CSIS Security Group has turned over its findings to law enforcement in several countries.
On the coffee table was a message etched in powder, presumably cocaine: "I really miss you."
The photo was on a social networking profile of a 23-year-old man in Ukraine that analysts with a Danish computer security company believe designed and rents an advanced malicious software program targeting the financial industry, called "Hesperbot."
Hesperbot first emerged in Turkey around 2013. It's an advanced package of tools that can be used by less-skilled cybercriminals to break into online bank accounts, even defeating two-factor authentication systems. It is now being used against banking customers in Germany, France, the U.K., Australia, the Czech Republic, Portugal.
"I bet this [Hesperbot] is going to spread," said Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.
Kruse gave a presentation on his company's findings at the Association of Antivirus Asia Researchers conference in Sydney on Friday. His analysts have extensively studied Hesperbot, and with lots of skill and a bit of luck, they say they've connected Hesperbot's creator back to a real person.
It involved an extensive gumshoe effort, including a deep analysis of how Hesperbot works. Kruse's company has shared its findings with Europol, the European Union's law enforcement agency, Microsoft as well as law enforcement in Germany and the U.K.
Kruse showed a photo of the man during his presentation, but it can't be published due to the ongoing investigation. It's somewhat rare for computer security analysts to connect a cybercrime operation back to real people, as the perpetrators often take extensive precautions to prevent being traced.
From there, it's up to law enforcement to conduct their own investigations, which can be complicated by jurisdictional issues or a lack of cooperation from other countries. Law enforcement is still very much catching up with how to deal with cybercrime, Kruse said.
"It's a new area for them," Kruse said. "It's very complex."
CSIS analysts are currently monitoring 27 online bank account theft campaigns ongoing around the world using Hesperbot, whose infrastructure is rented out to budding cybercriminals.
"You can do a lot of damage," Kruse said later on the sidelines of the conference. "If you hit some of the small to medium size companies with attacks like this, you can really steal a lot of money."
CSIS also gained access to other backend technical information on Hesperbot, which yielded clues that made its creator easier to look for. Kruse said CSIS monitors underground, password-protected forums where cybercriminals trade tools and tips.
The database of one of those forums had at one time been hacked and leaked, which contained information on their Hesperbot man, leading to his identity, he said.
Hesperbot's infrastructure is hosted on a so-called "bulletproof" hosting service in Ukraine, which is the term for an ISP that caters to cybercriminals by providing connectivity services that are hard for authorities to shut down.
CSIS was also able to procure backend technical information on the bulletproof hosting company.
Surprisingly, they found that the same bulletproof hosting company used for Hesperbot was connected with several other well known types of malware, including Cryptolocker. That malware program encrypts a person's files, demanding a ransom from its victims to decrypt them.
The hosting company was also linked to the ZeroAccess botnet, the Andromeda botnet and Gameover Zeus , all malware programs involved in various kinds of financial fraud.