In one of its biggest strikes yet against cyber crooks stealing corporate and personal financial data, the Justice Department announced June 2nd that a multi-national effort has disrupted the computer malware cited as the leading “Trojan” targeting on-line banking transactions in 2013.
Prosecutors unsealed charges in Pittsburgh and Omaha against a Russian man alleged to have acted as an administrator of the network, while U.S. authorities seized computer servers integral to its operation.
The case offers a glimpse of an increasingly aggressive and sophisticated U.S. strategy for thwarting botnets – malware that infects banking and personal computers worldwide to create powerful networks through which cyber criminals can engage in an array of schemes.
Among them: capturing banking passwords and credentials for use in directing wire transfers to overseas accounts.
The latest cyber enforcement target is the Gameover Zeus Botnet, which allegedly has been used to steal millions of dollars from businesses and consumers. The malware, which silently infects victims’ computers, directs them to reach out to receive commands from other computers in the network and funnel stolen banking credentials back to those who control the software.
Security researchers estimate that between 500,000 and 1 million computers are infected worldwide with the botnet, about 25 percent of them in the United States, the Justice Department said.
Further, department officials said, Gameover Zeus has been used to distribute a second program, known as Cryptolocker, that infects victims’ computers and encrypts their files until they pay a ransom – up to $700 for a key that will unlock their computers. By one estimate, Cryptolocker was used to extract $27 million in “ransom” payments in its first two months of operation, department officials said.
Cryptolocker also has been distributed via unsolicited emails containing an infected file, typically purporting to be a voicemail or shipping confirmation.
“We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools, and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries,” Deputy U.S. Attorney General James Cole said.
Robert Anderson Jr., an executive assistant FBI director, called Gameover Zeus “the most sophisticated botnet the FBI and our allies have ever attempted to disrupt.”
Gameover Zeus, also known as “Peer-to-Peer Zeus” because of its decentralized structure, was first identified in about September 2011 and is the latest version of the Zeus malware, which was first spotted seven years ago. The FBI has estimated losses from Zeus’ infiltration of computers at over $100 million.
Gameover Zeus gained the dubious distinction of being the top botnet used to target banks in 2013, based on an analysis by Dell SecureWorks Counter Threat Unit.
The department unsealed a 14-count indictment in Pittsburgh accusing Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, of acting as an administrator for the Gameover Zeus Botnet. He was charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering.
Bogachev also was charged in a simultaneous criminal complaint filed in Omaha with conspiracy to commit bank fraud related to his alleged role in a prior variant of Zeus, known as “Jabber Zeus.”
In separately seeking a civil court injunction in federal court in Pittsburgh, the government described Bogachev as a leader of a tightly knit gang of cyber criminals based in Russia and Ukraine. The civil filing says he served as a network administrator for both Gameover Zeus and Cryptolocker.
The Justice Department said that U.S. and foreign law enforcement officials collaborated in seizing computer servers central to Cryptolocker’s functioning.
The department said it obtained criminal and civil court orders authorizing it to take measures to redirect victims of Gameover Zeus away from its website to another, https://www.us-cert.gov/, which was created by the Computer Emergency Readiness Team at the U.S. Department of Homeland Security.