The US Attorney’s Office announced they were able to shut down an international crime ring that used the Zeus malware to steal money from US bank accounts.
…charges against 37 defendants, in 21 separate cases, for their roles in global bank fraud schemes that allegedly used hundreds of false-name bank accounts to steal over $3 million from dozens of U.S. accounts that were compromised by malware attacks. […] The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, an individual who obtained the false foreign passports for the mules, and money mules.
CNN calls it Trojan malware blamed for $3 million bank fraud
I am not a fan of calling things Trojan horse malware because the horse is so often removed, leaving just Trojan malware. That doesn’t sound right. Anyway, back to CNN:
According to complaints unsealed in Manhattan federal court, defendants used the Zeus Trojan program to surreptitiously obtain personal information and then hack into victims’ bank accounts.
The hackers then allegedly made unauthorized transfers of “thousands of dollars” to the bank accounts belonging to co-conspirators. Prosecutors said the malware was typically sent as an “apparently-benign e-mail” that embedded itself in the victims’ computers once it was opened.
The program, officials said, recorded keystrokes and allowed hackers to steal private account information, passwords and other “vital security codes.”
The alleged cybercriminals, based in Eastern Europe, used “money mules” to transport the stolen money overseas. Some of the mules had entered the United States on student visas or by using fake passports, according to the federal complaint. The FBI has already arrested 10 alleged money mules and 17 remain at large.
The attack path, in other words, starts with an email message that has malware attached. The email message is not filtered as spam and the Zeus malware is not filtered as, er, malware.
There are security control failures on many levels. The underlying story here, however, is one familiar in the physical security space — more secure banks means attacks shift towards more vulnerable users.
Thus, online banking security is good enough that attackers find it much easier to get passwords from users and then they use impersonation to get past bank security. Two-factor authentication, imperfect like the other security controls in question here, was the last standing defense that should have stopped this attack path.
Details of the cases are on the New York FBI site:
- United States v. Artem Tsygankov, et al.
- United States v. Artem Semenov, et al.
- United States v. Maxim Miroshnichenko, et al.
- United States v. Marina Oprea, et al.
- United States v. Kristina Svechinskaya, et al.
- United States v. Ilya Karasev
- United States v. Marina Misyura
- United States v. Dorin Codreanu
- United States v. Victoria Opinca, et al.
- United States v. Alexander Kireev
- United States v. Kasum Adigyuzelov
- United States v. Sabina Rafikova
- United States v. Konstantin Akobirov
- United States v. Adel Gataullin
- United States v. Ruslan Kovtanyuk
- United States v. Yulia Klepikova, et al.
- United States v. Alexandr Sorokin
- United States v. Alexander Fedorov
- United States v. Anton Yuferitsyn
- United States v. Jamal Beyrouti, et al.
The DoJ said 21 cases, but I see only 20. Perhaps one is still being prepared.
Ask me about how to better protect against this breach, or just attend my presentation on the Top Ten Breaches, October 13th at the RSA Conference in London.