ATM Trojan Writers Tried to Set Alight AV Firm’s Offices

A Russian anti-virus firm has revealed that its offices were fire-bombed by malware writers after it published research about an ATM trojan they created to steal card data from cash machines.

Dr Web CEO, Boris Sharov, told blogger Brian Krebs that his firm received an email from a group calling itself the “International Carders Syndicate” soon after it published its findings in December 2013.

The group demanded that the company delete all reference to the trojan malware, claiming that by going public with the details, Dr Web could cost the group hundreds of millions of dollars in lost earnings for hundreds of criminal organizations around the world.

Dr Web published the missive on its site. It continued:

“You have a WEEK to delete all references about ATM.Skimmer from your web resource. Otherwise syndicate will stop cash-out transactions and send criminal for your programmers’ heads. The final of Doctor Web will be tragic.”

Two arson attacks followed a few months later at the St Petersburg offices of one of the firm’s distributors. Then the AV company received a second threat which repeated the Syndicate’s demands and warned it “will destroy Doctor Web’s offices throughout the world.”

It continued:

“In addition, syndicate will lobby the Prohibition of usage of Russian anti-viruses Law in countries that have representation offices of the syndicate under the pretext of protection against Russian intelligence service.”

The distributor then suffered a third arson attack, while Dr Web detected three attempts to break into its own offices in Moscow “and to do something bad,” Sharov claimed.

He told Krebs that the suspects were malware writers that had already sold the trojan to several cybercriminal gangs but not yet delivered it, so they were desperate to avoid the likely repercussions if the product was found to be blocked by Dr Web’s ATM Shield offering.

Sharov also claimed that the arsonists were most likely goons-for-hire, whom the malware writers had contacted via a Darknet site or similar.

A Moscow bank subsequently informed him that the group behind the trojan hailed from the Ukraine.
