Jewish World Review

Cybercrime takedown!

By Mark Clayton





How the Gozi cybercrime gang, responsible for a virus that infected more than a million computers around the world, including some operated by the US space agency and others by banks -- at a cost of tens of millions of dollars -- was captured



JewishWorldReview.com | (TCSM) "In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online."

Beginning in 2007, those innocuous-sounding words began appearing seamlessly and immediately on the personal computer screens of thousands of online banking victims in the US and worldwide right after they logged in to their accounts.

Many were duped into entering their mother's maiden name, social security numbers, and other personal data into the neat little labeled boxes.

Little did they know that the moment the personal data was entered, a trojan horse program inhabiting their personal computer immediately sent it to a computer server in California — and from there to a central command-and-control server in the Netherlands. After that, access to the stolen account data was sold to other criminals, who used it to enter the accounts and transfer out cash.

Tens of millions of dollars was stolen this way from online accounts, according to charges filed in a federal court in New York Wednesday against the alleged leading members of the Gozi Gang, cyber bank robber masterminds and creators of the infamous Gozi trojan, one of the world's most notorious and malicious bank-theft software programs.

According to the US attorney for New York's Southern District, the alleged gang leaders, three Eastern European men in US custody, played critical roles in producing and distributing the Gozi virus. They faced criminal charges ranging from conspiracy to commit bank fraud to access device fraud and computer intrusion, and maximum penalties ranging from 60 to 95 years in prison.



Since 2007, Gozi has infected at least 1 million computers worldwide, including 40,000 in the US.

Documents released in federal court shed light on the federal takedown of the gang — including the three alleged international cybercriminals suspected of creating and distributing the Gozi virus (really a trojan horse program that creates an invisible digital back door) — as well as the inner workings of the gang.

First, they allege that Nikita Kuzmin, a Russian national, was the mastermind who set out the technical specifications and hired a programmer called only "CC-1" to create the Gozi Trojan in 2005. Mr. Kuzmin was arrested during a visit to the United States in November 2010, later pleading guilty to computer intrusion and fraud charges in May 2011.

Charged yesterday was Deniss Calovskis, a Latvian who goes by the online nickname "Miami" and who is alleged to have written some of the computer code that made the Gozi trojan so effective. He was arrested in Latvia in November 2012. He was indicted on several conspiracy charges, including conspiracy to commit aggravated identity theft.

Also charged was Mihai Ionut Paunescu, a Romanian whose alleged hacker handle is "Virus." Authorities say he operated a so-called "bulletproof hosting" service that enabled Kuzmin and other cybercriminals to distribute the Gozi trojan, the Zeus trojan, and other infamous malware. He was arrested in Romania in December 2012.

"As we have seen with increasing frequency, cybercriminals' bank heists require neither a mask nor a gun, just a clever program and an Internet connection," said Preet Bharara, US attorney for Manhattan, in a statement. "This case should serve as a wake-up call to banks and consumers alike, because cybercrime remains one of the greatest threats we face, and it is not going away anytime soon."

Once the Gozi trojan was coded, the court documents allege, Kuzmin began sharing it with other cybercriminals in exchange for a weekly fee through what he called his "76 Service."

Through the service, Kuzmin made the Gozi trojan's catch available to criminals, who could also configure the program to steal data of their choosing — for instance from a particular country. All the stolen data was stored for them on Mr. Paunescu's bullet-proof servers.

Meanwhile, Kuzmin advertised his "76 Service" on Internet cybercrime forums. Finally, in 2009, Kuzmin began to do what other cyber bank trojan makers had done long before — sell the actual source code to Gozi. The price: $50,000 a copy.

Along the way, Gozi infected 160 computers at NASA, stealing logon credentials there, as well as computers in Germany, Great Britain, Poland, France, Finland, Italy, and Turkey. "Where Gozi really was a trailblazer was in providing criminal-to-criminal services," says Don Jackson, a senior security researcher with the Counter Threat unit of Dell Secureworks in Atlanta, who first discovered Gozi in 2007.

"The 76 Service was not about selling the source code, but selling access to the infected computers," he says, "reaching out to other criminals and providing live data feeds."

After he first unveiled the workings of Gozi in 2007, the gang backed off of targeting US bank customers and focused instead on European victims. As a result, Mr. Jackson says that for about three years he had a hard time getting the attention of US law enforcement authorities, who were less concerned about European attacks. But that all changed a few years later when the gang started hitting the US again, he says.

"About 2010, the Gozi gang began targeting US banks almost exclusively," Jackson says. "That's when FBI started calling again asking for information."

Jackson says the capture of Paunescu, the alleged bullet-proof hosting service provider, was a key to ending Gozi.

Unlike Gozi, other major banking trojan malware like Zeus and SpyEye is more user friendly for the criminals, involving point and click systems, thus making those operations more resilient - and even more dangerous, Jackson says.

But because the Gozi gang's inner circle was a tightly knit group, and because the trojan required more technical expertise to operate, he thinks that Gozi is likely to be dead in the long run, even if a few operators of the software try to persist.

"I think in this case they've finally cut off the head of the snake," he says.

© 2013, The Christian Science Monitor