Aug 26, 2:29 am (UTC-7) | by Feike Hacquebord (Senior Threat Researcher)
Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.
In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu, employees administer sites that host codec Trojans and command-and-control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies quickly draw heat when they become involved in Internet abuse and other cybercrimes, and they disappear after getting bad publicity or when upstream providers terminate their contracts.
Some of the larger daughter companies survived for up to 5 years, but were dismantled after they lost Internet connectivity in a San Francisco data center when the web hosting company Intercage went dark in September 2008, and after ICANN decided to revoke the company’s domain name registrar accreditation.
This was a major blow to the criminal operation. However, it quickly recovered and immediately started to spread its assets over many different web hosting companies. Today we count about 20 different web hosting providers where the criminal Estonian outfit has a presence. Besides this, the company owns two networks in the United States.
We gathered detailed data on the cybercrime ring from Tartu and found that it controls every step, from driving traffic to sites that host Trojans to exploiting the infected computers. Even the billing system for the fake antivirus software that the company pushes is controlled from Tartu. An astonishing 1,800,000 Internet users were exposed to bogus “you are infected” messages in July 2009 when they tried to access high-traffic pornography sites.
For a detailed analysis, please read our whitepaper: A Cybercrime Hub available at TrendWatch.
27 Responses to “Investigations on a Cybercrime Hub in Estonia”
August 26th, 2009 at 9:28 am
How can there be 1,800,000 Internet users in a country with 1.4M people? Plus many more stupid questions. Main question: the name of the company you are blaming? I feel a bit disturbed that you name my country so many times while hiding even the IPs of the criminals. Facts we can verify, please. If they are still around, we will help you to screw these guys for sure.
August 26th, 2009 at 9:53 am
OK, we checked for more data. The same gang offers a job which is “web-chat”: http://www.cvkeskus.ee/view_jobad.php?job_id=129277
Salary is about $500/mo and the contact is phone +372 58163020
http://www.smsmoney.ee/est/kontakt is an SMS loan service they run. Money laundering, in other words.
At http://www.cvkeskus.ee/view_jobad.php?job_id=182512&w=1 they offer a travel consultant job. The contact is phone +372 53333124
Many other things. In today’s online newspaper Eesti Ekspress, the chief of CERT Estonia says they are tightly related to the Russian mafia.
In case someone wants to go deeper, I can do pretty good data mining. tonu@jes.ee is my contact.
October 3rd, 2009 at 10:04 am
This is scary in and of itself; however, if you couple it with the recent study that Griffin University professor Jason Sharman did about how easy it is to set up anonymous corporations tied to secret bank accounts in the U.K. and the U.S., it becomes even more alarming.
He presented a summary of his main findings here:
http://www.step.org/attach.pl/2596/5699/Onshore%20secrecy,%20offshore%20transparency.pdf
The Economist did a brief write-up of the study here:
http://www.economist.com/businessfinance/displayStory.cfm?story_id=13382279