Feeds

'Gozi Trojan trio' blamed for multimillion-dollar bank raid spree

NASA systems among 1,000,000 computers suspects accused of infecting

Choosing a cloud hosting partner with confidence

US prosecutors have accused three people of using a bank-account raiding Trojan to infect at least one million computers and steal millions of dollars.

Russian national Nikita Kuzmin, 25, Latvian resident Deniss Calovskis, 27, and Mihai Ionut Paunescu, a 28-year-old Romanian, were behind the scam, according to charges filed against them. The allegations were revealed in an indictment unsealed on Wednesday, 23 January. The US wants to extradite both Calovskis and Paunescu from their respective countries.

Systems at NASA were among the 40,000 computers in the US infected by the trio's Gozi Trojan, described in a US Department of Justice statement as "one of the most financially destructive computer viruses in history"*.

Kuzmin, who masterminded the Trojan, was arrested in the US in November 2010 and pled guilty to various computer hacking and fraud charges in May 2011. Calovskis, who allegedly helped program Gozi, was arrested in Latvia in November 2012. Paunescu (AKA Virus) allegedly supplied the "bulletproof [web] hosting" service that helped Kuzmin and other crooks distribute the Trojan as well as ZeuS, SpyEye and other malware - some linked to spam distribution and DDoS shenanigans. Paunescu was arrested in Romania in December 2012.

FBI Assistant Director-in-Charge George Venizelos said:

This long-term investigation uncovered an alleged international cybercrime ring whose far-reaching schemes infected at least one million computers worldwide and 40,000 in the US, and resulted in the theft or loss of tens of millions of dollars. Banking Trojans are to cyber criminals what safe-cracking or acetylene torches are to traditional bank burglars – but far more effective and less detectable. The investigation put an end to the Gozi virus.

The Gozi Trojan first surfaced in 2007. Over the years it has infected Microsoft Windows computers in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere, causing tens of millions of dollars in losses to individuals, businesses and governments whose computers were compromised. Gozi was distributed in various guises, most commonly disguised as a benign PDF document.

Kuzmin rented out access to the latest versions of the Gozi Trojan on a weekly basis through a business called "76 Service", which was advertised on various underground cybercrime forums.

From 2009 onwards he sold the source code to various conspirators, some of whom paid others to refine, update, and improve the software nasty. Calovskis was allegedly among the most able of these black-hat programmers. US prosecutors blame him for developing code, known as "web injects", that altered how the web pages of particular banks appeared on infected computers.

One such "redesign" changed a bank's welcome page on a compromised machine to trick victims into disclosing additional personal information – such as their mother’s maiden name, social security number, driver’s licence information and account PIN – supposedly needed in order to continue to access the banking website. These details were then relayed to crooks to exploit as they wished.

Various versions of Gozi were tailor-made to attack banks targeted by each underworld buyer. Paunescu allegedly operated the servers that collected the swiped personal data and controlled infected machines. He allegedly acted as an ISP for crooks, charging them a premium for providing a degree of anonymity and fending off takedown requests from security firms and upstream service providers.

As the US Department of Justice points out, "the charges contained in the indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty".

The case was handled by NASA's Office of Inspector General; Latvian State Police; the Romanian Intelligence Service; the Romanian Directorate for Combating Organized Crime; the Romanian Directorate for Investigating Organized Crime and Terrorism; and the FBI and various prosecuting agencies led by Preet Bharara, the US Attorney for the Southern District of New York, and Lanny A. Breuer, the Assistant Attorney General of the Department of Justice’s Criminal Division. ®

Bootnote

* While US prosecutors describe Gozi as a virus it doesn't replicate itself and for this and other reasons is better described as a Trojan.

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.