Feeds

'Gozi Trojan trio' blamed for multimillion-dollar bank raid spree

NASA systems among 1,000,000 computers suspects accused of infecting

Beginner's guide to SSL certificates

US prosecutors have accused three people of using a bank-account raiding Trojan to infect at least one million computers and steal millions of dollars.

Russian national Nikita Kuzmin, 25, Latvian resident Deniss Calovskis, 27, and Mihai Ionut Paunescu, a 28-year-old Romanian, were behind the scam, according to charges filed against them. The allegations were revealed in an indictment unsealed on Wednesday, 23 January. The US wants to extradite both Calovskis and Paunescu from their respective countries.

Systems at NASA were among the 40,000 computers in the US infected by the trio's Gozi Trojan, described in a US Department of Justice statement as "one of the most financially destructive computer viruses in history"*.

Kuzmin, who masterminded the Trojan, was arrested in the US in November 2010 and pled guilty to various computer hacking and fraud charges in May 2011. Calovskis, who allegedly helped program Gozi, was arrested in Latvia in November 2012. Paunescu (AKA Virus) allegedly supplied the "bulletproof [web] hosting" service that helped Kuzmin and other crooks distribute the Trojan as well as ZeuS, SpyEye and other malware - some linked to spam distribution and DDoS shenanigans. Paunescu was arrested in Romania in December 2012.

FBI Assistant Director-in-Charge George Venizelos said:

This long-term investigation uncovered an alleged international cybercrime ring whose far-reaching schemes infected at least one million computers worldwide and 40,000 in the US, and resulted in the theft or loss of tens of millions of dollars. Banking Trojans are to cyber criminals what safe-cracking or acetylene torches are to traditional bank burglars – but far more effective and less detectable. The investigation put an end to the Gozi virus.

The Gozi Trojan first surfaced in 2007. Over the years it has infected Microsoft Windows computers in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere, causing tens of millions of dollars in losses to individuals, businesses and governments whose computers were compromised. Gozi was distributed in various guises, most commonly disguised as a benign PDF document.

Kuzmin rented out access to the latest versions of the Gozi Trojan on a weekly basis through a business called "76 Service", which was advertised on various underground cybercrime forums.

From 2009 onwards he sold the source code to various conspirators, some of whom paid others to refine, update, and improve the software nasty. Calovskis was allegedly among the most able of these black-hat programmers. US prosecutors blame him for developing code, known as "web injects", that altered how the web pages of particular banks appeared on infected computers.

One such "redesign" changed a bank's welcome page on a compromised machine to trick victims into disclosing additional personal information – such as their mother’s maiden name, social security number, driver’s licence information and account PIN – supposedly needed in order to continue to access the banking website. These details were then relayed to crooks to exploit as they wished.

Various versions of Gozi were tailor-made to attack banks targeted by each underworld buyer. Paunescu allegedly operated the servers that collected the swiped personal data and controlled infected machines. He allegedly acted as an ISP for crooks, charging them a premium for providing a degree of anonymity and fending off takedown requests from security firms and upstream service providers.

As the US Department of Justice points out, "the charges contained in the indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty".

The case was handled by NASA's Office of Inspector General; Latvian State Police; the Romanian Intelligence Service; the Romanian Directorate for Combating Organized Crime; the Romanian Directorate for Investigating Organized Crime and Terrorism; and the FBI and various prosecuting agencies led by Preet Bharara, the US Attorney for the Southern District of New York, and Lanny A. Breuer, the Assistant Attorney General of the Department of Justice’s Criminal Division. ®

Bootnote

* While US prosecutors describe Gozi as a virus it doesn't replicate itself and for this and other reasons is better described as a Trojan.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
SMASH the Bash bug! Red Hat, Apple scramble for patch batches
'Applying multiple security updates is extremely difficult'
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.