Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime.
The Security Service of Ukraine (SBU) said today that it had seized at least 74 pieces of computer equipment and cash from a criminal group suspected of running a massive operation to steal banking information from consumers with the help of Conficker and scareware, a scam that uses misleading security alerts to frighten people into paying for worthless security software. A Google-translated version of an SBU press release suggests that the crime gang used Conficker to deploy the scareware, and then used the scareware to launch a virus that stole victims’ financial information.
The Ukrainian action appears to be related to an ongoing international law enforcement effort dubbed Operation Trident Tribunal by the FBI. In a statement released Wednesday, the U.S. Justice Department said it had seized 22 computers and servers in the United States that were involved in the scareware scheme. The Justice Department said 25 additional computers and servers located abroad were taken down as part of the operation, in cooperation with authorities in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.
On Tuesday, The New York Times reported that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn’t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group “Lulzsec.” Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation.
The FBI’s statement confirms the SBU’s estimate of $72 million in losses, and estimates that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU’s press release names and quotes Special Agent Norman Sanders from the FBI’s Seattle field office, broadly known in the security industry as the agency’s lead in the Conficker investigation. Conficker first surfaced in November 2008. The SBU said the FBI has been investigating the case for three years. [Update, June 24, 9:37 a.m.: Not sure whether this was an oversight or a deliberate attempt to deceive, but the picture showing the stack of PCs confiscated in this raid is identical to the one shown in an SBU press release last fall, when the Ukrainian police detained five individuals connected to high-profile ZeuS Trojan attacks.]
“Exchanging information with the Security Service, it became clear that the intelligence services of both countries [were] investigating criminal acts of the same persons,” the SBU said in its prepared statement.
There are no court records of this case publicly available in the United States; a spokesperson at the Justice Department office in the Western District of Washington said the documents remain sealed. She referred questions about the case to the FBI headquarters in Washington, D.C. When asked specifically about the Conficker connection, FBI spokeswoman Jenny Shearer would say only that “there are indications that one of the delivery mechanisms for the scareware in this investigation was a Conficker variant.”
The Conficker element of this case is interesting for several reasons: The worm was so sophisticated and spread so quickly that it prompted unprecedented cooperation among governments and security experts, who formed the Conficker Working Group to help contain the damage wrought by the worm. Conficker certainly wrought financial damage, having infected an estimated 12 million or more PCs, but until today there has been little information to suggest that this massive crime machine was used to generate profits for cyber crooks.
I know of two previous instances in which Conficker was linked to scareware scams. The first involved the initial version of the worm, which instructed all infected PCs to visit and download a file from TrafficConverter.biz, the domain of an affiliate program that paid hackers to distribute its brand of scareware. As I reported in a March 2009 story in The Washington Post, the top affiliates for that program were making hundreds of thousands of dollars a month pushing scareware, although it is not clear whether Conficker-infected systems ever received any scareware downloads from the domain. From that story:
“By the time Conficker first surfaced, TrafficConverter was nearing the end of a contest in which the top-selling affiliates competed for prizes, such as computers, fancy cell phones and other electronics. The grand prize? A Lexus IS250, a sports sedan that starts at $36,000.
At first glance, it is tempting to assume that the Conficker worm authors were in league with the operators of TrafficConverter.biz, and thus trying to drive traffic to the site — perhaps in an attempt to push the contest in favor of one or more affiliates. On the other hand, this may have been an attempt by the Conficker authors or a competing affiliate program to hinder and ultimately shutter TrafficConverter.biz, either by causing law enforcement and the security community to focus their attention on it, or by flooding the site with traffic from hundreds of thousands of Conficker-infected systems.
And flood the site it did. According to [SecureWorks's Joe] Stewart’s review of the traffic log files for TrafficConverter.biz, during a 12-hour period on Nov. 24, the site was bombarded by more than 83 million hits from at least 179,000 unique Internet addresses.
The traffic from Conficker.A infected systems to TrafficConverter.biz might have translated into monster installs for affiliates of the site. Ironically, all of that traffic from Conficker-infected systems appears to have gone to a non-existent page on TrafficConverter.biz, Stewart said. In short, the site missed a pretty huge opportunity to convert a whole lot of traffic.
Still, had the curators of TrafficConverter.biz actually placed a file at that link for download, the resulting traffic from 179,000 systems trying to download that file at the same time probably would have crashed the site entirely, Stewart said.”
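The pattern Stewart describes (one non-existent page hammered by a huge number of distinct addresses, each making only a handful of requests) is exactly what separates a worm hard-wired to a single URL from an ordinary scraper, which hits many paths from few addresses. The script below is an added example written for this post; it is not code from the original story, from SecureWorks or from any analysis of the real TrafficConverter.biz logs. It parses combined-format web server log lines and flags paths that many distinct client addresses request and that always return 404. The log lines, the path /dl/update.exe and the thresholds are constructed for illustration and are not the URL Conficker.A actually requested.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format. The regex is an assumption
# for this example; adjust it if your server uses a custom LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
# Four distinct hosts poll a file that does not exist, alongside normal hits.
SAMPLE_LOG = """\
198.51.100.10 - - [24/Nov/2008:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.10 - - [24/Nov/2008:10:00:02 +0000] "GET /promo.png HTTP/1.1" 200 30211
203.0.113.5 - - [24/Nov/2008:10:00:07 +0000] "GET /dl/update.exe HTTP/1.1" 404 291
203.0.113.6 - - [24/Nov/2008:10:00:08 +0000] "GET /dl/update.exe HTTP/1.1" 404 291
203.0.113.7 - - [24/Nov/2008:10:00:08 +0000] "GET /dl/update.exe HTTP/1.1" 404 291
203.0.113.5 - - [24/Nov/2008:10:05:07 +0000] "GET /dl/update.exe HTTP/1.1" 404 291
203.0.113.8 - - [24/Nov/2008:10:05:09 +0000] "GET /dl/update.exe HTTP/1.1" 404 291
198.51.100.11 - - [24/Nov/2008:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [24/Nov/2008:10:07:00 +0000] "GET /admin/ HTTP/1.1" 404 291
garbage line that does not parse
"""


def parse_line(line):
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def summarize(lines):
    """Per path: total hits, distinct client IPs, status codes, time span."""
    stats = defaultdict(
        lambda: {"hits": 0, "ips": set(), "statuses": set(), "first": None, "last": None}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        s = stats[rec["path"]]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["statuses"].add(rec["status"])
        if s["first"] is None or rec["ts"] < s["first"]:
            s["first"] = rec["ts"]
        if s["last"] is None or rec["ts"] > s["last"]:
            s["last"] = rec["ts"]
    return stats


def flag_beacons(stats, min_ips=3):
    """Paths that look like a botnet call-home rather than scraping:
    every request got a 404 (nothing was ever there) yet at least
    `min_ips` distinct clients asked for it. A scraper hits many paths
    from few IPs; a worm fixed on one URL hits one path from many IPs.
    The threshold is an assumption; a real deployment would tune it."""
    flagged = []
    for path, s in stats.items():
        if s["statuses"] == {404} and len(s["ips"]) >= min_ips:
            n_ips = len(s["ips"])
            flagged.append({
                "path": path,
                "unique_ips": n_ips,
                "hits": s["hits"],
                "hits_per_ip": round(s["hits"] / n_ips, 2),
                "span_seconds": int((s["last"] - s["first"]).total_seconds()),
            })
    return sorted(flagged, key=lambda f: f["unique_ips"], reverse=True)


if __name__ == "__main__":
    for f in flag_beacons(summarize(SAMPLE_LOG.splitlines())):
        print(f"{f['path']}: {f['unique_ips']} IPs, {f['hits']} hits, "
              f"{f['hits_per_ip']} hits/IP over {f['span_seconds']}s, all 404")
```

On the constructed sample the only flagged path is /dl/update.exe (4 distinct clients, 5 hits, roughly one request per client); /admin/ also returns 404 but comes from a single address, so it is not flagged. A low hits-per-IP ratio across a large IP count is the signature worth alerting on: it is what a hard-coded update URL in a worm produces, and it is the traffic a defender would see on a sinkholed domain.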
Conficker’s second association with scareware came three weeks after that story. On April 8, 2009, Kaspersky Lab reported that it had seen some Conficker-infected systems being updated with a scareware product called Spyware Protect 2009. Kaspersky analysts also discovered that infected PCs were seeded with another update: a version of the Waledac worm, which is able to steal data and send spam.
Anyone with information about the identity of the Conficker author(s) could have a lucrative tip on their hands: Microsoft has an outstanding $250,000 bounty for information leading to the arrest and conviction of those responsible for launching the worm.