A review of Megatraffer’s posts on Russian crime forums shows this user began peddling individual stolen code-signing certs in 2015 on the Russian-language forum Exploit, and soon expanded to selling certificates for cryptographically signing applications and files designed to run in Microsoft Windows, Java, Adobe AIR, Mac and Microsoft Office.

Megatraffer explained that malware purveyors need a certificate because many antivirus products will be far more interested in unsigned software, and because signed files downloaded from the Internet don’t tend to get blocked by security features built into modern web browsers. Additionally, newer versions of Microsoft Windows will complain with a bright yellow or red alert message if users try to install a program that is not signed.

“Why do I need a certificate?” Megatraffer asked rhetorically in their Jan. “Antivirus software trusts signed programs more. For some types of software, a digital signature is mandatory.”

At the time, Megatraffer was selling unique code-signing certificates for $700 apiece, and charging more than twice that amount ($1,900) for an “extended validation” or EV code-signing cert, which is supposed to only come with additional identity vetting of the certificate holder. According to Megatraffer, EV certificates were a “must-have” if you wanted to sign malicious software or hardware drivers that would reliably work in newer Windows operating systems.

One of Megatraffer’s ads on an English-language cybercrime forum.

Megatraffer has continued to offer their code-signing services across more than a half-dozen other Russian-language cybercrime forums, mostly in the form of sporadically available EV and non-EV code-signing certificates from major vendors like Thawte and Comodo.

More recently, it appears Megatraffer has been working with ransomware groups to help improve the stealth of their malware. Shortly after Russia invaded Ukraine in February 2022, someone leaked several years of internal chat logs from the Conti ransomware gang, and those logs show Megatraffer was working with the group to help code-sign their malware between July and October 2020.

WHO IS MEGATRAFFER?

According to cyber intelligence firm Intel 471, Megatraffer has been active on more than a half-dozen crime forums from September 2009 to the present day. And on most of these identities, Megatraffer has used the same email address. That same email address also is tied to two forum accounts for a user with the handle “O.R.Z.”

Constella Intelligence, a company that tracks exposed databases, finds that this email address was used in connection with just a handful of passwords, but most frequently the password “featar24”. Pivoting off of that password reveals a handful of email addresses, including one that Intel 471 shows was used to register another O.R.Z. user account - this one on Verifiedru in 2008. Prior to that, the same address was used as the email address for the account “Fitis,” which was active on Exploit between September 2006 and May 2007.

Constella found the password “featar24” also was used in conjunction with another email address, which is tied to yet another O.R.Z. account. That email address was used to create a Livejournal blog profile named Fitis that has a large bear as its avatar. In November 2009, Fitis wrote, “I am the perfect criminal. My fingerprints change beyond recognition every few days. At least my laptop is sure of it.”

Fitis’s Livejournal account.

Fitis’s real-life identity was exposed in 2010 after two of the biggest sponsors of pharmaceutical spam went to war with each other, and large volumes of internal documents, emails and chat records seized from both spam empires were leaked to this author. That protracted and public conflict formed the backdrop of my 2014 book - “Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.”

One of the leaked documents included a Microsoft Excel spreadsheet containing the real names, addresses, phone numbers, emails, street addresses and WebMoney addresses for dozens of top earners in Spamit - at the time the most successful pharmaceutical spam affiliate program in the Russian hacking scene and one that employed most of the top Russian botmasters. That document shows Fitis was one of Spamit’s most prolific recruiters, bringing more than 75 affiliates to the Spamit program over several years prior to its implosion in 2010 (and earning commissions on any future sales from all 75 affiliates).

The document also says Fitis got paid using a WebMoney account that was created when its owner presented a valid Russian passport for a Konstantin Evgenievich Fetisov, born Nov. Russian motor vehicle records show two different vehicles are registered to this person at the same Moscow address.