
‘Evil Corp,’ a $100M Cybercrime Menace - panarky
https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/
======
munk-a
Just to clarify - why the hell didn't the FBI task someone to do what Brian
was doing?

> So, each day for several years my morning routine went as follows: Make a
> pot of coffee; shuffle over to the computer and view the messages Aqua and
> his co-conspirators had sent to their money mules over the previous 12-24
> hours; look up the victim company names in Google; pick up the phone to warn
> each that they were in the process of being robbed by the Russian Cyber Mob.

Just assigning an agent to that seems like a dead simple way to really quickly
curtail that operation.

~~~
krebsonsecurity
I can attest that the FBI has in fact been tracking these guys for more than a
decade, and some of them were indicted previously. What I can't understand is
why it took so long for this latest, more broad action, and why there is such
a huge time gap between the victims referenced in the indictments. There are
victims listed from 2010 and 2011 and then some this year (2019), but hardly
any in between.

That said, the FBI is not in the pre-crime business (with few exceptions), so
they're not really set up to warn businesses like I did for so many years.

~~~
bryanrasmussen
>the FBI is not in the pre-crime business (with few exceptions),

I guess those pre-crime exceptions are the ones where the agent convinces the
malcontents they're embedded with to try a little terrorism?

~~~
Melting_Harps
> I guess those pre-crime exceptions are the ones where the agent convinces the
> malcontents they're embedded with to try a little terrorism?

That's the exception, you have to justify your job and budget somehow. And
nothing loosens purse-strings like the 'T-word' post 9/11. Although to be
fair, the first attempt to bomb the WTC was a failed FBI Sting:

[https://www.nytimes.com/1993/10/28/nyregion/tapes-depict-pro...](https://www.nytimes.com/1993/10/28/nyregion/tapes-depict-proposal-to-thwart-bomb-used-in-trade-center-blast.html)

------
throwaway5752
The US Treasury dropped sanctions on three companies related to Evil Corp
after Lavrov's recent visit:
[https://twitter.com/dcpoll/status/1205544785446129664](https://twitter.com/dcpoll/status/1205544785446129664)
(which references
[https://twitter.com/jeffstone500/status/1205539378019360768](https://twitter.com/jeffstone500/status/1205539378019360768))

~~~
52-6F-62
I linked this article a while back. Didn't gain any traction here, but it's
worth a read to understand some of the scale:

[https://arstechnica.com/information-technology/2019/12/membe...](https://arstechnica.com/information-technology/2019/12/members-of-evil-corp-the-cybercrime-group-that-lived-in-luxury-are-indicted/)

~~~
cosmodisk
Well, I'm sure I'd be living large as well, if I was running a criminal
enterprise of this scale for the government...

------
golergka
This writeup misses a lot of information about this group's ties to FSB,
here's a better source: [https://meduza.io/en/feature/2019/12/12/the-fsb-s-personal-h...](https://meduza.io/en/feature/2019/12/12/the-fsb-s-personal-hackers)

Basically, its founder married a daughter of a high-placed FSB official and
enjoys full immunity for his actions.

~~~
cosmodisk
Schemes like this, especially of this scale, rarely, if ever, run without any
support from these types of agencies. So while the guy's face is all over the
internet for being 'the leader' of the org, I'm pretty sure there are quite a
few people above him that will never ever end up on any DoJ lists.

~~~
SAI_Peregrinus
The people above him are over the authority of the DoJ, they're in the domain
of the CIA & Department of State to deal with. At a certain level prosecuting
people starts international diplomatic incidents, and the DoJ tends to avoid
those without DoS authorization.

------
cortesoft
> Needless to say, the victims that spun their wheels chasing after me usually
> suffered far more substantial financial losses (mainly because they delayed
> calling their financial institution until it was too late).

That really rubs me the wrong way... someone doubts the random phone call
telling them they are being robbed and he acts like it was their fault for
doubting?

~~~
BoorishBears
That comment ended very differently than I expected it to.

What rubs me the wrong way is that they'd doubt the call. It'd take seconds to
process "how can the attacker benefit from this" and come up empty.

After all it's not like he was calling them and offering to fix the issue, he
was literally giving them a heads up, the worst that could happen is a wasted
call to the bank.

~~~
jonas21
> the worst that could happen is a wasted call to the bank.

Well, no. The worst (and probably very likely) thing that would happen is they
would call the bank, the bank would block withdrawals from their payroll
processor, and they would miss payroll for that period. This could also have
severe financial consequences for the company's employees, given how many
people live paycheck to paycheck.

Small businesses are constantly inundated with all varieties of scam calls, so
it's not at all unreasonable to be suspicious of someone who calls you out of
the blue and says, "Your payroll accounts have been hacked, and you’re about
to lose a great deal of money. You should contact your bank immediately." The
odds of ever getting a call from a good samaritan like Brian Krebs are
vanishingly small, while you're probably getting called by scammers every day.

~~~
BoorishBears
That's not true though...

He says right there, the fraudulent payroll payments were many times the
normal amount and not part of the normal cycle.

In fact, from what he described, even the bank would have picked up on the
fraudulent transactions upon human review.

Small businesses are not going to confuse out-of-cycle payroll payments with
normal ones, cash flow is way too tight for mistakes like that.

I'm also not saying it's unreasonable to be suspicious of the call, but after
that initial suspicion, it's unreasonable not to hang up immediately on the
scammer... then make a "sanity call" to bank/payroll processor/both.

~~~
perl4ever
This is like asking why people crash planes when one of their instruments is
telling them bad information and the others are all working fine. Once you
_know_ something important isn't trustworthy, it's easy and likely to become
very disoriented as to what you can trust. This is why people reflexively
doubt anything particularly out of the ordinary - it might rarely be wrong,
but it's far better than becoming paranoid at every drop of a hat.

------
erik_landerholm
omg..this part: "Here’s where it got interesting. Each of these mule
recruitment sites had the same security weakness: Anyone could register, and
after logging in any user could view messages sent to and from all other users
simply by changing a number in the browser’s address bar. As a result, it was
trivial to automate the retrieval of messages sent to every money mule
registered across dozens of these fake company sites."

Amazing....

And the picture of the Russian tool in question, with his cat and his clothes.
Could he be any more stereotypical Russian Goon looking?! He looks like
the evil character in an Austin Powers movie...
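The weakness quoted in the comment above is an insecure direct object reference: the site checks that you are logged in, then trusts the message id in the URL without checking that the message is yours. The block below is an added example, not code from the article or from any of the sites it describes, that models that handler next to a fixed version and a small access-log check a site operator could use to spot id walking; every name and message is constructed.

```python
# Added example: IDOR in a message-retrieval handler, its fix, and a log check.
# All accounts, ids and message bodies below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str   # account the message was addressed to
    body: str


# Constructed message store shared by every registered user of the site.
MESSAGES: Dict[int, Message] = {
    1: Message(1, "user_a", "Transfer the funds you received today (constructed)"),
    2: Message(2, "user_b", "Your next assignment will follow (constructed)"),
    3: Message(3, "user_a", "Keep your commission, wire the rest (constructed)"),
}


class Forbidden(Exception):
    pass


def get_message_vulnerable(session_user: str, msg_id: int) -> Optional[Message]:
    """Mirrors the bug: any logged-in user can read any message by changing the id.
    Only *being* logged in is checked, never ownership of the requested object."""
    if not session_user:
        raise Forbidden("login required")
    return MESSAGES.get(msg_id)


def get_message_fixed(session_user: str, msg_id: int) -> Optional[Message]:
    """Hardened form: the lookup is scoped to the caller, and an id that belongs to
    someone else looks exactly like a missing one, so ids cannot be probed."""
    if not session_user:
        raise Forbidden("login required")
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != session_user:
        return None
    return msg


def flag_enumeration(access_log: List[Tuple[str, int]], threshold: int = 3) -> List[str]:
    """Detection: accounts that request several ids they do not own are likely
    walking the id space. Returns the offending account names, sorted."""
    misses: Dict[str, int] = {}
    for user, msg_id in access_log:
        msg = MESSAGES.get(msg_id)
        if msg is None or msg.owner != user:
            misses[user] = misses.get(user, 0) + 1
    return sorted(u for u, n in misses.items() if n >= threshold)
```

The constructed log passed to `flag_enumeration` in a test would be the per-request (account, requested id) pairs a web server already records; the threshold is a tuning knob, not a fixed rule.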

~~~
LilBytes
Can write and run malware at an international scale.

Cannot run a simple PHP forum securely.

------
ufmace
What I wonder about these schemes - why don't any of these "Money mules" just
keep all of the money? If these guys had any enforcement capabilities in the
US, they presumably wouldn't need money mules.

~~~
PeterisP
The mules are never in possession of "all of the money" - they handle a couple
payments, after that they get the next ones. Sure, some of them might "keep"
the money (they can't keep it, the victims have claim on that money and the
mules aren't anonymous or protected) and not forward it, so the scammers need
to recruit new mules.

------
jonesnc
The name Evil Corp is a reference to the show Mr. Robot right?

~~~
dmix
Yes, obviously it was added later on. They've been doing this for at least a
decade well before the show existed.

------
reti
Is Brian Krebs the beneficiary of this $5 million bounty through this
investigation?

------
dmje
It's f######g 2019! Why isn't Krebs's website mobile friendly, ffs?

~~~
kovach
It's 2019, why are you using a mobile browser without a Reader View button?
(Hint: Firefox)

------
dmamills
Name Flyman.

Arrest Flyman.

------
asdfman123
It's true, distributing Evil Corp information is prohibited and will be
punished to the fullest extent of the law -- it didn't specify _who_ would be
in legal trouble, though.

I actually enjoy the hackers' questionable taste and extravagant lifestyle --
it's like Russian hackers are becoming self aware and having fun with it. They
seem like they'd be cool to hang out with if you were interested in also
defrauding millions from innocent people (which, alas, I am not).

