4 Bulletproof Hosting Provider Administrators Sentenced


Cybercrime, Cybercrime as-a-service, Fraud Management & Cybercrime

Bulletproof hosting service supported Zeus, SpyEye and Citadel malware, according to the FBI

Mathew J. Schwartz (euroinfosec) •
October 21, 2021

How did criminals get banking Trojans like Zeus, SpyEye, and Citadel, as well as attack tools like the Blackhole Exploit Kit, to prey on victims?


Many were customers of a bulletproof hosting service that, according to US officials, was run in part by four men from Eastern Europe and helped criminals operate malware, botnets and other online attack tools, including sending out large volumes of malware-laden spam.

Bulletproof hosting refers to infrastructure provided to criminals to help them launch online attacks. Typically, bulletproof hosting servers are run by administrators who ask few questions and do not respond to takedown requests or court orders, for example when a foreign ISP or a law enforcement agency traces malware attacks, botnet hosting or spam to the service's servers, or requests evidence to build a case.

The hosting service that is the subject of this case has not been named by the authorities or in court documents.

The four suspects were extradited last year from Eastern Europe to stand trial in the United States. Authorities say other “known and unknown” suspects who were part of the operation are still at large.

Sentencing

Two of the men – Pavel Stassi, 30, of Estonia, and Aleksandr Skorodumov, 33, of Lithuania – were sentenced to two years and four years in prison, respectively, by Chief Judge Denise Page Hood of the U.S. District Court for the Eastern District of Michigan, according to the US Department of Justice.

The two entered into plea deals with prosecutors earlier this year and agreed to plead guilty to one count of Racketeer Influenced and Corrupt Organizations Act, or RICO, conspiracy, which carries a sentence of up to 20 years in prison.

Stassi was sentenced on June 28 and Skorodumov was sentenced on Wednesday.

Two co-defendants, Aleksandr Grichishkin and Andrei Skvortsov, both 34 and Russian nationals, also pleaded guilty to one count of RICO conspiracy. Sentencing of all the defendants was originally scheduled to conclude in September but has been delayed, no doubt in large part because of slowdowns caused by the ongoing COVID-19 pandemic.

The indictment charged the four men not only with one count of RICO conspiracy but also with one count of bank fraud conspiracy, which appears to have been dropped.

“Over many years, the defendants have facilitated the transnational criminal activity of a vast network of cybercriminals around the world by providing them with a safe haven to anonymize their criminal activities,” said Special Agent in Charge Timothy Waters of the FBI's Detroit field office. “This resulted in millions of dollars in losses for American victims.”

Roles and responsibilities

The two Russians – Grichishkin and Skvortsov – founded and owned the service, with the former acting as its “day-to-day boss,” according to a superseding indictment against the four men filed in February 2020 and unsealed on March 4, 2020.

According to court documents:

  • Grichishkin “oversaw advertising on online forums, set prices for hosting services, negotiated and interfaced with clients, managed the hiring and compensation of employees, and oversaw the work of system administrators and other employees.”
  • Skvortsov “served as a point of reference for the organization on online cybercrime forums, where a business's success depended on its reputation and connections.” He also referred clients and helped fine-tune the business and resolve any issues faced by clients, especially VIP clients.
  • Skorodumov, the Lithuanian, was a system administrator from at least December 2009 until May 2012.
  • Stassi, the Estonian, “handled customer relations and administrative services” from at least November 2010 to September 2014, and also helped Grichishkin filter orders, support customers and provide technical support.

The administrators used fake or stolen identities to register the infrastructure they used and to create the PayPal accounts that paid for it, the better to evade detection by law enforcement officials.

Customer service for malware operators

The administrators also monitored “sites used to blocklist technical infrastructure used for crime,” such as Spamhaus and ZeusTracker, and moved any “flagged” content to another part of their infrastructure to keep it online, authorities say.

Excerpt from the superseding indictment against the four defendants, filed in February 2020 and unsealed on March 4, 2020.
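The defensive counterpart to the blocklist monitoring described above is to query the same kind of list yourself, for instance to check whether an address you are about to trust, or one of your own mail relays, is listed. The following is an added example, not code from the article, the indictment or any of the services named in it. It builds the reversed-octet query name that DNS-based blocklists such as Spamhaus ZEN expect and decodes the 127.0.0.x answer codes; the code-to-list mapping is reproduced from memory of Spamhaus's public ZEN documentation and should be verified against the current docs, and the sample DNS responses are constructed, not real lookups (the resolver is injectable so the logic runs offline).

```python
"""DNSBL lookup helper: build a reversed-address query name and decode
the 127.0.0.x answers a list such as Spamhaus ZEN returns.
Added example; not code from the case or the article."""
import ipaddress
import socket

# Answer codes as published in Spamhaus's ZEN documentation (assumption:
# reproduced from memory; verify against the current docs before relying
# on any specific code).
ZEN_CODES = {
    "127.0.0.2": "SBL - Spamhaus Block List",
    "127.0.0.3": "SBL - CSS (snowshoe / compromised sender)",
    "127.0.0.4": "XBL - CBL (exploited or infected host)",
    "127.0.0.9": "SBL - DROP/EDROP (hijacked or criminal netblocks)",
    "127.0.0.10": "PBL - ISP-maintained end-user/dynamic range",
    "127.0.0.11": "PBL - Spamhaus-maintained end-user range",
    "127.255.255.252": "error: typo in the DNSBL zone name",
    "127.255.255.254": "error: query sent through an open/public resolver",
    "127.255.255.255": "error: query volume limit exceeded",
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """192.0.2.44 -> 44.2.0.192.zen.spamhaus.org (octets reversed, zone appended).
    Raises ValueError for anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def decode_dnsbl_answer(answers) -> dict:
    """Map the A records a DNSBL returned to listing reasons.
    An empty answer set (NXDOMAIN) means 'not listed'; 127.255.x.x codes are
    errors about the query itself, not verdicts about the address."""
    result = {"listed": False, "reasons": [], "errors": []}
    for a in answers:
        label = ZEN_CODES.get(a, f"unknown code {a}")
        if a.startswith("127.255."):
            result["errors"].append(label)
        elif a.startswith("127.0.0."):
            result["listed"] = True
            result["reasons"].append(label)
        else:
            # Anything outside 127/8 is not a DNSBL verdict (e.g. a wildcarded
            # or expired zone answering with a real address).
            result["errors"].append(f"non-loopback answer {a}")
    return result


def check_ip(ip: str, zone: str = "zen.spamhaus.org", resolver=None) -> dict:
    """Look an address up on a DNSBL. `resolver(name) -> list[str]` is
    injectable so the logic can be tested offline; by default the system
    resolver is used and a failed lookup (NXDOMAIN) is treated as 'clean'."""
    qname = dnsbl_query_name(ip, zone)
    if resolver is None:
        def resolver(name):
            try:
                return socket.gethostbyname_ex(name)[2]
            except socket.gaierror:
                return []
    out = decode_dnsbl_answer(resolver(qname))
    out["query"] = qname
    return out


# Constructed sample answers standing in for DNS responses (not real lookups).
SAMPLE_RESPONSES = {
    "44.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],  # SBL + XBL
    "1.2.0.192.zen.spamhaus.org": [],                            # NXDOMAIN
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],        # query error
}


def fake_resolver(name):
    """Offline stand-in for the system resolver, backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.1", "203.0.113.9"):
        print(ip, check_ip(ip, resolver=fake_resolver))
```

Two caveats a practitioner will hit in practice: ZEN answers 127.255.255.254 when queried through a public resolver such as 8.8.8.8, so production checks need a dedicated resolver or a Spamhaus data feed, and a stale or lapsed DNSBL zone can start returning wildcard answers, which is why the decoder refuses to treat anything outside 127/8 as a listing.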

The bulletproof hosting service also advertised “free, within reason” 24-hour customer support via ICQ and Jabber, according to court records.

The group also reportedly worked to forge links with cornerstones of the cybercrime-as-a-service ecosystem. For example, in April 2010, “at the direction of Skvortsov, Grichishkin contacted the developer of the SpyEye banking Trojan,” offering to “collaborate” and proposing: “you can refer clients to us and I will pay a fixed amount for each of them,” according to court documents.

Security experts say SpyEye was the dominant malware toolkit used by cybercriminals from 2009 to 2011 (see: Two SpyEye Malware Masterminds Sentenced).

Blast from the cybercrime past

The historical nature of the case is evident from some of the malware the defendants helped host, including the banking Trojans named above and the Blackhole exploit kit, all of which have seen a sharp decline in use in recent years.

Exploit kits are automated attack tools that identify vulnerabilities in a user's system – usually in the browser or its plugins – and then exploit those vulnerabilities to install malware. Malicious links, compromised legitimate websites and malicious attachments are all common ways of steering users to these toolkits.

But the use of exploit kits has declined dramatically since their heyday in the early 2010s, thanks in large part to the developers of the most targeted software – including Microsoft's Internet Explorer browser and Adobe's Flash and PDF plugins – adding automatic update capabilities to their software and forcing the removal of obsolete versions. These and other measures have helped reduce the attack surface once presented by outdated, vulnerable software running on millions of PCs.

On the malware side, banking Trojans were largely supplanted first by crypto-locking malware and then by cryptocurrency-mining malware. More recently, ransomware has regained popularity, although miners remain popular (see: Is Cryptocurrency Mining Malware Making a Comeback?).

Building cases takes time

This case took a considerable amount of time to build, as did bringing the suspects to justice. The men were charged with crimes committed from August 2008 until at least November 2015.

But authorities say long delays are not unusual when building cybercrime cases, which can be complex and time-consuming undertakings, even more so when they are international in scope. This case, for example, was investigated by the FBI with support from law enforcement agencies in Germany, Estonia and the UK.

“Given their international nature and the anonymity of the Internet, cybercrime investigations often take years,” says Saima Mohsin, acting US attorney for the Eastern District of Michigan. “They require the resources of multiple law enforcement agencies, the cooperation of multiple governments, skilled interpreters, and cumbersome extradition procedures.”

