Last week, the world got the first glimpses of a man Russian authorities have accused of being “Paunch,” a computer crime kingpin whose “Blackhole” crimeware package has fueled an explosion of cybercrime over the past several years. So far, few details about the 27-year-old defendant have been released, save for some pictures of a portly lad and a list of his alleged transgressions. Today’s post follows a few clues from recent media coverage that all point to one very likely identity for this young man.
Dmitry Fedotov from Togliatti, Russia.
The first story in the Western media about Paunch’s arrest came on Oct. 8, 2013 from Reuters, which quoted an anonymous former Russian police detective. But the initial news of Paunch’s arrest appears to have broken on Russian news blogs several days earlier. On Oct. 5, Russian news outlet neslushi.info posted that a hacker by the name of Dmitry Fedotov had been arrested the night before in Togliatti, a city in Samara Oblast, Russia. The story noted that Fedotov was wanted for creating a program that was used by various organized crime groups to siphon roughly 26 billion rubles (USD $866 million) from unnamed banks. Another story from local news site Samara.ru on Oct. 8 references a Dmitry F. from Togliatti.
This is an interesting lead; last week’s story on Paunch cited information released by Russian forensics firm Group-IB, which did not include Paunch’s real name but said that he resided in Togliatti.
Fast-forward to this past week, and we see out of the Russian publication Vedomosti.ru a story stating that Paunch owned his own Web-development company. That story also cited Group-IB saying that Paunch had experience as an advertising manager. This Yandex profile includes a resume for a Dmitry Fedotov from Togliatti who specializes in Web programming and advertising, and lists “hack money” under his “professional goals” section. It also states that Fedotov attended the Volga State University of Service from 2003-2005.
That Yandex profile for Fedotov says his company is a site called “neting.ru,” a Web development firm. The current Web site registration records for that domain do not include an owner’s name, but a historic WHOIS record ordered from domaintools.com shows that neting.ru was originally registered in 2004 by a Dmitry E. Fedotov, using the email addresses box@neting.ru and tolst86@mail.ru.
A cached contact page for neting.ru at archive.org shows the same box@neting.ru email address and includes an ICQ instant messenger address, 360022. According to ICQ.com, that address belongs to a user who picked the nickname “tolst,” which roughly translates to “fatty.”
A user who picked the nickname “tolst” or “fatty” posted this image of his new Porsche Cayenne in March 2013.
This brings up something I want to address from last week’s story: Some readers said they thought it was insensitive of me to point out that Paunch himself called attention to his most obvious physical trait. But this seems to be a very important detail: Paunch had a habit of picking self-effacing nicknames.
The pictures of Paunch released by Group-IB show a heavyset young man, and Paunch seems to have picked nicknames that called attention to his size. One email address known to have been used by the Blackhole author was “paunchik@googlemail.com” (“paunchik” means “doughnut” in Russian). Blackhole exploit kit users who wished to place their advertisements in the crimeware kit itself so that other customers would see the ads were instructed to pay for the advertisements by sending funds to a Webmoney purse Z356971281174, which is tied to the Webmoney ID 561656619879; that Webmoney ID uses the alias “puzan,” a variant of the Russian word пузо, or “potbelly.”
Turns out, “tolst” was a common nickname picked by Paunch. We can see a user who picked that same “tolst” nickname posting in a Russian car forum in March 2013 about his new ride: a white Porsche Cayenne. According to this photo released by Group-IB, Paunch also owned a white Porsche Cayenne.
Neting.ru’s archived FAQ points to an official payment page at virtual currency Webmoney, which includes the name Dmitry E. Fedotov and the ICQ number 360022. That same Webmoney account shows up on wmid.name, a site that lists account holders who have a reputation for being late with promised payments. The last account on the bottom of that page is an entry that lists the same Webmoney ID, along with Dmitry Evegeny Fedotov’s date of birth (Nov. 6, 1986), passport number (3606578837), and physical address. It’s not clear when Fedotov was added to this list, but it’s possible he was simply unable to pay for promised transactions due to his early October arrest and detention.
This Odnoklassniki profile for a Dmitry Fedotov from Togliatti also puts his birthday at Nov. 6, and says he attended Volga State University of Service from 2003 to 2005.
Early on, Fedotov appears to have made a living by writing and selling Web scripts for various online currency exchange sites. But by 2009, this young man was growing more interested in computer security — specifically Web browser vulnerabilities.
The Web community Fido20.ru includes a member named “tolst” from Togliatti who gives his name as Dmitry Fedotov and was very active in discussions about network security, privacy and hacking. In this post from 2009 titled “Vulnerabilities in browsers and their plug-ins,” Fedotov can be seen warning users about unspecified new vulnerabilities in Apple’s Quicktime and Microsoft’s DirectX versions 7 through 9.
In another thread, Fedotov encourages the sharing of browser exploits and provides links to several vulnerability archives. He also tells fellow forum members that they are asking to get hacked if they leave various browser plugins activated.
“As I have done before, I am asking all the users as well as IT Security professionals to disable all plug-ins and add-ons in their browsers,” Fedotov warned forum members. “Do not think that if you are not users of Internet money (web money), there is no danger of being infected. In this case, the infected PCs are turned into socks proxies, spam/ddos bots and all the bad activity is done under your name, so that law enforcement can place all the blame on your shoulders. Safe surfing and good luck to you.”
Source: Krebs on Security