26 Mar 15

Who Is the Antidetect Author?

Earlier this month I wrote about Antidetect, a commercial tool designed to help thieves evade fraud detection schemes employed by many e-commerce companies. That piece walked readers through a sales video for Antidetect showing the software being used to buy products online with stolen credit cards. Today, we’ll take a closer look at clues to a possible real-life identity of this tool’s creator.

The author of Antidetect uses the nickname “Byte Catcher,” and advertises on several crime forums that he can be reached at the ICQ address 737084, and at the jabber instant messaging handles “byte.catcher@xmpp.ru” and “byte.catcher@0nl1ne.at”. His software is for sale at antidetect[dot]net and antidetect[dot]org.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Searching on that ICQ number turns up a post on a Russian forum from 2006, wherein a fifth-year computer science student posting under the name “pavelvladimirovich” says he is looking for a job and that he can be reached at the following contact points:

ICQ: 737084

Skype name: pavelvladimirovich1

email: gpvx@yandex.ru

According to a reverse WHOIS lookup ordered from Domaintools.com, that email address is the same one used to register the aforementioned antidetect[dot]org, as well as antifraud[dot]biz and hwidspoofer[dot]com (HWID is short for hardware identification, a common method that software makers use to ensure a given program license can only be used on one computer).

These were quite recent registrations (mid-2014), but that gpvx@yandex.ru email also was used to register domains in 2007, including allfreelance[dot]org and a domain called casinohackers[dot]com. Interestingly, one of the main uses that Byte Catcher advertises for his Antidetect software is to help beat fraud detection mechanisms used by online casinos. As we can see from this page at archive.org, a subsection of casinohackers.com was at one time dedicated to advertising Antidetect Patch — a version that comes with its own virtual machine.

That ICQ number is tied to a user named “collisionsoftware” at the Russian cybercrime forum antichat[dot]ru, in which the seller is advertising software that routes the user’s Internet connection through hacked PCs. He directs interested buyers to the web site cn[dot]viamk[dot]com, which is no longer online. But an archived version of that page at archive.org shows the same “collision” name and the words “freelance team.” The contact form on this site also lists the above-referenced ICQ number and email gpvx@yandex.ru, and even includes a résumé of the site’s owner.

Another domain connected to that antichat profile is cnsoft[dot]ru, the now defunct domain for Collision Software, which bills itself as a firm that can be hired to write software. The homepage lists the same ICQ number (737084).

The ICQ.com profile page for that number includes links to accounts on Russian fraud forums that are all named “Mysterious Killer.” In one of those accounts, on the fraud forum exploit[dot]in, Mysterious Killer lists the same Jabber and ICQ addresses, and offers a variety of services, including a tool to mass-check PayPal account credentials, as well as a full instructional course on click-fraud.

Antidetect retails for between $399 and $999, and includes (somewhat unreliable) live support.

Both antifraud[dot]biz and allfreelance[dot]org were originally registered by an individual in Kaliningrad, Russia named Pavel V. Golub. Note that this name matches the initials in the email address gpvx@yandex.ru. KrebsOnSecurity has yet to receive a response to inquiries sent to that email and to the above-referenced Skype profile. Update, 1:05 p.m.: Pavel replied to my email, denying that he produced the video selling his software. “My software was cracked few years ago and then it as spreaded, selled by other people,” he wrote. Meanwhile, someone has started deleting photos and other items linked in this story.

Original story:

A little searching turns up this profile on Russian social networking giant Odnoklassniki.ru for one Pavel Golub, a 29-year-old male from Koenig, Russia. Written in Russian as “Кениг,” this is Russian slang for Kaliningrad and refers to the city’s previous German name.

One of Pavel’s five friends on Odnoklassniki is 27-year-old Vera Golub, also of Kaliningrad. A search of “Vera Golub, Kaliningrad” on vkontakte.com — Russia’s version of Facebook — reveals a vk.com group in Kaliningrad about artificial fingernails that has two contacts: Vera Ivanova (referred to as “master” in this group), and Pavel Vladimirovich (listed as “husband”).

The Vkontakte profile linked to Pavel’s name on that group has been deleted, but “Vera Ivanova” is the same face as Vera Golub from Pavel’s Odnoklassniki profile.

A profile of one of Vera’s friends – one Natalia Kulikova – shows some photos of Pavel from 2009, where he’s tagged as “Pavel Vladimirovich” and with the link to Pavel’s deleted Vkontakte profile. Also, it shows his previous car, which appears to be a Mitsubishi Galant.

Pavel, posing with his Mitsubishi Galant in 2008.

A search on the phone number “79527997034,” referenced in the WHOIS site registration records for Pavel’s domains — antifraud[dot]biz and hwidspoofer[dot]com — turns up a listing on a popular auto sales Web site wherein the seller (from Kaliningrad) is offering a 2002 Mitsubishi Galant. That same seller sold a 2002 BMW last year.

On one level, it’s amusing that a guy who sells software to help Web criminals evade detection is so easily found on the Internet. Then again, as my Breadcrumbs series demonstrates, many individuals involved in writing malware or selling fraud tools either do not care or don’t take too many precautions to hide their identities — probably because they face so little chance of getting into trouble over their activities as long as they remain in Russia.

The above photo of Pavel in his Mitsubishi isn’t such a clear one. Here are a couple more from Kulikova’s Vkontakte pictures.

Vera and Pavel Golub in April 2012.

Pavel V. Golub, in 2009.

49 comments

  1. I’m not sure I would classify that software as “fraudware” because it has legitimate uses for QA testers and for those testing their browser fingerprinting techniques.

    As with many pieces of software, they can each be used for legitimate and illegitimate purposes.

    • sure it has legit uses. so why is the guy advertising the tool with a video that shows him buying stolen credit cards from carding shops and then buying PC games online with those stolen cards?

      • maybe because he didn’t create the video. many people sell software with stolen videos. It happened with a friend of mine – doesn’t mean it’s his video, just because the guy tried selling with it. Not saying the author stole it, but that the re-seller could’ve very well stolen it and sold the cracked one, using it. It’s not like he has any reason to lie, given first, he’s in Russia, and 2nd, if he were afraid of retribution, he wouldn’t have even admitted thus far, to creating said software…

        • I take that back, the time it was cracked was after the video was put up. But regardless, you can paint the author as malicious, but it doesn’t make the software itself malicious or fraudware.

          It’s like claiming that a mac address spoofer, proxies, and a VPN are so-called “fraudware…”

          • If said mac address spoofer, proxies, and VPN were created, advertised, and distributed specifically for the purpose of committing fraud like this software was, then yes, they would be fraudware. It’s incredibly pedantic and also incredibly incorrect to try to classify it otherwise.

          • The aforementioned domains advertising the product for malicious purposes are linked to Pavel (the author of the software). The response he provided is amusing. His software being cracked years prior and resold by others doesn’t explain the fact that his software has since been updated and provided through his website.

  2. Great work Brian exposing these slime buckets! There is such a thing as Karma and what goes around comes around. So one day his crimes will catch up to him and your exposing him helps tremendously to their one day getting caught. And to Pavel Golub, who I’m sure will be reading Krebs about himself, dude, you are getting fat. You really put on some weight between 2009 and 2012. It’s also obvious you haven’t put on any intellect either since 2006 exposing yourself this way. That pretty little wife is going to leave you one day for someone better looking and more intelligent. Thanks for the laugh.

  3. Is that sweeping arm supposed to illustrate his bursting pride in a Galant? Tells us all we need to know about him and Russia . . .

  4. On a scale of 1 to 10, what is the level of crime that he has committed, and how often do such crimes get revealed?

  5. Brian,
    “HWID is short or hardware identification”, you’re missing an F on FOR

    • On a scale of 1 to 10, what is the level of crime that he has committed, and how often do such crimes cause confusion and the raining down of salamanders?

  6. Why… that’s Uncle Fester and, and Wednesday, my daughter.

  7. That third picture shows one of his meals as well, which appears to be chicken on a stick.

  8. Still can’t get over that weight gain, perhaps he should use some of his proceeds from his fraud detection software to invest in an exercise bike. Just sayn!!

  9. Your investigative work is so impressive. Glad you’re one of the good guys. When does the movie come out and who’s playing you? 😉

  10. People have bad opsec. Get info on someone who people actually care about and it’ll be news worthy.

    • I can assure you many business owners do care about this software. Also, maybe you should check out some of the previous subjects in this series. They include most of the top spam botnet guys and quite a few big time cyber crooks.

      http://krebsonsecurity.com/category/breadcrumbs/

      • I am not this comment’s OP, but I see what he means. This tool is quite literally useless as all he has created is freely available and can be done with a handful of Firefox plugins and some reliable socks5 proxies. It actually amazes me that anyone would ever buy this product.

        A different thing that you should consider is that this could easily be a false breadcrumb trail (though seeing that one post is from 2009, this is unlikely).

      • Hey Brian, keep up the great work, my friend! I just wanted to let you know I’ve got a sample of this software if you’d like to take a look at it. Just let me know.

  11. Another in the series, “Brian finds a Russian”.

    Always interesting stuff, thanks for the break from the daily grind to read about guys who think they can just rip us off and live happily ever after.

  12. Casinohackers is now almost empty and the archive only shows the front page. Is the full site archived anywhere?

  13. On a scale of one to ten, how severe is this criminal act? It seems this would be a normal practice in Russia.

  14. Donald J Trump

    Interesting article

  15. I continue to notice how frequently the countries of Russia and China seem to be named on this site as originators of cybertheft. I also note the comment from Brian that “probably because they face so little chance of getting into trouble over their activities as long as they remain in Russia” as the reason for a certain lack of caution regarding his identity. Both countries have a communist orientation where there is no difference between doing things right or wrong. The end justifies the means. Glad I don’t live in societies like that, where if you are the Russian premier you can just arbitrarily assassinate anyone who threatens you, or consider cybertheft against the USA a good thing that is actually encouraged. Glad I live here!

  16. Godless Russians. Can you expect these people to have any sense of right and wrong?

    My advice is to wean yourself off the internet, use snail mail and cash at all times. You will sleep easier AND save a lot of money each month due to no internet bills.

    Personally, I plan to write my comments to Brian Krebs with a stamp.

  17. Empedocles_of_Agrigentum

    Brian, the response you got when you asked for live support sounds less like being unreliable and more like a script that scans for the name Krebs and cuts off the conversation, or it flags the conversation and reports it to the operator of the service so he can cut it off.

  18. Are you sure that you have the right person? Because your Pavel Golub looks remarkably like Evgeny Mikhailovich, who the FBI is looking for: http://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev/person_view_multimedia#images

  19. They do look very similar, no doubt. But the links to Golub and his wife in the article are very strong.

    • Brian, you have to comment on this! It’s obviously the same person shot at different times and angles. Otherwise they are twins. After all, the FBI is paying its largest ever reward for Bogachev: 3 million USD for his head.

  20. C’mon. We used to spend billions on our military to keep the Russians where they are. I’m sure today’s approach that lets them skim off 0.2% of our economy, is cheaper overall. It’s a good defensive strategy, one the Swiss used with great success in WWII … nobody in his right mind would attack their bank :).

  21. The tool looks like a poor version of Fiddler, which allows you to do a lot more and is regularly used in the security community.

  22. The Security Sleuth

    Great post, really enjoy these kinds of in depth investigation posts.

  23. Hi everyone, don’t you think it is a bit too fast to accuse the creator of actually very useful software? I use different types of emulators daily to test how responsive my page is, and also to distinguish organic from non-organic users that visit my page. If the creator of the Antidetect software can be blamed for creating such software (which I’m sure is not illegal), then we can go through the Play Market on Android, for example, and download User-Agent Switchers / emulators to use for the same criminal purpose and blame the creator for it (it’s free as well). It’s very obvious that a clever guy like him could easily hide his identity but didn’t, which shows the genuine purpose of staying public. I’ve done my part of the research; there are quite a few old hacked versions available out there which were modified and could be downloaded for any purpose, which does not make the software writer/creator liable for any misuse of the software. We can all guess what it is being used for, but if we all think that way, then we could blame Microsoft for Windows being used amongst hackers/fraudsters to attack and steal money. Think wider, guys.

  24. Great article Brian, keep ’em coming. For a second I thought this was the guy FBI is paying a $3mil reward to find, Evgeniy Mikhailovich Bogachev – they do look a bit alike. Well, looks like I’m not the first one who saw that. Who knows Golub may be working for FSB, unfortunately there isn’t much difference between criminals and law enforcement in Russia nowadays. I find it ironic that Snowden picked that country as a “safe haven”.

  25. Brian – I attempted this. The IRS could not verify my info although I took it directly off the tax form. When I tried again 24 hrs later, it selected entirely wrong information.

    All their phone numbers resulted in phone-tree run-arounds.

    I don’t know if using this service is a very good idea; no telling what it may have messed up.

  26. pavelvladimirovich = Vladimir Pavelovich?

  27. He made a legitimate piece of software. What you use to do with it is your choice and problem. A gun is made to kill, but you can’t prosecute the person who made it for making it. Simple.

    • Weak analogy. You can prosecute someone for selling a gun if they also sell ancillary services that are designed to make the gun effective at killing a particular target. The guy selling this product is actively involved in doing just that.

  28. Brian,

    Thanks. That’s eye opening cat & mouse. Something to consider for deviceID style detection.

  29. Brian,

    A very fascinating article.

    It would be interesting to know, if possible, what the banks and credit card companies are doing to counteract this software and other similar tools out there that are being used for fraudulent purposes.

    After all I assume they will be the biggest losers in this?

  30. That was cool. I’ve found one guy in a simple way a few months ago, but he didn’t reply to me :). Sadly for him. I personally don’t find the program so hard to create, and can’t find why you need it at all for online purchases. You can pay via cc’s also with Chrome and Mozilla and all the others, changing IP and screen resolution (which is not so important). Using multiple browsers and reinstalling them, or just cleaning the history, will do the job.
    For casino cashouts I recommend virtual machines and using a few more PCs. It’s not that hard anyway.