Two men have been found guilty of charges relating to the operation of Scan4You, a scanning service that allowed malware authors to check if their creations were detected by security products. The men were arrested overseas last year. Symantec assisted the case by testifying in court for the prosecution.
Jurijs Martisevs pleaded guilty in March to charges of conspiracy and aiding and abetting computer intrusions. Ruslans Bondars was found guilty in a Virginia court yesterday of conspiracy to violate the Computer Fraud and Abuse Act; conspiracy to commit wire fraud; and computer intrusion with intent to cause damage, and aiding and abetting. Sentencing is scheduled for September.
The maximum penalties for conspiracy are five years in prison, a fine of $250,000, full restitution and forfeiture of any proceeds of the crime. The maximum penalties for computer intrusion are 10 years in prison, a fine of $250,000, full restitution and forfeiture of any proceeds of the crime.
Scan4You ran from at least 2009 until 2016. Advertised on underground forums used by the cyber crime community, it was used by at least 30,000 customers. Bondars was responsible for the technical side of the service, maintaining its infrastructure and website. Martisevs took care of customer support, usually via email or instant messaging.
The FBI investigation found that one Scan4you customer used the service to test malware that was then used to steal approximately 40 million credit and debit card numbers from a string of U.S. retailers. One retailer alone lost approximately $292 million from the attack.
Scan4You was also used to develop the notorious Citadel financial Trojan which infected over 11 million victims worldwide and was used to steal over $500 million from victims.
Symantec’s Vikram Thakur was called by the prosecution as an expert witness during the case. Thakur explained how legitimate malware scanning services work by analyzing submitted files and listing which security software vendors flag the file as malware and what they detect it as. After a file is scanned, the scan results are publicly available to all vendors who subscribe to the service. This, Thakur said, was the crucial difference between legitimate services and their underground equivalents, whose results are shared with no one other than the person submitting the file.
In order to run an underground malware scanning service, its operators would need to acquire security software from multiple vendors. Thakur told the court that use of Symantec products in any such service would be in violation of our End User License Agreement (EULA).
“It’s important to distinguish between legitimate services, which allow the information security community to share information and protect customers, and illegal services which simply help malware authors try evade detection,” said Thakur. “Symantec is always happy to assist law enforcement agencies in prosecuting cyber crime.”