Evil Corp Hackers’ Biggest Mistake: Using Gmail

If you’re a cybercriminal mastermind and you’re discussing your devilish plans, maybe don’t use email services that can be served with a US government warrant. Take the Evil Corp hacker crew believed to be responsible for the Dridex malware that likely earned them at least $50 million. The suspected members – five have now been named – could well rue the day they chose to use Google’s Gmail.

According to an affidavit from FBI special agent Brian Stevens unsealed today, the alleged masterminds were all connected to a handful of Gmail accounts. After serving a warrant on Google, the FBI had access to the contents of one key email address: iavorscaia@gmail.com. Within that account, believed to belong to Dridex administrator Smilex, they found a Dridex loader that attempted to download the malware by stitching it together from different websites.

Stevens’ account has a number of redactions that make it unclear what accounts were linked together, but it’s apparent backup emails for critical email accounts were also Gmail addresses. The FBI affidavit indicates at least three Gmail addresses were used by the alleged admin of Dridex. They all helped police map out the cybercriminal operation.

Crucially, analysis of the contents of one Gmail account revealed 10 emails from a hosting provider for an IP address of interest to the police. Some of those emails were sent in response to complaints from the owner of the Google account, others were abuse notifications sent to the account owner, asking them to remove malicious software from their server.

Account details for the encrypted Jabber instant messaging service were also revealed in the Gmail emails. Stevens claimed the FBI were subsequently able to review Jabber messages from Smilex, in which he indicated he was having trouble infecting people through spam messages […]