If you enjoy being scared, I guess you can watch one of the Sharknado movies or maybe go for a marathon session of some zombie television series. Of course, Halloween is coming up, so maybe just hang in there a few more days. On the other hand, some recent news stories may scare the crap out of you with just as much effectiveness. Consider the recent announcement by the Department of Justice ("DOJ") that it had purportedly shut down yet another criminal conspiracy to infect computers with botnet malware.
Case In Point
On October 13, 2015, DOJ unsealed a nine-count Indictment in the Western District of Pennsylvania charging Andrey Ghinkul, a/k/a "Andrei Ghincul," a/k/a "Smilex," 30, of Moldova, with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud. Purportedly $10 million in U.S. losses are attributed to the conspiracy. Ghinkul was previously arrested on Aug. 28, 2015 in Cyprus and is awaiting efforts to extradite him to the United States. United States of America v. Andrey Ghinkul (Indictment, 15-CR-00198, WDPA, September 16, 2015)
NOTE: An Indictment merely contains allegations and
defendants are presumed innocent unless and until proven guilty beyond a
reasonable doubt in a court of law.
Botnet Conspiracy
The Indictment alleges a criminal conspiracy that used Botnets and phishing emails to infect computers with malware designed to steal the confidential personal and financial information of its victims. The Botnets at issue were designed to defeat antivirus programs.
The Indictment alleges the conspirators stole their victims' information and used those credentials to undertake fraudulent electronic transfers of millions of dollars from the victims' bank accounts into the accounts of so-called intervening "money mules," who then transferred the stolen funds to other conspirators.
As set forth in the Indictment (footnote omitted):
2) Keystroke logging is the action of recording (for logging) the keys struck on a keyboard. This action is usually done surreptitiously by a computer program (i.e., keylogger) to capture the keys typed on a computer without the typist's knowledge. Malware that uses keystroke logging often will provide the captured keystrokes to the individual who caused the malware to be installed or to a place designated by the individual. Through keystroke logging, individuals are able to obtain online banking credentials as soon as the user of the infected computer logs into their account. After obtaining this information, these individuals can access the victim's online bank account and execute unauthorized electronic funds transfers ("EFT"), such as Automated Clearing House ("ACH") payments or wire transfers, to accounts they control.
The Nitty Gritty of Malware
The Indictment offers some explanation of one of the malware families, Bugat, used in this criminal conspiracy:
8) Bugat malware is generally distributed through a process known as "phishing", where spam emails are distributed to victims. The emails appear legitimate and are carefully crafted to entice the victim to click on a hyperlink or to open an attached file. In the event a user clicks on a hyperlink, the user is then usually redirected to an exploit kit, which is a web based software program that scans the victim's computer and operating systems for vulnerabilities and upon discovering one, forces the download of a malicious file upon the victim. In the event the victim opens an attached file, he is then directly infected either by the Bugat malware, or by a loader program, which then downloads the Bugat payload without the victim's consent or knowledge.
9) Bugat, like most modern malware families, is specifically crafted to defeat antivirus and other protective measures employed by victims. As the individual behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called "Cridex," and later "Dridex." . . .
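The Indictment's paragraph 8 describes the two delivery paths of a Bugat lure: a hyperlink that leads the victim to an exploit kit, or an attached file that is the loader or the payload itself. The following is an added, defender-side example (not part of the Indictment, the blog post, or any tool associated with the case) showing how a mail gateway or incident responder can triage a message for exactly those two features: anchor text that displays one hostname while the underlying href points somewhere else (or to a bare IP address), and attachments with executable or double extensions. The sample messages, the domain `bank-example.com`, the address 203.0.113.5 (a documentation range) and the `RISKY_EXTENSIONS` list are all constructed assumptions for the example.

```python
"""Triage heuristics for a lure email of the kind the Indictment describes:
a message carrying either a hyperlink (toward an exploit kit) or an attached
file (a loader or the payload itself). Added example; the sample messages
are constructed here and are not evidence from the case."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that commonly carry a loader or executable payload. This is an
# assumed defender's list for the example, not one taken from the Indictment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd",
                    ".hta", ".docm", ".xlsm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage(raw):
    """Return a list of (indicator, detail) findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            low = fname.lower()
            ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(("risky_attachment", fname))
                if low.count(".") >= 2:          # e.g. invoice.pdf.exe
                    findings.append(("double_extension", fname))
            continue
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host = _host(href)
                # Anchor text that shows one hostname while the href goes elsewhere
                shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text.lower())
                if shown and shown.group(1) != href_host:
                    findings.append(("link_text_mismatch", href))
                # A raw IP literal in place of a hostname is a classic lure tell
                if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
                    findings.append(("ip_literal_link", href))
    return findings


def build_sample(malicious=True):
    """Constructed sample message; 203.0.113.5 is a documentation-range address."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <billing@bank-example.com>"
    msg["To"] = "employee@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    if malicious:
        msg.add_alternative(
            '<p>Sign in at <a href="http://203.0.113.5/login">'
            'https://www.bank-example.com/login</a> to review it.</p>',
            subtype="html")
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")
    else:
        msg.add_alternative(
            '<p>Sign in at <a href="https://www.bank-example.com/login">'
            'https://www.bank-example.com/login</a> to review it.</p>',
            subtype="html")
        msg.add_attachment(b"%PDF-1.4", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for indicator, detail in triage(build_sample()):
        print(f"{indicator:20s} {detail}")
```

Run against the constructed lure, `triage` reports the link whose visible text names the bank while its href points at a bare IP, and the `invoice.pdf.exe` attachment on both the risky-extension and double-extension rules; the benign variant produces no findings. These are heuristics, not a verdict: in practice they feed a score alongside sender authentication results and attachment detonation rather than blocking on their own.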
Go Phish
The Indictment offers several examples of the allegedly
criminal transfers that were facilitated by a phishing email sent to a Penneco
Oil employee:
In addition to the Indictment, the FBI is now authorized pursuant to a civil injunction to redirect automated requests by victim computers for additional instructions to substitute servers. Victims may use the US-CERT webpage Alert (TA15-286A) Dridex P2P Malware for assistance on how to remove the malware: https://www.us-cert.gov/dridex.