Smilex: Dangers of Poor OpSec
October 27, 2015
On 13 Oct 2015, an indictment published on the US Department of Justice website revealed that Dridex (AKA Bugat and Cridex) activity had been disrupted and that charges had been filed against a Moldovan administrator known as Andrey Ghinkul, AKA Andrei Ghincul, AKA Smilex. The arrest and disruption of activity are reported to have been conducted by the United Kingdom and United States as part of wider international cooperation.
Ghinkul was part of a group that disseminated Dridex – used to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of keylogging and web injects. It was estimated by the Federal Bureau of Investigation (FBI) that at least $10 million USD in direct loss to the United States is attributable to Dridex.
A Facebook profile belonging to a Moldovan man named Andrey Ghinkul may shed some light.
According to his Facebook profile, he has a technical degree from the Technical University of Moldova. The URL of the profile itself is a likely reference to GH Construct, of which he is named Director. Information on a LinkedIn account corroborates this.
Ghinkul appears to have a comfortable life, having recently travelled to Thailand and France on holiday. Images also suggest he possesses a Lincoln Navigator vehicle. Judging by his social media, Ghinkul was leading a luxurious life from his base in Moldova.
Location check-ins listed on Ghinkul’s Facebook profile
A picture from Ghinkul’s Facebook profile, showing a car with a ‘777’ number plate – a number associated with the hacking community, denoting full system access.
Ghinkul and Smilex
His social media presence, by any standards, is very open. Of course, this information does not necessarily mean that the Andrej Ghinkul identified here is Smilex. But it is possible to dig deeper and draw some links. For example, Ghinkul’s Facebook timeline has not been updated since 25th August – 3 days before his arrest. Before that, Ghinkul would update his profile several times a month.
Further open source research reveals that an Andrej Ghinkul sought a job on an online Moldovan job board. Crucially, in this post he used the email address firstname.lastname@example.org. A look-up of this email address on my.mail.ru suggests it belongs to Andrej Ghinkul, born on 7 July 1985. This would make Ghinkul 30, which matches the age stated in the court documents.
A screenshot of details registered to email@example.com
A picture posted on his Facebook on 9th July of a birthday cake from his wife suggests his birthday falls around this time. Moreover, his profile on ok.ru corroborates this, having received a digital gift for 7th July 1985.
A picture from Ghinkul’s Facebook profile, showing a picture of a recent birthday cake. Dated 9th July 2014.
Criminals invariably make mistakes, and the recent indictment shows that this has cost Ghinkul. Such an open social media account shows poor operational security. Indeed, the combination of Ghinkul’s name, location, technical background and link to the Smilex email address is enough for us to consider the link.