Is the Infocube firm tied to the Carbanak cybercrime gang?

The security expert Brian Krebs investigated the links between the Carbanak cybercrime gang and the Infocube security firm.

Today I want to share with you the findings of an investigation of the popular cyber security expert Brian Krebs. This time, Krebs investigated the link between a cybercrime gang and a security firm.

The security company is the Russian security firm Infocube, meanwhile the criminal organization it the notorious Carbanak crew.

The criminal crew is named “Carbanak cybergang” because of the name of the malware they used to compromise computers at banks and other financial institutions. According to the experts at Kaspersky, the majority of victims are located in Russia, but many other infections have been detected in other countries, including Japan, Europe and in the United States.

The crew has stolen at least $1 billion from more than 100 financial institutions worldwide. Ron Guilmette analyzed the domains used by the Carbanak cybercrime gang to spread their malware.

He discovered that data related tot he registrations of some of the domains used by the gang, including “weekend-service[dot]com” “coral-trevel[dot]com” and “freemsk-dns[dot]com” contains the same phone and fax numbers for what appears to be a Xicheng Co. [dot]com” “coral-trevel[dot]com” and “freemsk-dns[dot]com” contains the same phone and fax numbers for what appears to be a Xicheng Co. in China — 1066569215 and 1066549216, each preceded by either a +86 (China’s country code) or +01 (USA). All the domain records include the email address “williamdanielsen@yahoo.com“.

The Russian Infokube claims to work with the major security firms.

“According to data gathered by ThreatConnect, a threat intelligence provider [full disclosure: ThreatConnect is an advertiser on this blog], at least 484 domains were registered to the williamdanielsen@yahoo.com address or to one of 26 other email addresses that listed the same phone numbers and Chinese company.” wrote Krebs. “At least 304 of these domains have been associated with a malware plugin [that] has previously been attributed to Carbanak activity,” ThreatConnect told KrebsOnSecurity.”

Giving a close look ar the two numbers, 1066569215 and 1066549216 it is possible to verify that they differ slightly in the middle. Investigating the domains registered to those Chinese phone numbers Krebs discovered a website called “cubehost[dot]biz” that wasn’t used to spread the Carbanak.  The domains cubehost[dot]biz was registered in Sept. 2013 to Artem Tveritinov of Perm, Russia, it appears a dormant site linked to the Russian security firm called Infocube.

Brian Krebs reached out to Artem Tveritinov, Infokube CEO, for a comment. He also noticed that Tveritinov deleted his social media presence after Krebs discovered the link

“Our company never did anything illegal, and conducts all activities according to the laws of Russian Federation,” Tveritinov told Krebs via email. “Also, it’s quite stupid to use our own personal data to register domains to be used for crimes, as [we are] specialists in the information security field.”

Krebs also noticed that Tveritinov deleted his social media presence after Krebs discovered the link.

“I noticed that the Vkontakte social networking profile that Tveritinov had maintained regularly since April 2012 was being permanently deleted before my eyes. Tveritinov’s profile page and photos actually disappeared from the screen I had up on one monitor as I was in the process of composing an email to him in the other.”

Krebs highlighted that InfoKube/Cubehost also runs a range of Internet addresses managed by Petersburg Internet Network (PIN) Ltd., that is a Russian ISP with a very bad reputation.

Do you want know more about the Krebs’s investigation?

Enjoi it on Krebs on Security.

Pierluigi Paganini

(Security Affairs – Carbanak group, Infokube)