Last week was a bad one to be a cybercrook. Authorities in Russia arrested several men thought to be behind the Carberp banking Trojan, and obtained a guilty verdict against the infamous spammer Leo Kuvayev. In the United States, a jury returned a 33-month jail sentence against a Belarusian who ran a call service for cyber thieves. At the same time, U.S. prosecutors secured a guilty plea against a Russian man who was part of a gang that stole more than $3 million from U.S. businesses fleeced with the help of the ZeuS Trojan.
In August 2010, KrebsOnSecurity broke the news that spam king Leonid “Leo” Aleksandorovich Kuvayev, was being held in a Russian prison awaiting multiple child molestation charges. Late Friday, a Moscow City court judge rendered a guilty verdict against Kuvayev for crimes against the sexual integrity of minors, according to Russian news agency Lenta.ru.
In 2005, the attorney general of Massachusetts successfully sued Kuvayev for violations of the CAN-SPAM Act, a law that prohibits the sending of e-mail that includes false or misleading information about the origins of the message, among other restrictions. Armed with a massive trove of spam evidence gathered largely by lawyers and security experts at Microsoft Corp., the state showed that Kuvayev’s operation, an affiliate program known as BadCow, was responsible for blasting tens of millions of junk e-mails peddling everything from pirated software to counterfeit pharmaceuticals and porn.
In an apparent bid to sidestep those charges, Kuvayev fled the United States for Russia. A Massachusetts judge later convicted Kuvayev of CAN-SPAM violations, and ordered him to pay $37 million in civil penalties. FBI officials say that at the time, BadCow was raking in more than $30 million each year.
Russian prosecutors said Kuvayev sexually abused at least 11 girls aged 13 to 18 years, many of them suffering from mental and psychological problems and pupils of orphanages and boarding schools nearby Kuvayev’s business and residence in Moscow.
According to information obtained by KrebsOnSecurity, Russian prosecutors had help from Kuvayev’s old nemesis Microsoft, which had hired a local forensics company in 2010 to keep tabs on his activities. Microsoft’s Samantha Doerr confirmed that Microsoft Russia consulted with Moscow-based cyber forensics firm Group-IB, but said the nature of the investigation was related to Kuvayev’s spamming activities. Lenta.ru reports that it’s not clear when Kuvayev may be sentenced, but that the most serious offense he faces carries a penalty of 20 years in prison.
Group-IB also assisted in another investigation that bore fruit last week: The arrest of eight men — including two ringleaders from Moscow — alleged to have been responsible for seeding computers worldwide Carberp and RDPdor, powerful banking Trojans. Russian authorities say the crime gang used the malware to raid at least 130 million rubles (~$4.43 million USD) from more than 100 banks around the world, and from businesses in Russia, Germany and the Netherlands. Russian police released a video showing one of the suspects loudly weeping in the moments following a morning raid on his home.
The arrests help explain why the makers of Carberp abruptly stopped selling the Trojan late last year. Until recently, Carberp was sold on shadowy underground forums for more than $9,000 per license. In the screen shot below, a lead coder for the Carberp Trojan can be seen announcing on Nov. 1, 2011 that he will be immediately suspending new sales of the malware, and will not be reachable going forward.
Russian authorities are often criticized for failing to pursue cyber crooks who target Western companies and interests, but they do tend to take an interest in Russian cyber thieves who fleece their own countrymen. The guys behind Carberp seem to have ignored a long-observed but increasingly ignored tradition of not targeting companies and individuals in Russian and former Soviet states. According to antivirus maker ESET, computers in Russia and Ukraine comprised about 50 percent of all Carberp infections.
On Friday, authorities in New York announced the sentencing of Dmitry M. Naskovets, a Belarusian who operated a rent-an-accomplice business for bank thieves. Naskovets received a sentence of 33 months in prison after pleading guilty to running CallService.biz, a Russian language site for identity thieves who trafficked in stolen bank account data and other information, Wired.com writes. The service catered to thieves who wanted to conduct fraudulent financial transactions that required phone-based verification — minus the thick Eastern European accent.
Also on Friday, the same New York authorities announced the sentencing of 23-year-old Nikolay Garifulin, a Russian man who was part of a gang of international money mules that helped to steal more than $3 million from dozens of U.S. businesses. Garifulin was among several dozen money mules charged in September 2010, as part of “Operation ACHing Mule,” a global law enforcement sweep against an organized crime gang that used the ZeuS Trojan to fleece hundreds of small and mid-sized businesses. Garifulin was sentenced to two years in prison, forced to forfeit $100,000, and ordered to pay $192,123 in restitution.