Posts Tagged: Yevhen Kulibaba


4
May 12

Microsoft to Botmasters: Abandon Your Inboxes

If the miscreants behind the ZeuS botnets that Microsoft sought to destroy with a civil lawsuit last month didn’t already know that the software giant also wished to unmask them, they almost certainly do now. Google, and perhaps other email providers, recently began notifying the alleged botmasters that Microsoft was requesting their personal details.

Page 1 of a subpoena Microsoft sent to Google.

Microsoft’s unconventional approach to pursuing dozens of ZeuS botmasters offers a rare glimpse into how email providers treat subpoenas for account information. But the case also is once again drawing fire from a number of people within the security community who question the wisdom and long-term consequences of Microsoft’s strategy for combating cybercrime without involving law enforcement officials.

Last month, Microsoft made news when it announced a civil lawsuit that it said disrupted a major cybercrime operation that used malware to steal $100 million from consumers and businesses over the past five years. That legal maneuver may have upset some cyber criminal operations, but it also angered many in the security research community who said they felt betrayed by the action. Critics accused Microsoft of exposing sensitive information that a handful of researchers had shared in confidence, and of delaying or derailing international law enforcement investigations into ZeuS Trojan activity.

Part of the controversy stems from the bargain that Microsoft struck with a federal judge in the case. The court granted Microsoft the authority to quietly seize dozens of domain names and Internet servers that miscreants used to control the botnets. In exchange, Microsoft agreed to make every effort to identify the “John Does” that had used those resources, and to give them an opportunity to contest the seizure. The security community was initially upset by Microsoft’s first stab at that effort, in which it published the nicknames, email addresses and other identifying information on the individuals thought to be responsible for renting those servers and domains.

And then the other shoe dropped: Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint posted at zeuslegalnotice.com, which listed nicknames and other information tied to 39 separate “John Does” that Microsoft is seeking to identify. But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.

According to sources who received the notices but asked not to be named, the Google alerts read:

“Hello,

Google has received a subpoena for information related to your Google
account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v.
John Does 1-39 et al., US District Court, Northern District of California,
1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).

To comply with the law, unless you provide us with a copy of a motion
to quash the subpoena (or other formal objection filed in court) via
email at google-legal-support@google.com by 5pm Pacific Time on May
22, 2012, Google may provide responsive documents on this date.

For more information about the subpoena, you may wish to contact the
party seeking this information at:

Jacob M. Heath
Orrick, Herrington, & Sutcliffe, LLP
Jacob M. Heath, 1000 Marsh Road
Menlo Park, CA 94025

Google is not in a position to provide you with legal advice.

If you have other questions regarding the subpoena, we encourage you
to contact your attorney.

Thank you.”

Unlike most of its competitors in the Webmail industry, Google is exceptionally vocal about its policy for responding to subpoenas. This has earned it top marks from privacy groups like the Electronic Frontier Foundation (EFF), which recently ranked ISPs and social media firms on the transparency of their policies about responding to requests for information filed by the government or from law enforcement.

Continue reading →


4
Oct 11

ZeuS Trojan Gang Faces Justice

Authorities in the United Kingdom have convicted the 13th and final defendant from a group arrested last year and accused of running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the help of the ZeuS banking Trojan. The news comes days after U.S. authorities announced the guilty plea of the 27th and final individual arrested last year in New York in a related international money-laundering scheme.

Yevhen Kulibaba

Yevhen Kulibaba

According to the Metropolitan Police, the U.K. courts have convicted 13 members of the gang, including four who were profiled last year by KrebsOnSecurity shortly after their initial arrest and charging. The gang is thought to have used the ZeuS Trojan to steal nearly £3 million (USD $4.6M) from banks in the U.K.. They are believed to be responsible for aiding in the theft of at least USD $3 million from U.S. banks and businesses in the past two years.

Karina Kostromina

Among those convicted were the husband-and-wife ringleaders of the gang, 33-year-old Ukrainian property developer Yevhen Kulibaba, and his wife, Karina Kostromina, 34. According to British prosecutors, the two lived a “jet set” lifestyle and spent money on holidays, cars and property. Kostromina was cleared of conspiracy charges but convicted of money laundering, and sentenced this week to two years in prison. Kulibaba is awaiting sentencing on charges of conspiracy to defraud.

Continue reading →


30
Sep 10

11 Charged In ZeuS & Money Mule Ring

Authorities in the United Kingdom on Wednesday charged 11 individuals with running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the help of the ultra-sophisticated ZeuS banking Trojan.

Yevhen Kulibaba

The gang is believed to be responsible for stealing more than $30 million from banks worldwide between October 2009 and September 28, 2010, and roughly £6 million (US$9.5 million) from financial institutions in the United Kingdom over a three-month period.

Karina Kostromina, in undated photo.

According to sources close to the case, members of the group also were heavily involved in online banking thefts perpetrated against dozens of small businesses and organizations based in the United States. Eight gang members were charged with money laundering, and 10 were charged with conspiracy to defraud. Police arrested 20 people in a pre-dawn raid on Tuesday; nine were bailed on Wednesday. The Metropolitan Police’s Central e-Crime Unit said those individuals may face charges at a later date. Those charged were due to appear in Westminster Magistrates’ Court court early this morning.

The individuals arrested in the U.K. are thought to be a subset of a global cybercrime operation. The Wall Street Journal now reports that the U.S. Attorney’s office in Manhattan is preparing to announce that 60 people have been charged in connection with a major ZeuS crime ring.

Sources say the ringleader of the U.K. gang, 32-year-old Ukrainian property developer Yevhen Kulibaba (pictured above right), shuttled some of the stolen funds from the U.K. to Ukraine and to Latvia, where he has been building a home with his wife. Information obtained by KrebsOnSecurity indicates that Kulibaba’s wife may be Karina Kostromina (pictured above left), a 33-year-old Latvian woman who was among those charged with money laundering and conspiracy in connection with this case. The U.K. Metropolitan Police declined to confirm or deny whether Kulibaba and Kostromina were married, although their public statement puts the two in the same neighborhood – Nevada Heights, Chingford, Essex.

Yuriy Konovalenko

Kulibaba’s right-hand man, 28-year-old Yuriy Konovalenko — also of Nevada Heights — is described by the e-Crime Unit as a self-employed Web designer from Ukraine. Sources say Konovalenko was chiefly responsible for managing a large number of “money mules,” people hired to withdraw, carry or transmit cash stolen by the gang. A review of Konovalenko’s social networking site identities suggests he is a blood relative of Kulibaba’s, but U.K. police declined to confirm or deny this information.

Also charged with conspiracy and stealing money from online bank accounts is Milka Valerij (pictured below), a 29-year-old Ukrainian whom U.K. police say was a building laborer.

Milka Valerij

The oldest alleged member of the group — 34 year-old Georgian Zurab Revazishvili — is facing violations of the U.K. Identity Cards Act of 2005, which makes it a crime to possess false identity documents. The Metropolitan Police statement on the crimes doesn’t specify what Revazishvili’s role was, but sources say he may have been responsible for creating false identity documents for the gang’s money mules.

Continue reading →