><strong style="padding: 0px; margin: 0px;">About Group-IB</strong></p>
<p>Group-IB is the first and only public company in Russia professionally and fully engaged in consulting in the field of digital crime investigation and computer forensics. It is a part of&nbsp;<a href="http://www.letagroup.ru/eng/" style="color: #0055cc; padding: 0px; margin: 0px;">LETA Group</a>.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/611-one-in-four-pirated-copies-of-windows-is-virus-infected</guid> 
                <pubDate>Thu, 21 Apr 2011 08:46:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA["Russian" hackers earned about 2.5 billion dollars in 2010 ]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/610-qrussianq-hackers-earned-about-25-billion-dollars-in-2010</link>
                <description><![CDATA[<h1>"Russian" hackers earned about 2.5 billion dollars in 2010</h1>
<p><i style="padding: 0px; margin: 0px;">Analysts of Group-IB, in association with experts of the ESET Virus Research and Analysis Center and analysts of the LETA company, have prepared a report on the state of the “Russian” computer crime market. It is estimated that “Russian” hackers earned about 2.5 billion dollars in 2010.</i></p>
<p>The report contains the results of a survey of the state of the “Russian” computer crime market in 2010. It focuses on the main threats related to different types of hacker activity, analyzes the general services offered by the computer mafia, estimates the “Russian” segment’s share of the global cybercrime market, and gives predictions on market development trends for this year.</p>
<p>It is significant that the analysts studied the “Russian” computer crime market specifically. In this report the term “Russian” cybercrime market denotes the market of computer crimes committed by citizens of the Russian Federation, by citizens of the CIS and Baltic countries, and by immigrants from the former Soviet Union countries who live abroad. Crimes committed by “Russian” hackers both in their country of residence and in other countries all over the world are taken into account when analyzing the financial indicators of the industry.</p>
<p>Judging by the analysis of criminal services and their prices, and based on data from foreign colleagues, Group-IB experts estimate the global computer crime market turnover at 7 billion dollars, while the share of the whole “Russian” cybercrime market is estimated at 2.5 billion dollars. Russian hackers earned about 1.3 billion dollars in 2010.</p>
<p>Given the current trends in information technology and cybercrime market development, it is possible to predict that “Russian” hackers will earn around 3.7 billion dollars as early as this year, and in 2013 they will double this figure. Approximately half of the “Russian” computer crime industry’s revenue will belong to Russian intruders.</p>
<p>The following general trends in computer crime market development may be marked in 2010:</p>
<ul class="sp1">
<li>increasing professionalism of its participants;</li>
<li>market expansion due to the appearance of new participants;</li>
<li>falling prices for in-demand services;</li>
<li>growth of the internal cybercrime market, i.e. so-called Cybercrime-to-Cybercrime (C2C) services;</li>
<li>an orientation towards super-monetization.</li>
</ul>
<p>As a consequence of these trends, the services offered on the cybercrime market have become more accessible, which drives growth in the number of hacker attacks worldwide and in the market’s financial performance.</p>
<p>The year 2010 was characterized by increased activity of computer criminals as well as continuing professionalization of the market worldwide. During the period studied, the major hacker threats were:</p>
<ul class="sp1">
<li>rampant increase in the number and complexity of DDoS attacks;</li>
<li>targeted attacks on the financial industry and an increase in incidents in online banking systems;</li>
<li>a rapid surge in SMS fraud in the CIS;</li>
<li>use of social engineering to steal personal information and commit online fraud;</li>
<li>targeted attacks on critical infrastructure.</li>
</ul>
<p>Within the scope of the report, the following components of the Russian computer crime market were identified as representing the greatest danger to society:</p>
<ul class="sp1">
<li>DDoS attacks: network attacks intended to cause denial of service;</li>
<li>fraud in online banking systems: unauthorized submission of electronic payment orders to steal money;</li>
<li>spam: bulk e-mailing;</li>
<li>traffic selling: services that install malware on a large number of computers and services that redirect users to particular websites (part of the C2C market);</li>
<li>affiliate (partnership) programs (illegal sale of medicines, sale of pirated software, downloads, etc.) (part of the C2C market).</li>
</ul>
<p>Based on the study, Group-IB experts also give recommendations for reducing the activity of “Russian” hackers. The legal framework must be improved on a regular basis, and the competence of the law enforcement bodies responsible for fighting crime in the field of computer technology must be raised. Another important factor in countering cybercrime is the development and deployment of innovative technical means and solutions that enable a proactive response to information security threats.</p>
<p>«Sadly, we have recorded the expansion of the “Russian” computer crime market and the growth of hackers’ incomes. Given the current factors, we expect the problem to worsen. Tougher penalties, more active interstate cooperation, engagement of industry associations and promotion of a fundamental information security policy will help slow the current pace of “Russian” cybercrime market growth», said&nbsp;<b style="padding: 0px; margin: 0px;">Ilya Sachkov, the Head of Group-IB.</b></p>
<p><b style="padding: 0px; margin: 0px;">About Group-IB</b></p>
<p>Group-IB (<a href="http://www.group-ib.com/" style="color: #0055cc; padding: 0px; margin: 0px;">www.group-ib.com</a>) is the first company in Russia and the CIS fully and professionally engaged in the investigation of computer crimes and information security incidents, and in computer forensics. It is a part of LETA Group.</p>
<p>Bogdan Vovchenko</p>
<p>+7 495 661-55-38</p>
<p><a href="mailto:vovchenko@group-ib.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vovchenko@group-ib.ru</a></p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/610-qrussianq-hackers-earned-about-25-billion-dollars-in-2010</guid> 
                <pubDate>Tue, 12 Apr 2011 08:42:00 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[LETA Group and Group-IB will join their IS activities and efforts in computer crimes investigating ]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/609-leta-group-and-group-ib-will-join-their-is-activities-and-efforts-in-computer-crimes-investigating</link>
                <description><![CDATA[<h1>LETA Group and Group-IB will join their IS activities and efforts in computer crimes investigating</h1>
<p><b style="padding: 0px; margin: 0px;">Moscow, Sep 14, 2010.</b>&nbsp;Today LETA Group, an investment center and management company operating in the field of advanced information technologies, has announced that Group-IB, the leader in Russian computer crime investigations (CCI), has become its member. Starting this September, LETA Group owns 50% of Group-IB’s assets (in 2009 Group-IB’s turnover amounted to 43 million rubles).</p>
<p>Group-IB is becoming an integral part of LETA Group and will work closely with the departments of LETA IT-company (an information security market leader) and the ESET Center of Virus Research and Analysis (one of the leaders of the national anti-virus software market). As a result, the Russian market will for the first time have a structure that can provide a full range of services ensuring consistent information security. This will dramatically improve the response to computer crime, raise the rate at which such crimes are solved, accelerate the collection of evidence and thereby help make punishment inevitable.</p>
<p>Group-IB has been working on the Russian market for more than seven years and has specialized in investigating computer crimes since the day it was founded. During this time the Federal Tax Service, Gazprom, Norilsknikel, Microsoft, British American Tobacco, Uralsib Financial Corporation, Alfa-Bank, Russian Regional Development Bank, Kommersant Publishing House and many other organizations have become Group-IB clients. Today Group-IB experts offer the most comprehensive range of services in the field of digital forensics, from the investigation of RB (remote banking) fraud to legal support and post-incident consulting. The company’s unique competence, its proven information databases, and its best-practice techniques and technologies allow it to specialize in uncovering the most sophisticated criminal schemes, which often involve allied cybercrime communities from different countries.</p>
<p>The need to unite the efforts of the companies leading the major segments of the Russian computer security market stems from the qualitative changes that have occurred in this area over the past two years.</p>
<p>Earlier, Russian cyber criminals were involved mainly in computer crimes against the state agencies and commercial enterprises of economically developed countries. Now Russian companies themselves are the object of criminal interest and, in fact, there is already a market for professional computer crime, with standard services, promotion channels, rates, infrastructure, financial schemes, etc. Today, according to expert estimates, the volume of this market amounts to $1 billion per year and is constantly growing. Currently the largest share of turnover belongs to botnets (spam, identity theft, etc.: 40%) and DDoS attacks on Internet resources (20%). Large organizations, primarily banks and vertically integrated holding companies, are at the highest risk. In the long term, many medium-sized enterprises will become potential victims of computer crime and staging points for criminal actions against large companies. Accordingly, the number of computer crimes such as Internet banking fraud, disruption of information systems, and Internet attacks against brands will increase dramatically.</p>
<p>The structures designed to respond to computer crime are in a completely different situation. Legislation in this area is far from perfect, companies’ internal security services lack the required competence and are not always motivated to collect evidence, and there are virtually no professional providers of IT crime investigation services in the Russian market. Information security integrators are likewise unable to provide consistent information security. All these factors hinder the solving of computer-related crimes and, conversely, offer unlimited opportunities to cybercriminals.</p>
<p>The combination of the competencies of LETA Group member companies will help to develop a set of services that are totally new to the Russian market, blending classical information security with computer crime investigation technologies. At the same time, a number of services currently offered by Group-IB will be standardized in accordance with the best practices of LETA IT-company. “The investigation of computer crimes is our daily work. Seeing the rate of cybercrime growth and the methods it uses from the inside, we clearly understand that it is necessary to sharply increase our response now, or else it will be too late,” said Ilya Sachkov, the Group-IB CEO. “The cooperation with LETA Group is the most effective way for our company to solve this problem. But, of course, scale is not our final objective. Due to resource constraints, many organizations today find it impossible to obtain the necessary and timely assistance. The number of such structures will gradually grow. To meet this demand, we need a qualitative leap, and this is where we can’t act alone. So I’m sure we’re taking a timely and important step in the development of our business.”</p>
<p>“Today we are launching a large and, in my opinion, extremely important project for Russian business. In fact, the integration of Group-IB into our structure leads to the formation of a new market, which I would like to call the market for consistent, ‘ideal security’,” said Alexander Chachava, President of LETA Group. “We can now offer our customers integrated solutions that cover all aspects of computer crime response using high technology. Of course, we clearly understand that this niche has to involve many companies; this is a prerequisite for successful control over cyber criminals. Unfortunately, this path will be long, since the necessary competence takes years to build. Therefore, we will train specialists for the entire market, actively promoting the concept of ‘ideal security’. I am convinced that many Russian enterprises with extensive and successful experience in classical information security would like to join us.”</p>
<p>For more information please contact:</p>
<p>Valentin Krokhin, Marketing Vice President&nbsp;<br style="padding: 0px; margin: 0px;" />Tel.: +7 495 984 28 31, +7 495 921 14 10&nbsp;<br style="padding: 0px; margin: 0px;" />E-mail:&nbsp;<a href="mailto:vkrokhin@leta.ru" style="color: #0055cc; padding: 0px; margin: 0px;">vkrokhin@leta.ru</a></p>
<p><b style="padding: 0px; margin: 0px;">About LETA Group</b>&nbsp;<br style="padding: 0px; margin: 0px;" />LETA Group (www.letagroup.ru) is a management and investment company in the field of advanced information technologies. LETA Group’s investment strategy is based on creating, acquiring and managing assets in various segments of the Russian IT market.</p>
<p>LETA Group currently includes the following companies: LETA IT-company, ISET CJSC, Group-IB, DAMASK, MrSoft, GK ASK and ASKomstroy. The group employs over 300 people. Its 2009 revenues amounted to 2,920 million rubles.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/609-leta-group-and-group-ib-will-join-their-is-activities-and-efforts-in-computer-crimes-investigating</guid> 
                <pubDate>Tue, 14 Sep 2010 08:39:31 +0400</pubDate>
        </item>         <item>
                <title><![CDATA[Group-IB experts and investigators of the iKi department and Directorate for Combating Economic Crimes of Moscow Central Internal Affairs Directorate have neutralized a gang of developers and hackers infecting PCs of Internet users with block viruses]]></title> 
                <link>http://www.group-ib.com/index.php/7-novosti/608-group-ib-experts-and-investigators-of-the-iki-department-and-directorate-for-combating-economic-crimes-of-moscow-central-internal-affairs-directorate-have-neutralized-a-gang-of-developers-and-hackers-infecting-pcs-of-internet-users-with-block-viruses</link>
                <description><![CDATA[<h1>Group-IB experts and investigators of the iKi department and Directorate for Combating Economic Crimes of Moscow Central Internal Affairs Directorate have neutralized a gang of developers and hackers infecting PCs of Internet users with block viruses</h1>
<p>The gang members developed and distributed so-called block viruses (screen lockers) that infected PCs when users visited a number of different websites. “The virus completely blocked the operation of the personal computer, and the monitor displayed a pornographic image and a message about a password, needed to unlock the computer, that the user could obtain by sending a paid SMS to a four-digit number,” said a representative of the ITAR-TASS agency.</p>
<p>The cost of such a message ranged from 300 to 1000 rubles. Using mass-distribution techniques and driving traffic to these resources, the hackers managed to infect tens of thousands of PCs.</p>
<p>According to our source, tens of thousands of Internet users in Russia, Ukraine, Belarus, Moldova and the Baltic countries have become victims of this gang.</p>
<p>The Group-IB Laboratory for Computer Forensics conducted highly sophisticated computer research, which made it possible to work out how the malicious code operated, as well as to determine the scheme of operation and the payment chain. Group-IB consultants provided technical support and helped to develop new techniques for investigating computer crimes.</p>
<p>In the course of the special investigative activities, specialists of the Group-IB Department of Computer Crime Investigation also provided advisory support in conducting searches and other actions. Searches and arrests were carried out simultaneously at 20 addresses.</p>
<p>The hackers continued their fraudulent activities for about a year and, according to police estimates, illegally gained more than 500 million rubles.</p>
<p>“We’re doing a good thing that has a specific result: judicial practice and the recession of similar viruses. We always offer any technical and legal support to law enforcement officers and are very happy when things reach a logical conclusion. During this investigation we applied advanced forensic equipment that fully justified itself. I would also like to note the well-coordinated and professional work of the officers of the Directorate for Combating Economic Crimes of the Moscow Central Internal Affairs Directorate and the investigators of the Moscow “K” department,” said Ilya Sachkov, Group-IB CEO.</p>
<p>Group-IB was founded in 2003 and became the first computer crime investigation company in Russia and one of the first such companies in the CIS. Group-IB develops methodologies for the investigation of modern computer crimes, such as DDoS attacks and remote banking fraud, and runs its own computer forensics lab.</p>]]></description> 
                <guid isPermaLink="true">http://www.group-ib.com/index.php/7-novosti/608-group-ib-experts-and-investigators-of-the-iki-department-and-directorate-for-combating-economic-crimes-of-moscow-central-internal-affairs-directorate-have-neutralized-a-gang-of-developers-and-hackers-infecting-pcs-of-internet-users-with-block-viruses</guid> 
                <pubDate>Wed, 01 Sep 2010 08:35:23 +0400</pubDate>
        </item>     </channel>
  </rss>        