One of the Kazakh banks asked CyberSEALs to provide cybersecurity services: the bank submitted a request for a data breach analysis. Cybersecurity experts checked the information and found, on one of the “forums with a shady reputation”, an offer to sell the financial data of the bank’s clients. However, the announcement itself was suspicious.
A user called Afonya had been registered on the site since September 2017, but in all that time he had posted only 4 offers, 2 of which concerned the sale of the Kazakh bank’s database. This indicated a low level of activity for the hacker.
The experts managed to establish the email address the fraudster had used to register on the forum. This address led to a Facebook page that could potentially belong to the fraudster and also helped to identify the attacker’s Skype account.
With this information, they began to look for the carder on the “specialized forums”. It turned out that the hacker was registered on the 10 most popular sites for selling banking data. The experts also established the time intervals of the criminal’s activity on these sites and the IP addresses he used on them.
On one of these forums, the experts found a post by the attacker that helped to identify an alternative email address and another ICQ profile; that profile in turn revealed a further email address of the criminal containing his first and last name. A search on this email confirmed the connections with the previously found accounts and email addresses, and a search by the name of the person involved led to two accounts on a Russian-language social network. Although the accounts had been removed, the experts managed to extract information from the web archive, find out the suspect’s name, establish that he is in Belarus, and identify the university where he studied.
“Based on our research, we were able to identify 2 more email addresses directly related to the attacker’s correspondence on carding. One of the addresses had been used by the hacker to register an account on a popular Russian online bulletin board, where he indicated a contact phone number. Analysis of the second email address made it possible to establish that in 2013 the hacker was in Moscow, Russia,” says Ihor Bykov, CyberSEALs analyst.
“The investigation allowed us to deanonymize the attacker and develop an evidentiary base to share with the customer. Based on the report, it can be concluded that the attacker promoted his profiles on darknet forums to create a negative reputation for the bank and to mislead users who wanted to acquire banking information on the bank’s clients. The hacker did not own the real user data,” CyberSEALs explains.