When a federal jury in Alexandria, Virginia, convicted a Latvian software developer last week of running an underground clearinghouse for computer hackers, U.S. prosecutors highlighted it as an example of their commitment to combating cybercrime.
“This verdict demonstrates our commitment to holding such actors accountable,” said acting U.S. Attorney Tracey Doherty-McCormick. “I commend the work of the agents and prosecutors both in the United States and in Latvia, who worked together to bring him to justice.”
Not mentioned was the role played by Trend Micro, a Japanese cybersecurity firm that collaborated with the FBI to hunt down the developer, Ruslans Bondars, and an accomplice, Jurijs Martisevs, who jointly operated Scan4You, a site that helped hackers test their malware.
In a report released after the verdict, Trend Micro offered an inside look at how it identified Scan4You in 2012, took a trove of data about the site to the FBI in 2014, and then worked closely with agents as they built a case against the two men.
Trend Micro says it has supported nearly 20 law enforcement cases around the world.
“In this case, our global threat intelligence network and team of researchers provided an invaluable resource for the FBI as it homed in on this notorious [counter antivirus] service,” said Ed Cabrera, chief security officer for Trend Micro.
The case highlights how the FBI and private cybersecurity firms, once wary of working together, have in recent years started teaming up to combat cybercrime, a problem that costs the world an estimated $600 billion a year.
“The value that the private sector brings to law enforcement investigations is almost incalculable,” said John Boles, a director at consulting firm Navigant who previously worked as an assistant FBI director and led the bureau’s global cyberoperations.
A decade ago “there was almost hesitation on both sides of the fence to cooperate, but somewhere along the line as the scales have tipped, everybody realized it’s a global issue,” Boles said.
In 2011, the FBI created the Office of the Private Sector within the Cyber Division, making private-sector collaboration a key pillar of its cybercrime-fighting strategy.
Since then, the bureau has made more than a dozen major arrests in cybercrime cases, many with help from the private sector, according to Boles. While cybercrime investigations are often initiated by the bureau, some start with a tip from the private sector.
Unusual activity
That was the case with the Scan4You investigation.
In 2012, Trend Micro researchers, while investigating a hacker group, noticed a flurry of unusual activity on their threat radar: Somebody using Latvian IP addresses kept checking the company’s web reputation system, a program that blocks malicious websites.
That led them to another discovery: regular checks of Scan4You URLs against Trend Micro’s web reputation system emanating from Latvia. The goal: to determine whether Scan4You’s scanning scripts could detect malware.
“By 2014, we had a deeper understanding [of Scan4You] and began that relationship with the FBI,” Cabrera said.
The collaboration would continue for the next three years as Trend Micro researchers and FBI agents gathered evidence about Scan4You, its operators and its users.
Scan4You was an underground service that allowed hackers to upload their malware to see whether it could be detected by more than 35 antivirus engines. At its peak in 2016, Scan4You was the largest service of its kind, boasting more than 30,000 customers.
The service allowed cyber scofflaws to test all manner of malicious software, ranging from so-called crypters, a type of software used to conceal malicious files, to remote access trojans, programs that allow a remote operator backdoor access to a computer.
‘World’s most destructive hackers’
Among Scan4You’s customers were “some of the world’s most destructive hackers,” according to Doherty-McCormick, the Virginia prosecutor.
One customer used Scan4You to test malware that was later used to steal about 40 million credit card and debit card numbers, costing one U.S. retailer $292 million, according to court documents.
A Russian hacker used Scan4You to develop Citadel, an infamous botnet used by cybercriminals to steal $500 million from bank accounts. The FBI worked with Microsoft to break up the network.
But Scan4You was not a very lucrative operation. As researchers dug deeper, they discovered that Bondars and Martisevs were affiliated with “some of the longest-running cybercriminal businesses” and “involved with one of the largest and oldest pharmaceutical spam gangs known as Eva Pharmacy,” according to Trend Micro.
Bondars, a longtime Latvian resident of Ukrainian citizenship, designed and maintained the site.
Martisevs, a Russian national living in Latvia, provided customer service and promoted the site on cybercriminal forums.
The pair’s deep involvement in an assortment of criminal activities gave them something that helped with their scanning service: cyber-cred.
“These threat actors gained the respect of many other cybercriminals who trusted them and used their malware scanning service,” the report says.
The end for Scan4You came with the 2017 arrests and extradition of Bondars and Martisevs to the United States. Shortly after their arrest, Scan4You went dark.
In March, Martisevs pleaded guilty and agreed to testify against Bondars. Last week, Bondars was convicted of three counts related to his role in Scan4You.
Scan4You’s downfall has taken the biggest service of its kind out of commission, but just how big a blow to cybercrime it represents remains to be seen.
Typically, when a site like Scan4You goes offline, its users flee to copycat sites. That has yet to happen, Cabrera said.
“This is a big blow to cybercrime, helping to disrupt countless threat actors and prove there are consequences to their actions,” he said.
…