Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network. In this post we’ll look at the clues left behind by “Babam,” the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.
Since the beginning of 2020, Babam has set up numerous auctions on the Russian-language cybercrime forum Exploit, mainly selling virtual private networking (VPN) credentials stolen from various companies. Babam has authored more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam’s posts on Exploit include any personal information or clues about his identity.
But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified was hacked at least twice in the past five years, and its user database posted online. That information shows that Babam joined Verified using the email address “firstname.lastname@example.org.” The latest Verified leak also exposed private messages exchanged by forum members, including more than 800 private messages that Babam sent or received on the forum over the years.
In early 2017, Babam confided to another Verified user via private message that he is from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than by using the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their native tongue.
Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the email@example.com address was used in 2016 to register an account at filmai.in, which is a movie streaming service catering to Lithuanian speakers. The username associated with that account was “bo3dom.”
A reverse WHOIS search via DomainTools.com says firstname.lastname@example.org was used to register two domain names: bonnjoeder[.]com back in 2011, and sanjulianhotels[.]com (2017). It’s unclear whether these domains ever were online, but the street address on both records was “24 Brondeg St.” in the United Kingdom. [Full disclosure: DomainTools is a frequent advertiser on this website.]
A reverse search at DomainTools on “24 Brondeg St.” reveals one other domain: wwwecardone[.]com. Domains that begin with “www” are fairly common among phishers and among passive “typosquatting” sites that seek to siphon credentials from legitimate websites when people mistype a domain, such as by accidentally omitting the “.” after typing “www”.
Searching DomainTools for the phone number in the WHOIS records for wwwecardone[.]com — +44.0774829141 — leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexpay[.]com. A different UK phone number in a more recent record for the wwwebuygold[.]com domain — 44.0472882112 — is tied to two more domains — howtounlockiphonefree[.]com and portalsagepay[.]com. All of these domains date back to between 2012 and 2013.
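The “www-glued” pattern described above (the dot after “www” dropped so that “wwwbrand.com” is a separate registrable domain) is easy to screen for in a new-domain or certificate-transparency feed. The following is an added example, not code from the article or from any of the services it mentions; the brand list and the observed domains are constructed from the names in the text, and the suffix handling assumes single-label TLDs rather than a public-suffix-list lookup.

```python
from typing import Optional

# Constructed list of brands a defender wants to watch for.
PROTECTED_BRANDS = {"ecardone", "ebuygold", "pexpay", "sagepay"}

# Constructed sample feed of newly observed domains, defanged with [.]
# in the same style the article uses.
OBSERVED = [
    "wwwecardone[.]com",
    "wwwebuygold[.]com",
    "portalsagepay[.]com",
    "www.pexpay.com",              # legitimate www host, must not be flagged
    "howtounlockiphonefree[.]com", # no protected brand inside
    "ecardone-login[.]net",
]

def refang(domain: str) -> str:
    """Turn a defanged 'example[.]com' into 'example.com', lowercased."""
    return domain.replace("[.]", ".").strip().lower()

def classify(domain: str, brands=PROTECTED_BRANDS) -> Optional[str]:
    """Label how a domain impersonates a brand, or None if it does not.

    'www-glued': registrable label is 'www' glued directly to a brand,
                 i.e. the omitted-dot typosquat ('wwwecardone.com').
    'affix'    : brand embedded in a longer label ('portalsagepay.com').
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]  # assumption: the label just before a one-part TLD
    if sld in brands:  # 'brand.com' and 'www.brand.com' are the real thing
        return None
    if sld.startswith("www") and sld[3:] in brands:
        return "www-glued"
    for brand in brands:
        if brand in sld:
            return "affix"
    return None

def flag_suspects(domains, brands=PROTECTED_BRANDS):
    """Return [(refanged_domain, label)] for every domain matching a pattern."""
    hits = []
    for d in domains:
        label = classify(d, brands)
        if label:
            hits.append((refang(d), label))
    return hits

if __name__ == "__main__":
    for host, label in flag_suspects(OBSERVED):
        print(f"{label:10s} {host}")
```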
The original registration records for the iPhone, Sagepay and Gold domains share an email address: email@example.com. A search on the username “bo3dom” using Constella’s service reveals an account at ipmart-forum.com, a now-defunct forum concerned with IT products, such as mobile devices, computers and online gaming. That search shows the user bo3dom registered at ipmart-forum.com with the email address firstname.lastname@example.org, and from an Internet address in Vilnius, Lithuania.
Devrian27@gmail.com was used to register multiple domains, including wwwsuperchange.ru back in 2008 (notice again the suspect “www” as part of the domain name). Gmail’s password recovery function says the backup email address for email@example.com is firstname.lastname@example.org. Gmail accepts the address email@example.com as the recovery email for that devrian27 account.
According to Constella, the firstname.lastname@example.org address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456”.
Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including email@example.com. Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.
At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the firstname.lastname@example.org address used two passwords at that site: lebeda1 and a123456.
A reverse WHOIS search on “Vytautas Mockus” at DomainTools shows the email address email@example.com was used in 2010 to register the domain name perfectmoney[.]co. This is one character off of perfectmoney[.]com, which is an early virtual currency that was quite popular with cybercriminals at the time. The phone number tied to that domain registration was “86.7273687”.
A Google search for “Vytautas Mockus” says there’s a person by that name who runs a mobile food service company in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz — an official online directory of Lithuanian companies — says Palvisa was established in 2011 by a Vytautas Mockus, using the phone number 86.7273687 and the email address firstname.lastname@example.org. The report states that Palvisa is active, but has had no employees other than its founder.
Reached via the email@example.com address, the 36-year-old Mr. Mockus expressed mystification as to how his personal information wound up in so many records. “I am not involved in any crime,” Mockus wrote in reply.