Smilex: Dangers of Poor OpSec

Michael Marriott | 27 October 2015

Background

On 13 Oct 2015, it was revealed in an indictment on the US Department of Justice website that Dridex (AKA Bugat and Cridex) activity had been disrupted and charges filed against a Moldovan administrator known as Andrey Ghinkul, AKA Andrei Ghincul, AKA Smilex. The arrest and disruption of activity are reported to have been conducted by the United Kingdom and United States as part of wider international cooperation.

Ghinkul was part of a group that disseminated Dridex, malware used to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through keylogging and web injects. The Federal Bureau of Investigation (FBI) estimated that at least $10 million USD in direct losses in the United States is attributable to Dridex.


Social media

A Facebook profile belonging to a Moldovan man named Andrey Ghinkul may shed some light.

According to his Facebook profile, he has a technical degree from the Technical University of Moldova. The URL of his profile is itself a likely reference to GH Construct, of which he is named Director. Information on a LinkedIn account corroborates this.

Ghinkul appears to have a comfortable life, having recently travelled to Thailand and France on holiday. Images also suggest he possesses a Lincoln Navigator vehicle. Judging by his social media, Ghinkul was leading a luxurious life from his base in Moldova.

Image (map): Location check-ins listed on Ghinkul's Facebook profile.

Image (car): A picture from Ghinkul's Facebook profile, showing a car with a ‘777’ number plate – a number associated with the hacking community, denoting full system access.


Ghinkul and Smilex

His social media presence is, by any standards, very open. Of course, this information does not necessarily mean that the Andrej Ghinkul identified here is Smilex. But it is possible to dig deeper and draw some links. For example, Ghinkul’s Facebook timeline has not been updated since 25th August – 3 days before his arrest. Prior to this, Ghinkul would update his profile several times a month.
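The timeline observation above is a cadence check: an account that used to post several times a month goes silent, and the silence starts just before a known event. The script below is an added example, not part of the original post, that makes that check explicit. It estimates an account's normal posting interval from a constructed list of update dates (sample data, not Ghinkul's real timeline), measures the silence since the last post, and flags the silence when it exceeds a multiple of the baseline. The same test is routinely used on the defensive side to spot dormant or abandoned accounts; the dates and the threshold factor are assumptions chosen for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample timeline (not real data): dates on which a profile was updated.
SAMPLE_POSTS = [
    date(2015, 6, 2), date(2015, 6, 9), date(2015, 6, 20),
    date(2015, 7, 1), date(2015, 7, 9), date(2015, 7, 18), date(2015, 7, 29),
    date(2015, 8, 6), date(2015, 8, 15), date(2015, 8, 25),
]

# Reference dates taken from the post: the article date and the reported arrest date.
ARTICLE_DATE = date(2015, 10, 27)
ARREST_DATE = date(2015, 8, 28)


def baseline_interval(posts):
    """Median number of days between consecutive posts.

    The median is used rather than the mean so that one long holiday gap does
    not distort the estimate of the account's usual cadence.
    """
    ordered = sorted(posts)
    gaps = [(later - earlier).days for earlier, later in zip(ordered, ordered[1:])]
    if not gaps:
        raise ValueError("need at least two posts to estimate a cadence")
    return median(gaps)


def silence_report(posts, observed_on, factor=3):
    """Compare the silence since the last post with the account's baseline cadence.

    Returns (last_post, silence_days, anomalous). `anomalous` is True when the
    silence is longer than `factor` times the median inter-post interval; the
    factor of 3 is an assumed threshold, not something the post prescribes.
    """
    last_post = max(posts)
    silence_days = (observed_on - last_post).days
    return last_post, silence_days, silence_days > factor * baseline_interval(posts)


def days_before_event(posts, event_date):
    """Days between the last post and a known external event (for example an arrest)."""
    return (event_date - max(posts)).days


if __name__ == "__main__":
    last_post, silence, flagged = silence_report(SAMPLE_POSTS, ARTICLE_DATE)
    print(f"baseline interval: {baseline_interval(SAMPLE_POSTS)} days")
    print(f"last post {last_post}, silent for {silence} days, anomalous={flagged}")
    print(f"last post was {days_before_event(SAMPLE_POSTS, ARREST_DATE)} days before the event")
```

With the sample dates the baseline comes out at 9 days, the silence at the article date is 63 days and is flagged, and the last post sits 3 days before the reported arrest date, which is the shape of the gap the post describes.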

Further open source research reveals that an Andrej Ghinkul sought a job on an online Moldovan job board. Crucially, in this post he used the email address [email protected]. A look-up of this email address on my.mail.ru suggests it belongs to Andrej Ghinkul, born on 7 July 1985. This would make Ghinkul 30, matching the age stated in the court documents.

Image (smilex lookup): A screenshot of details registered to [email protected].

A picture posted on his Facebook on 9th July of a birthday cake from his wife suggests his birthday falls around this time. Moreover, his profile on ok.ru corroborates this, showing a digital gift received on 7th July 1985.

Image (birthday cake): A picture from Ghinkul's Facebook profile, showing a recent birthday cake. Dated 9th July 2014.

Summary

Criminals invariably make mistakes, and the recent indictments show it has cost Ghinkul. Such an open social media account shows poor operational security. Indeed, the combination of Ghinkul’s name, location, technical background and link to the Smilex email address is enough for us to consider the link.