Feeds

'Gozi Trojan trio' blamed for multimillion-dollar bank raid spree

NASA systems among 1,000,000 computers suspects accused of infecting

The essential guide to IT transformation

US prosecutors have accused three people of using a bank-account raiding Trojan to infect at least one million computers and steal millions of dollars.

Russian national Nikita Kuzmin, 25, Latvian resident Deniss Calovskis, 27, and Mihai Ionut Paunescu, a 28-year-old Romanian, were behind the scam, according to charges filed against them. The allegations were revealed in an indictment unsealed on Wednesday, 23 January. The US wants to extradite both Calovskis and Paunescu from their respective countries.

Systems at NASA were among the 40,000 computers in the US infected by the trio's Gozi Trojan, described in a US Department of Justice statement as "one of the most financially destructive computer viruses in history"*.

Kuzmin, who masterminded the Trojan, was arrested in the US in November 2010 and pled guilty to various computer hacking and fraud charges in May 2011. Calovskis, who allegedly helped program Gozi, was arrested in Latvia in November 2012. Paunescu (AKA Virus) allegedly supplied the "bulletproof [web] hosting" service that helped Kuzmin and other crooks distribute the Trojan as well as ZeuS, SpyEye and other malware - some linked to spam distribution and DDoS shenanigans. Paunescu was arrested in Romania in December 2012.

FBI Assistant Director-in-Charge George Venizelos said:

This long-term investigation uncovered an alleged international cybercrime ring whose far-reaching schemes infected at least one million computers worldwide and 40,000 in the US, and resulted in the theft or loss of tens of millions of dollars. Banking Trojans are to cyber criminals what safe-cracking or acetylene torches are to traditional bank burglars – but far more effective and less detectable. The investigation put an end to the Gozi virus.

The Gozi Trojan first surfaced in 2007. Over the years it has infected Microsoft Windows computers in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere, causing tens of millions of dollars in losses to individuals, businesses and governments whose computers were compromised. Gozi was distributed in various guises, most commonly disguised as a benign PDF document.

Kuzmin rented out access to the latest versions of the Gozi Trojan on a weekly basis through a business called "76 Service", which was advertised on various underground cybercrime forums.

From 2009 onwards he sold the source code to various conspirators, some of whom paid others to refine, update, and improve the software nasty. Calovskis was allegedly among the most able of these black-hat programmers. US prosecutors blame him for developing code, known as "web injects", that altered how the web pages of particular banks appeared on infected computers.

One such "redesign" changed a bank's welcome page on a compromised machine to trick victims into disclosing additional personal information – such as their mother’s maiden name, social security number, driver’s licence information and account PIN – supposedly needed in order to continue to access the banking website. These details were then relayed to crooks to exploit as they wished.

Various versions of Gozi were tailor-made to attack banks targeted by each underworld buyer. Paunescu allegedly operated the servers that collected the swiped personal data and controlled infected machines. He allegedly acted as an ISP for crooks, charging them a premium for providing a degree of anonymity and fending off takedown requests from security firms and upstream service providers.

As the US Department of Justice points out, "the charges contained in the indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty".

The case was handled by NASA's Office of Inspector General; Latvian State Police; the Romanian Intelligence Service; the Romanian Directorate for Combating Organized Crime; the Romanian Directorate for Investigating Organized Crime and Terrorism; and the FBI and various prosecuting agencies led by Preet Bharara, the US Attorney for the Southern District of New York, and Lanny A. Breuer, the Assistant Attorney General of the Department of Justice’s Criminal Division. ®

Bootnote

* While US prosecutors describe Gozi as a virus it doesn't replicate itself and for this and other reasons is better described as a Trojan.

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.