<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; fbi</title>
	<atom:link href="http://krebsonsecurity.com/tag/fbi/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 13:50:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>&#8216;Biggest Cybercriminal Takedown in History&#8217;</title>
		<link>http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/</link>
		<comments>http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 22:31:53 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[Andrey Taame]]></category>
		<category><![CDATA[Barry Greene]]></category>
		<category><![CDATA[Dmitri Jegorov]]></category>
		<category><![CDATA[DNS Changer]]></category>
		<category><![CDATA[estdomains]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Feike Hacquebord]]></category>
		<category><![CDATA[internet systems consortium]]></category>
		<category><![CDATA[Konstantin Poltev]]></category>
		<category><![CDATA[Timur Gerassimenko]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[Valeri Aleksejev]]></category>
		<category><![CDATA[Vladimir Tsastsin]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=12274</guid>
		<description><![CDATA[The proprietors of shadowy online businesses that have become synonymous with cybercrime in recent years were arrested in their native Estonia on Tuesday and charged with running a sophisticated click fraud scheme that used malware to infect more than four million computers in over 100 countries -- including an estimated 500,000 PCs in the United States. The law enforcement action was the result of a multi-year investigation, and is being called the "biggest cybercriminal takedown in history."]]></description>
			<content:encoded><![CDATA[
<p>The proprietors of shadowy online businesses that have become synonymous with cybercrime in recent years were arrested in their native Estonia on Tuesday and charged with running a sophisticated click fraud scheme that used malware to infect more than four million computers in over 100 countries &#8212; including an estimated 500,000 PCs in the United States. The law enforcement action, dubbed &#8220;Operation Ghost Click,&#8221; was the result of a multi-year investigation, and is being called the &#8220;biggest cybercriminal takedown in history.&#8221;</p>
<div id="attachment_12275" class="wp-caption alignright" style="width: 310px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/vladimirtsastsin.png"><img class="size-medium wp-image-12275" title="vladimirtsastsin" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/vladimirtsastsin-300x212.png" alt="" width="300" height="212" /></a><p class="wp-caption-text">Vladimir Tsastsin, in undated photo.</p></div>
<p>Estonian authorities arrested six men, including <strong>Vladimir Tsastsin</strong>, 31, the owner of several Internet companies that have been <a title="Washington Post: A Superlative Scam and Spam Site Registrar" href="http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html" target="_blank">closely associated with the malware community</a> for many years. Tsastsin previously headed <strong>EstDomains Inc.</strong>, a domain name registrar that handled the registrations for tens of thousands of domains associated with the far-flung <a title="Wikipedia: Russian Business Network" href="http://en.wikipedia.org/wiki/Russian_Business_Network" target="_blank">Russian Business Network</a>.</p>
<p>Reporting for <em>The Washington Post</em> in September 2008, I detailed how Tsastsin&#8217;s <a title="Security Fix: EstDomains: A Sordid History and Storied CEO" href="http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html" target="_blank">prior convictions in Estonia for credit card fraud, money laundering and forgery</a> violated the registrar agreement set forth by the <strong>Internet Corporation for Assigned Names and Numbers</strong> (ICANN), which bars convicted felons from serving as officers of a registrar. ICANN later agreed, and <a title="Security Fix: ICANN De-Accredits EstDomains" href="http://voices.washingtonpost.com/securityfix/2008/10/icann_de-accredits_estdomains.html" target="_blank">revoked EstDomains&#8217; ability to act as a domain registrar</a>, citing Tsastsin&#8217;s criminal history.</p>
<p>Also arrested were <strong>Timur Gerassimenko</strong>, 31; <strong>Dmitri Jegorov</strong>, 33; <strong>Valeri Aleksejev</strong>, 31; <strong>Konstantin Poltev</strong>, 28 (quoted in the above-linked stories as the spokesperson for EstDomains); and <strong>Anton Ivanov</strong>, 26. All six men were arrested and taken into custody this week by the Estonian Police and Border Guard. A seventh defendant, a 31-year-old Russian national named <strong>Andrey Taame</strong>, is still at large.</p>
<div id="attachment_12278" class="wp-caption alignleft" style="width: 310px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/dnschangerfbi.png"><img class="size-medium wp-image-12278" title="dnschangerfbi" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/dnschangerfbi-300x274.png" alt="" width="300" height="274" /></a><p class="wp-caption-text">Source: FBI</p></div>
<p>Indictments returned against the defendants in the <strong>U.S. District Court for the Southern District of New York</strong> detail how the defendants allegedly used a strain of malware generically known as <a title="F-Secure: DNS Changer malware description" href="http://www.f-secure.com/v-descs/dnschang.shtml" target="_blank">DNS Changer</a> to hijack victim computers for the purpose of redirecting Web browsers to ads that generated pay-per-click revenue for the defendants and their clients. U.S. authorities allege that the men made more than $14 million through click hijacking and advertisement replacement fraud.</p>
<p>DNS Changer most often comes disguised as a video &#8220;codec&#8221; supposedly needed to view adult movies. It infects systems at the boot sector level, hooking into the host computer at a very low level and often making it very challenging to remove. This malware family didn&#8217;t just infect <strong>Microsoft Windows</strong> systems: Several versions of DNS Changer would just as happily <a href="http://macdailynews.com/2007/11/01/mac_dns_changer_trojan_osx_puper_relatively_simple_works_like_windows_ver/" target="_blank">infect Mac systems</a> as well. Other variants of the malware even <a title="Security Fix: Malware Silently Alters Wireless Router Settings" href="http://voices.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html" target="_blank">hijacked DNS settings on wireless home routers</a>. The FBI has posted <a title="FBI.gov" href="http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911" target="_blank">several useful links</a> to help users learn whether their systems are infected with DNS Changer.</p>
<p><strong>Feike Hacquebord</strong>, senior threat researcher for security vendor <strong>Trend Micro, </strong>called the arrest the &#8220;biggest cybercriminal takedown in history.&#8221; In a <a title="Trend Micro Blog: Esthost Taken Down - Biggest Cybercriminal Takedown in History" href="http://blog.trendmicro.com/esthost-taken-down-%E2%80%93-biggest-cybercriminal-takedown-in-history/" target="_blank">blog post</a> published today, Hacquebord and Trend detail the multi-year takedown, which involved a number of front companies, but principally an entity that Tsastsin founded named <strong>Rove Digital</strong>:</p>
<p><span id="more-12274"></span></p>
<blockquote><p>In 2009 we obtained a copy of the hard drives of two C&amp;C servers that replaced advertisements on websites when loaded by DNS Changer victims. On the hard drives we found public SSH keys of several Rove Digital employees. These keys allowed the Rove Digital employees to log in on the C&amp;C servers without a password, but with their private key. From log files on the servers we were able to conclude that the C&amp;C servers were controlled from Rove Digital&#8217;s office in Tartu.</p>
<p>Rove Digital had also been running a fake AV / rogue DNS affiliate program called Nelicash. We were able to download a schema of the infrastructure for the fake AV part. From a Nelicash C&amp;C server we discovered data on victims who bought fake AV software. Among the purchases of victims, there were several test orders placed by employees of Rove Digital from IP addresses controlled by Rove Digital in Estonia and the US. This shows that Rove Digital was directly involved in the sales of the fake AV.</p>
<p>From the same Nelicash C&amp;C server we were also able to download a detailed plan for the deployment of new rogue DNS servers in 2010 and 2011. Every day, Rove Digital spread a new malware sample that changed systems&#8217; DNS settings to a unique pair of foreign servers. We checked DNS Changer Trojans for a couple of days and we learned that these Trojans changed DNS settings of victims exactly according to their plan.</p>
<p>We collected much more evidence but we are unable to include it all here. All of our findings indicate that Rove Digital is committing cybercrimes on a large scale indeed and is directly responsible for the large DNS Changer botnet.</p></blockquote>
<p>As its name suggests, DNS Changer works by hijacking the domain name system (DNS) server settings on a computer; these settings point to the Internet servers responsible for translating human-friendly domain names like example.com into the numeric Internet addresses that computers actually connect to. DNS Changer swapped out victims&#8217; legitimate DNS server settings for the addresses of DNS servers controlled by Rove Digital. Armed with that control, the defendants could redirect any part of the Web browsing session on an infected user&#8217;s computer.</p>
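<p>As an added example that is not part of the original article, the following Python script performs the check the FBI&#8217;s links pointed users toward: it reads a host&#8217;s configured resolvers (from /etc/resolv.conf-style text or from Windows <code>ipconfig /all</code> output) and flags any that fall inside the rogue resolver ranges. The six address ranges are reproduced from the FBI&#8217;s public DNSChanger notice, not from this article, and should be verified against that notice before being relied on; the two resolver configurations are constructed samples.</p>

```python
# Added example, not from the original article: flag DNS resolvers that sit
# inside the Rove Digital rogue ranges. The ranges are reproduced from the
# FBI's public DNSChanger notice (assumption: verify against that notice).
import ipaddress
import re

ROGUE_RANGES = [  # inclusive first/last addresses, as the FBI notice lists them
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def to_networks(ranges):
    """Expand inclusive address ranges into the minimal set of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETWORKS = to_networks(ROGUE_RANGES)


def resolvers_from_resolv_conf(text):
    """Return nameserver addresses from /etc/resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)


def resolvers_from_ipconfig(text):
    """Return DNS server addresses from Windows `ipconfig /all` output.

    The first server is on the 'DNS Servers' line; extra servers follow on
    indented continuation lines that hold only an address.
    """
    servers, in_dns_block = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            m = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
            if m:
                servers.append(m.group(1))
                continue
            in_dns_block = False  # any other line ends the DNS block
    return servers


def rogue_resolvers(addresses, networks=ROGUE_NETWORKS):
    """Return the addresses that fall inside any rogue network."""
    hits = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostnames, IPv6 scope suffixes and garbage are skipped
        if any(ip in net for net in networks):
            hits.append(addr)
    return hits


# Constructed samples: a clean Linux host and a Windows host whose primary
# resolver has been rewritten into one of the rogue ranges.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 198.51.100.53
"""
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for host, addrs in (("linux", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                        ("windows", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        hits = rogue_resolvers(addrs)
        print(host, addrs, "INFECTED via" if hits else "clean", hits)
```

<p>The check is deliberately a range comparison rather than an exact-address match: Trend Micro&#8217;s findings above describe a new resolver pair being rotated in daily, so any single rogue address goes stale quickly while the netblocks the gang controlled did not. Note also that a clean host configuration is not proof of a clean network; the router-hijacking variants mentioned earlier leave the host pointing at the router, so the router&#8217;s own upstream resolvers need the same check.</p>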
<p>This presented a unique challenge for the law enforcement officials and private security experts who sought to dismantle the fraud network. Experts had identified a large number of rogue DNS servers that were owned by front companies tied to Rove Digital, and indeed secured a court order to seize control over those servers. But experts warned the FBI that seizing the rogue DNS servers without first putting in place a backup system would effectively kill Internet access for the four million computers worldwide that were infected with DNS Changer.</p>
<p>In response, the court appointed the job of swapping out the rogue DNS servers for clean ones to <strong>Internet Systems Consortium</strong> (ISC), a California nonprofit that maintains <strong>BIND</strong>, a DNS software package that is widely used throughout the Internet.</p>
<p>&#8220;The big concerns came when all the evidence had built up on the law enforcement side, and people said, &#8216;Hey, there are millions of infected systems whose DNS is wrong,&#8217;&#8221; said <strong>Barry Greene</strong>, president and CEO of ISC. &#8220;We really wanted to keep people from having their DNS shut down, and everyone calling the help desk at their ISP or security provider to complain that their Internet wasn&#8217;t working.&#8221;</p>
<p>In a press call with reporters, FBI officials said they would be working with industry to help notify ISPs about customers infected with DNS Changer.</p>
<p>&#8220;It&#8217;s a complicated cleanup because the malware they put on there is boot-sector stuff,&#8221; Greene said. &#8220;So we&#8217;re not finished. We just finished phase 1, which is law enforcement putting handcuffs on people and making sure we don&#8217;t black out people on the &#8216;Net. The press release and outreach is phase two, and cleanup is phase three. We&#8217;ll be doing that for some time, I think.&#8221;</p>
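<p>As an added example that is not part of the original article, here is how the substitute resolvers&#8217; own logs support the notification and cleanup phases Greene describes: every still-infected machine keeps querying the replacement servers, so their query logs identify the victims. The Python script below parses log lines in the shape of BIND 9 query logging (a constructed sample, so adjust the pattern to the format your BIND version emits), discards the operator&#8217;s own probe addresses, groups unique client IPs by ISP using an assumed prefix table that stands in for a real IP-to-ASN lookup, and counts unique clients per day so cleanup progress can be tracked. The log lines, the ISP table and the probe address are all constructed assumptions.</p>

```python
# Added example, not from the original article: turn substitute-resolver
# query logs into per-ISP notification lists and a daily infection count.
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of BIND 9 query logging: three infected
# clients at two ISPs plus the operator's own monitoring probe, over two days.
# The trailing parenthesised address is the resolver interface that answered.
SAMPLE_LOG = """\
10-Nov-2011 03:14:07.101 client 203.0.113.7#51234 (www.example.com): query: www.example.com IN A + (64.28.176.2)
10-Nov-2011 03:14:09.552 client 203.0.113.7#51235 (mail.example.net): query: mail.example.net IN MX + (64.28.176.2)
10-Nov-2011 04:02:11.008 client 198.51.100.44#40001 (example.org): query: example.org IN A + (64.28.176.2)
10-Nov-2011 04:02:11.400 client 192.0.2.9#53000 (probe.example): query: probe.example IN A + (64.28.176.2)
11-Nov-2011 09:30:45.310 client 203.0.113.7#51300 (www.example.com): query: www.example.com IN A + (64.28.176.2)
11-Nov-2011 09:31:02.001 client 198.51.100.200#40002 (example.org): query: example.org IN AAAA + (64.28.176.2)
"""

# Assumed ISP table (constructed); in practice this comes from an IP-to-ASN lookup.
ISP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "ISP-A",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B",
}
# Our own monitoring probes (constructed) must never appear in a notification.
ALLOWLIST = {ipaddress.ip_address("192.0.2.9")}

# Accepts both the older "client A.B.C.D#port" and the newer
# "client @0x... A.B.C.D#port" forms of the BIND client field.
LINE_RE = re.compile(
    r"^(?P<day>\d{2}-\w{3}-\d{4}) \S+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+")


def parse_clients(log_text):
    """Yield (day, client_ip) for every log line that parses; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("day"), ipaddress.ip_address(m.group("ip"))


def isp_for(ip, table=ISP_PREFIXES):
    """Longest-prefix-free lookup is enough for non-overlapping sample prefixes."""
    for net, name in table.items():
        if ip in net:
            return name
    return "unknown"


def notification_lists(log_text):
    """Unique infected client addresses per ISP, deduplicated across all queries.

    Counting queries instead of clients would inflate the numbers handed to
    ISPs: one infected machine issues hundreds of lookups a day.
    """
    per_isp = defaultdict(set)
    for _, ip in parse_clients(log_text):
        if ip in ALLOWLIST:
            continue
        per_isp[isp_for(ip)].add(str(ip))
    return {isp: sorted(ips) for isp, ips in per_isp.items()}


def daily_unique_clients(log_text):
    """Unique clients seen per day: the figure that should fall as cleanup proceeds."""
    per_day = defaultdict(set)
    for day, ip in parse_clients(log_text):
        if ip not in ALLOWLIST:
            per_day[day].add(ip)
    return {day: len(ips) for day, ips in per_day.items()}


if __name__ == "__main__":
    for isp, ips in sorted(notification_lists(SAMPLE_LOG).items()):
        print(f"{isp}: {len(ips)} infected client(s): {', '.join(ips)}")
    print("unique clients per day:", daily_unique_clients(SAMPLE_LOG))
```

<p>Two details matter in practice and are reflected here: dedupe on client address rather than on query count before numbers go to an ISP, and keep a per-day series, since a flat line of unique clients is the signal that phase three (cleanup) has stalled. Dynamic addressing and carrier NAT mean one address may represent several machines, or one machine several addresses, over the window, so the daily count is a trend indicator, not a census.</p>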
<p>Officials from the<strong> FBI</strong> and the <strong>U.S. Attorney for the Southern District of New York</strong> said they would seek to extradite the defendants to the United States. An FBI official told reporters that four of the arrested have been charged in Estonia and will probably face trial and any judgment over in that country before being extradited. The FBI said it would concentrate on extraditing two of the men arrested &#8212; Anton Ivanov and Valeri Aleksejev &#8212; neither of whom were charged in Estonia but were arrested provisionally.</p>
<p>The U.S. government has had some success in extraditing Estonian cybercriminals. <strong>Sergei Tsurikov</strong>, an Estonian man convicted of participating in the coordinated $9 million ATM heist against RBS WorldPay in late 2008, was <a title="Wired Threat Level Blog" href="http://www.wired.com/threatlevel/2010/08/tsurikov-extradition/" target="_blank">extradited to the U.S. last year</a> after serving part of his time in an Estonian prison. Tsurikov is currently being processed through a federal jail in Atlanta.</p>
<p>A copy of the indictments returned against the seven men is available <a title="Tsastsin Indictment" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/Tsastsin-et-al.-Indictment.pdf" target="_blank">here</a> (PDF). <a title="Delfi" href="http://www.delfi.ee/news/paevauudised/110_112/fotod-kriminaalpolitsei-puistas-tartu-kesklinna-maja.d?id=61270370" target="_blank">This link from Estonian news outlet Delfi</a> includes several pictures of the arrest and seizure of equipment from Rove Digital properties.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>More Than 100 Arrested in Fake Internet Sales</title>
		<link>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/</link>
		<comments>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 15:18:56 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[Adevarul.ro]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[justice department]]></category>
		<category><![CDATA[moneygram]]></category>
		<category><![CDATA[Râmnicu Vâlcea]]></category>
		<category><![CDATA[Romania]]></category>
		<category><![CDATA[western union]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10734</guid>
		<description><![CDATA[Law enforcement officials in Romania and the United States arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.]]></description>
			<content:encoded><![CDATA[
<p>Law enforcement officials in Romania and the United States have arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.</p>
<p>According to <a title="Organized Romanian Criminal Groups Targeted by DOJ and Romanian Law Enforcement" href="http://www.justice.gov/opa/pr/2011/July/11-crm-926.html" target="_blank">a statement</a> from the Justice Department, the scams run by this ring followed a familiar script. Conspirators located in Romania would post items for sale such as cars, motorcycles and boats on Internet auction and online websites. They would instruct interested buyers to wire transfer the purchase money to a fictitious name they claimed to be an employee of an escrow company. Once the victim wired the funds, the co-conspirators in Romania would text information about the wire transfer to co-conspirators in the United States known as “arrows” to enable them to retrieve the wired funds. They would also provide the arrows with instructions as to where to send the funds after retrieval.</p>
<p><span id="more-10734"></span>The arrows in the United States would then visit wire transfer services such as <strong>Western Union</strong> or <strong>MoneyGram</strong>, provide false documents including passports and drivers’ licenses in the name of the recipient of the wire transfer, and grab the cash. They would subsequently wire the funds overseas, typically to individuals in Romania, minus a percentage kept for commissions. The victims would not receive the items they believed they were purchasing. In some cases, co-conspirators in Romania also directed arrows to provide bank accounts in the United States where larger amounts of funds could be wired by victims of the fraud.</p>
<p>Since February 2011, FBI agents and U.S. Justice Department authorities in Florida, Pennsylvania and Texas have arrested or charged at least 21 Romanians and Moldovans in the U.S. who were allegedly members of the ring. Thirteen of those charged have pleaded guilty, and three remain at large.</p>
<p>The Bucharest news agency <strong>Adevarul.ro</strong> has <a title="Google translated version of Adevarul story" href="http://translate.google.com/translate?js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;sl=ro&amp;tl=en&amp;u=http%3A%2F%2Fwww.adevarul.ro%2Flocale%2Fbucuresti%2FPerchezitii_in_Capitala_si_in_opt_orase_90_de_hoti_prinsi_de_FBI_si_adusi_la_DIICOT-_au_furat_pe_internet-de_la_americani-peste_20_de_milioane_de_dolari_0_517148293.html" target="_blank">more details</a> on the 90 Romanians arrested by authorities there in nine different cities. The Romanian authorities say the group stole almost $20 million, about twice as much as the Justice Department estimates.</p>
<p>Some of the Romanians arrested were from the town of <a href="http://maps.google.com/maps?q=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;oe=UTF-8&amp;ie=UTF8&amp;hl=en&amp;geocode=FVI-sAIdBPFzAQ&amp;split=0&amp;sll=37.0625,-95.677068&amp;sspn=23.875,57.630033&amp;hq=&amp;hnear=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;ll=45.104546,24.367676&amp;spn=10.932144,17.687988&amp;z=6">Râmnicu Vâlcea</a>, a location that has become synonymous with online auction fraud. In January, <em>Wired</em> published <a title="How a Remote Town in Romania Has Become Cybercrime Central" href="http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1" target="_blank">a fascinating and readable article</a> on how this remote town of 120,000 residents has become cybercrime central, earning the town the nickname &#8220;hackerville.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>$72M Scareware Ring Used Conficker Worm</title>
		<link>http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/</link>
		<comments>http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 01:22:33 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Jenny Shearer]]></category>
		<category><![CDATA[Joe Stewart]]></category>
		<category><![CDATA[Kaspersky Lab]]></category>
		<category><![CDATA[New York Times]]></category>
		<category><![CDATA[Norman Sanders]]></category>
		<category><![CDATA[Operation Trident Tribunal]]></category>
		<category><![CDATA[SBU]]></category>
		<category><![CDATA[secureworks]]></category>
		<category><![CDATA[Spyware Protect 2009]]></category>
		<category><![CDATA[trafficconverter.biz]]></category>
		<category><![CDATA[Waledac worm]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10417</guid>
		<description><![CDATA[Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime.]]></description>
			<content:encoded><![CDATA[
<p>Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous <strong>Conficker worm</strong>, although it remains unclear how big a role the fast-spreading worm played in this crime.</p>
<div id="attachment_10420" class="wp-caption alignright" style="width: 310px"><a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/xpa.jpg"><img class="size-medium wp-image-10420" title="xpa" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/xpa-300x150.jpg" alt="" width="300" height="150" /></a><p class="wp-caption-text">Image courtesy fbi.gov</p></div>
<p>The Security Service of Ukraine (SBU) said today that it had seized at least 74 pieces of computer equipment and cash from a criminal group suspected of running a massive operation to steal banking information from consumers with the help of Conficker and scareware, a scam that uses misleading security alerts to frighten people into paying for worthless security software. A <a href="http://translate.google.com/translate?js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;sl=uk&amp;tl=en&amp;u=http%3A%2F%2Fwww.sbu.gov.ua%2Fsbu%2Fcontrol%2Fuk%2Fpublish%2Farticle%3Fart_id%3D107626%26cat_id%3D39574" target="_blank">Google-translated version of an SBU press release</a> suggests that the crime gang used Conficker to deploy the scareware, and then used the scareware to launch a virus that stole victims&#8217; financial information.</p>
<p>The Ukrainian action appears to be related to an ongoing international law enforcement effort dubbed <strong>Operation Trident Tribunal</strong> by the <strong>FBI</strong>. In <a href="http://www.fbi.gov/news/pressrel/press-releases/department-of-justice-disrupts-international-cybercrime-rings-distributing-scareware" target="_blank">a statement</a> released Wednesday, the U.S. Justice Department said it had seized 22 computers and servers in the United States that were involved in the scareware scheme. The Justice Department said 25 additional computers and servers located abroad were taken down as part of the operation, in cooperation with authorities in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.</p>
<p>On Tuesday, <em>The New York Times</em> <a title="FBI Seizes Web Servers, Knocking Sites Offline" href="http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/" target="_blank">reported</a> that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn&#8217;t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group &#8220;LulzSec.&#8221; Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation.</p>
<p>The FBI&#8217;s statement confirms the SBU&#8217;s estimate of $72 million in losses, estimating that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU&#8217;s press release names and quotes <strong>Special Agent Norman Sanders</strong> from the FBI&#8217;s Seattle field office, broadly known in the security industry as the agency&#8217;s lead in the Conficker investigation. Conficker first surfaced in November 2008. The SBU said the FBI has been investigating the case for three years. [<strong>Update, June 24, 9:37 a.m.: </strong> Not sure whether this was an oversight or a deliberate attempt to deceive, but <a href="http://bit.ly/jx9cNT" target="_blank">the picture showing the stack of PCs confiscated in this raid</a> is identical to the <a href="http://bit.ly/mRTSrV" target="_blank">one shown in an SBU press release last fall</a>, when the Ukrainian police <a href="http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/" target="_blank">detained five individuals</a> connected to high-profile ZeuS Trojan attacks.]</p>
<p><span id="more-10417"></span>&#8220;Exchanging information with the Security Service, it became clear that the intelligence services of both countries [were] investigating criminal acts of the same persons,&#8221; the SBU said in its prepared statement.</p>
<p>There are no court records of this case publicly available in the United States; a spokesperson at the Justice Department office in the Western District of Washington said the documents remain sealed. She referred questions about the case to the FBI headquarters in Washington, D.C. When asked specifically about the Conficker connection, FBI spokeswoman <strong>Jenny Shearer</strong> would say only that &#8220;there are indications that one of the delivery mechanisms for the scareware in this investigation was a Conficker variant.&#8221;</p>
<p>The Conficker element of this case is interesting for several reasons: The worm was so sophisticated and spread so quickly that it prompted unprecedented cooperation among governments and security experts, who formed the Conficker Working Group to help contain the damage wrought by the worm. Conficker certainly wrought financial damage &#8212; it is estimated to have infected more than 12 million PCs &#8212; but until today there has been little information to suggest that this massive crime machine was used to generate profits for cyber crooks.</p>
<p>I know of two previous instances in which Conficker was linked to scareware scams. The first involved the initial version of the worm, which instructed all infected PCs to visit and download a file from TrafficConverter.biz, the domain of an affiliate program that paid hackers to distribute its brand of scareware. As I reported in <a title="Obscene Profits Fueling Rogue Antivirus Business" href="http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html" target="_blank">a March 2009 story in The Washington Post</a>, the top affiliates for that program were making hundreds of thousands of dollars a month pushing scareware, although it is not clear whether Conficker-infected systems ever received any scareware downloads from the domain. From that story:</p>
<blockquote><p>&#8220;By the time Conficker first surfaced, TrafficConverter was nearing the end of a contest in which the top-selling affiliates competed for prizes, such as computers, fancy cell phones and other electronics. The grand prize? A Lexus IS250, a sports sedan that starts at $36,000.</p>
<p>At first glance, it is tempting to assume that the Conficker worm authors were in league with the operators of TrafficConverter.biz, and thus trying to drive traffic to the site &#8212; perhaps in an attempt to push the contest in favor of one or more affiliates. On the other hand, this may have been an attempt by the Conficker authors or a competing affiliate program to hinder and ultimately shutter TrafficConverter.biz, either by causing law enforcement and the security community to focus their attention on it, or by flooding the site with traffic from hundreds of thousands of Conficker-infected systems.</p>
<p>And flood the site it did. According to [SecureWorks&#8217; Joe] Stewart&#8217;s review of the traffic log files for TrafficConverter.biz, during a 12-hour period on Nov. 24, the site was bombarded <em>by more than 83 million hits from at least 179,000 unique Internet addresses</em>.</p>
<p>The traffic from Conficker.A-infected systems to TrafficConverter.biz might have translated into monster installs for affiliates of the site. Ironically, all of that traffic from Conficker-infected systems appears to have gone to a non-existent page on TrafficConverter.biz, Stewart said. In short, the site missed a pretty huge opportunity to convert a whole lot of traffic.</p>
<p>Still, had the curators of TrafficConverter.biz actually placed a file at that link for download, the resulting traffic from 179,000 systems trying to download that file at the same time probably would have crashed the site entirely, Stewart said.&#8221;</p></blockquote>
<p>Conficker&#8217;s second association with scareware came three weeks after that story. On April 8, 2009, <strong>Kaspersky Lab</strong> <a href="http://www.securelist.com/en/weblog?weblogid=208187654" target="_blank">reported</a> that it had seen some Conficker-infected systems updated with a scareware product called <strong>Spyware Protect 2009</strong>. Kaspersky analysts also discovered that infected PCs were seeded with another update: a version of the <strong>Waledac worm</strong>, which is able to steal data and send spam.</p>
<p>Anyone with information about the identity of the Conficker author(s) could have a lucrative tip on their hands: Microsoft has <a href="http://www.microsoft.com/presspass/press/2009/feb09/02-12confickerpr.mspx" target="_blank">an outstanding $250,000 bounty</a> for information leading to the arrest and conviction of those responsible for launching the worm.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>FBI Scrubbed 19,000 PCs Snared By Coreflood Botnet</title>
		<link>http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-botnet/</link>
		<comments>http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-botnet/#comments</comments>
		<pubDate>Tue, 21 Jun 2011 22:39:07 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Coreflood]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Kenneth Keller]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10373</guid>
		<description><![CDATA[The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court this week. The effort is part of an ongoing and unprecedented legal campaign to tackle one of the longest-running and most menacing online crime machines ever built.

In April, the Justice Department and the FBI were granted unprecedented authority to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.]]></description>
			<content:encoded><![CDATA[
<p>The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built.</p>
<p>In April, the Justice Department and the <strong>FBI</strong> were <a title="U.S. Government Takes Down Coreflood Botnet" href="http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/" target="_blank">granted authority</a> to seize control over Coreflood, a criminal botnet that enslaved millions of computers. On April 11, 2011, the <strong>U.S. Attorney’s Office for the District of Connecticut</strong> was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/corefloodjune2011.jpg"><img class="aligncenter size-full wp-image-10375" title="corefloodjune2011" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/corefloodjune2011.jpg" alt="" width="600" height="369" /></a></p>
<p>In a declaration filed with the district court, FBI special agent <strong>Kenneth Keller</strong> said the bureau has issued approximately 19,000 uninstall commands to infected computers of two dozen identifiable victims in the United States. The FBI said it obtained written consent from all 24 victims, and that none reported any adverse or unintended consequences from the uninstall commands.</p>
<p><span id="more-10373"></span>Keller said the FBI has directly notified hundreds of identifiable victims, and that it has provided information to approximately 25 of the largest Internet service providers in the United States, enabling them to notify their infected customers.</p>
<p>&#8220;The FBI has also provided information about infected computers to law enforcement agencies overseas,&#8221; Keller told the court. &#8220;While it has not been possible to notify the owner of every infected computer, due in part to the difficulty in identifying the computer owners and obtaining accurate contact information for them, the decline in the size of the Coreflood Botnet is likely attributable in large part to the success of the victim notification efforts.&#8221;</p>
<p>Keller said that the continued operation of the substitute server was no longer necessary to prevent the as-yet unidentified defendants from using the Coreflood botnet to commit further wire fraud and bank fraud, or to eavesdrop on victim PC communications.</p>
<p>&#8220;The continued operation of the substitute server is consuming considerable law enforcement resources, because the server is being closely monitored to ensure its proper operation,&#8221; Keller wrote. &#8220;Those resources can be better allocated to other law enforcement investigations, now that the decline in the size of the Coreflood Botnet has leveled off. Also, while the Coreflood software will begin to run on still-infected computers once the substitute server is taken out of operation, the seizure of the Coreflood domains will continue reasonably to prevent the Defendants from obtaining access to those computers or to data stolen from those computers.&#8221;</p>
<p>A copy of Keller&#8217;s declaration is available at <a title="Special Agent Kenneth Keller's Declaration on Coreflood" href="http://krebsonsecurity.com/wp-content/uploads/2011/06/U-Keller-declaration.pdf" target="_blank">this link</a> (PDF).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-botnet/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>U.S. Government Takes Down Coreflood Botnet</title>
		<link>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/</link>
		<comments>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 00:46:25 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[Andrew Fried]]></category>
		<category><![CDATA[Barry Greene]]></category>
		<category><![CDATA[Bredolab]]></category>
		<category><![CDATA[Coreflood]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[gary warner]]></category>
		<category><![CDATA[kim zetter]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[USDOJ]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=9208</guid>
		<description><![CDATA[The U.S. Justice Department and the FBI this week were granted unprecedented authority to seize control over a criminal botnet that enslaved millions of computers and to use that control to disable the malicious software on infected PCs.

The target of the takedown was "Coreflood," an infamous botnet that first emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began using it to defraud owners of the victim PCs by stealing bank account information and draining balances.]]></description>
			<content:encoded><![CDATA[
<p>The <strong>U.S. Justice Department</strong> and the <strong>FBI</strong> were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.</p>
<div id="attachment_9210" class="wp-caption alignright" style="width: 253px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/04/corefloodbotnet.jpg"><img class="size-medium wp-image-9210" title="corefloodbotnet" src="http://krebsonsecurity.com/wp-content/uploads/2011/04/corefloodbotnet-243x300.jpg" alt="Sample network diagram of Coreflood, Source:FBI" width="243" height="300" /></a><p class="wp-caption-text">Sample network diagram of Coreflood, Source:FBI</p></div>
<p>The target of the takedown was &#8220;Coreflood,&#8221; an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.</p>
<p>Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in <a href="http://voices.washingtonpost.com/securityfix/2008/08/online_crime_gang_stole_millio.html" target="_blank">a 2008 story for The Washington Post</a>, this is the same botnet that was used to steal more than $90,000 from <a href="http://www.theregister.co.uk/2005/02/08/e-banking_trojan_lawsuit/" target="_blank">Joe Lopez</a> in 2005, kicking off the first of many high profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.</p>
<p>By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by <strong>Joe Stewart</strong>, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.</p>
<p>On April 11, 2011, the <strong>U.S. Attorney&#8217;s Office for the District of Connecticut</strong> filed a civil complaint against 13 unknown (&#8220;John Doe&#8221;) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.</p>
<p>The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit <a title="ISC.org" href="http://www.isc.org" target="_blank">Internet Systems Consortium</a> (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.</p>
<p>ISC President <strong>Barry Greene</strong> said the government was wary of removing the bot software from infected machines.</p>
<p>&#8220;They didn&#8217;t want to do the uninstall, just exit,&#8221; Greene said. &#8220;Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we&#8217;re doing until now.&#8221;</p>
<p>No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the <a title="Bredolab Mastermind Was Key Spamit Affiliate" href="http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/" target="_blank">Bredolab botnet</a> using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft <a title="Microsoft Hunting Rustock Controllers" href="http://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/" target="_blank">took down the Rustock spam botnet</a> by convincing a court to <a title="Homegrown: Rustock Botnet Fed by U.S. Firms" href="http://krebsonsecurity.com/2011/03/homegrown-rustock-botnet-fed-by-u-s-firms/" target="_blank">grant it control over both the botnet&#8217;s control domains</a> and the hard drives used by those control servers.</p>
<p><span id="more-9208"></span><strong>Andrew Fried</strong>, a botnet expert who runs <strong>Deteque</strong>, a security consultancy in Alexandria, Va., said the action was a long time coming, but he applauded the feds for making it happen. &#8220;We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods,&#8221; Fried said.</p>
<p>Greene said the job now falls to ISPs, security firms, and <strong>Microsoft</strong> to help clean up the pool of PCs that remain infected with Coreflood. Microsoft this week <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fAfcore" target="_blank">shipped an update</a> to remove Coreflood from Windows machines of users who take advantage of the <a title="Malicious Software Removal Tool" href="http://www.microsoft.com/downloads/en/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&amp;displaylang=en" target="_blank">Malicious Software Removal Tool</a>, an anti-malware tool offered through Windows Updates and Automatic Update that looks for and removes many families of infectious software.</p>
<p>Some readers may be alarmed by this news because they are wary of any government actions that involve access to individual computers. Wired.com&#8217;s <strong>Kim Zetter</strong> <a title="Wired.com on the Coreflood Takedown" href="http://www.wired.com/threatlevel/2011/04/coreflood/" target="_blank">writes</a> that the <strong>Electronic Frontier Foundation</strong> is uneasy with the government&#8217;s move, which it called &#8220;an extremely sketchy action to take.&#8221; However, as noted cybercrime expert <strong>Gary Warner</strong> points out in <a title="CyberCrime &amp; Doing Time" href="http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot.html" target="_blank">his blog</a>, the government is offering computer users affected by this week&#8217;s takedown the option to &#8220;opt out&#8221; of the terms of the temporary restraining order.</p>
<p>&#8220;The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood,&#8221; the FBI&#8217;s <a title="FBI Statement on Coreflood Action" href="http://www.fbi.gov/contact-us/field/new-haven-connecticut/" target="_blank">press release</a> states. &#8220;<strong>Identified owners of infected computers will also be told how to &#8216;opt out&#8217; from the TRO, if for some reason they want to keep Coreflood running on their computers.</strong>&#8221;</p>
<p><a href="http://www.justice.gov/opa/pr/2011/April/11-crm-466.html" target="_blank">U.S. Justice Department press release</a></p>
<p><a title="Coreflood Complaint - Source FBI" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_4.pdf" target="_blank">Coreflood Complaint (PDF)</a></p>
<p><a title="Coreflood Seizure Warrant (Source FBI)" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_2.pdf" target="_blank">Coreflood Seizure Warrant (PDF)</a></p>
<p><a title="Coreflood Temporary Restraining Order (Source: FBI)" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_5.pdf" target="_blank">Coreflood Temporary Restraining Order (PDF)</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Fallout from Recent Spear Phishing Attacks?</title>
		<link>http://krebsonsecurity.com/2010/12/fallout-from-recent-spear-phishing-attacks/</link>
		<comments>http://krebsonsecurity.com/2010/12/fallout-from-recent-spear-phishing-attacks/#comments</comments>
		<pubDate>Wed, 15 Dec 2010 23:48:01 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Arc Worldwide]]></category>
		<category><![CDATA[Dan Goodin]]></category>
		<category><![CDATA[deviantART]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Gawker Media]]></category>
		<category><![CDATA[McDonald's]]></category>
		<category><![CDATA[Silverpop Systems]]></category>
		<category><![CDATA[spear phishing]]></category>
		<category><![CDATA[the register]]></category>
		<category><![CDATA[Walgreens]]></category>
		<category><![CDATA[William Rosen]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=7115</guid>
		<description><![CDATA[McDonald's and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of "spear phishing" attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.]]></description>
			<content:encoded><![CDATA[
<p><strong>McDonald&#8217;s</strong> and <strong>Walgreens</strong> this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of &#8220;spear phishing&#8221; attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/phished.jpg"><img class="alignright size-medium wp-image-3064" title="phished" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/phished-300x200.jpg" alt="" width="300" height="200" /></a>On Nov. 24, I published <a href="http://krebsonsecurity.com/2010/11/spear-phishing-attacks-snag-e-mail-marketers/" target="_blank">an investigative piece</a> that said criminals were conducting complex, targeted e-mail attacks against employees at more than 100 <a href="http://en.wikipedia.org/wiki/E-mail_service_provider" target="_blank">e-mail service providers</a> (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations. From that story:</p>
<blockquote><p>&#8220;The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.&#8221;</p></blockquote>
<p>Artist haven <a href="http://deviantart.com" target="_blank">deviantART</a> <a href="http://erictric.com/2010/12/14/devianart-email-database-got-hacked-too/" target="_blank">also disclosed</a> this week that its e-mail database &#8212; including 13 million addresses &#8212; had been hacked. deviantART blamed the breach on <strong>SilverPop Systems Inc.</strong>, an e-mail marketing firm with whom it partners.</p>
<p>McDonald&#8217;s said its data spill was due to hacked computer systems operated by an e-mail database management firm hired by its longtime business partner <strong>Arc Worldwide</strong>, a marketing services arm of advertising firm Leo Burnett. Contacted by phone, Arc Worldwide President <strong>William Rosen</strong> referred all questions to another employee, who declined to return calls seeking comment.</p>
<p>Walgreens didn&#8217;t name the source of the breach, but said it was due to &#8220;unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data.&#8221; Interestingly, Arc Worldwide stated in <a href="http://www.verticalnews.com/premium_newsletters/Marketing-Weekly-News/2009-08-15/5236AM.html" target="_blank">a July 27, 2009 press release</a> that Walgreens had chosen it as the promotion marketing agency of record.</p>
<p>As I was putting this blog post together, I read <a href="http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/" target="_blank">a story</a> by <em>The Register</em> reporter <strong>Dan Goodin</strong> that cited an FBI agent who tied a thread between all of the breaches. Goodin reported that FBI agents looking into the theft of customer data belonging to McDonald&#8217;s are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based <a href="http://www.silverpop.com/" target="_blank">Silverpop Systems</a>. From that piece:</p>
<blockquote><p>“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI&#8217;s Atlanta field office, told <em>The Register</em>. “It appears to be emanating from an overseas location.”</p></blockquote>
<p>In other words, it&#8217;s fair to say we can expect plenty more of these disclosures in the days and weeks ahead. The other thing to keep in mind is that while the customer data at issue in these breach disclosures isn&#8217;t exactly super-sensitive &#8212; e-mail addresses and birthdays, for example &#8212; this information can enable skilled attackers to be more convincing in posing as the victim company in a bid to extract even more useful customer data, such as passwords. One need only look to <a href="http://lifehacker.com/5712785/" target="_blank">the recent breach</a> at <strong>Gawker Media</strong> &#8212; which exposed passwords and user names of 1.3 million users &#8212; to see how often users <a href="http://latimesblogs.latimes.com/technology/2010/12/gawker-websites-and-twitter-hacked-and-spammed-by-gnosis.html" target="_blank">recycle passwords</a> across a large number of Web sites.</p>
<p><strong>Update, Dec. 16, 5:01 p.m. ET:</strong> SilverPop CEO Bill Nussey has published <a href="http://www.silverpop.com/blogs/email-marketing/uncategorized/an-update-on-recent-events.html" target="_blank">a brief response</a> to the incident on the company&#8217;s blog.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/12/fallout-from-recent-spear-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Authorities Nab More ZeuS-Related Money Mules</title>
		<link>http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/</link>
		<comments>http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 15:02:48 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Dorin Codreanu]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Lilian Adam]]></category>
		<category><![CDATA[Moldova]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6372</guid>
		<description><![CDATA[Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months. In Wisconsin, police arrested two young men who were wanted as part of a crackdown in late [...]]]></description>
			<content:encoded><![CDATA[
<p>Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months.</p>
<p>In Wisconsin, police arrested two young men who were wanted as part of <a href="http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/" target="_blank">a crackdown in late September</a> on money mules who were in the United States on J1 student visas. The men, both 21 years old, are thought to have helped transfer money overseas that was stolen from U.S. organizations with the help of malicious software planted by <a href="http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/" target="_blank">attackers in Eastern Europe</a>.</p>
<div id="attachment_6396" class="wp-caption alignright" style="width: 310px"><a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/codadam2.jpg"><img class="size-full wp-image-6396" title="codadam2" src="http://krebsonsecurity.com/wp-content/uploads/2010/11/codadam2.jpg" alt="" width="300" height="199" /></a><p class="wp-caption-text">Codreanu and Adam</p></div>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/codreanu.pdf" target="_blank">Dorin Codreanu</a> and <a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/adam.pdf" target="_blank">Lilian Adam</a>, both originally from Moldova, are being transferred to New York, where they <a href="http://www.fbi.gov/wanted/alert/federal-cyber-crime-charges" target="_blank">were charged</a> on Sept. 30 in connection with the international money laundering scheme (hat tip to <a href="http://nakedsecurity.sophos.com/2010/11/05/two-suspected-zbot-mules-arrested-in-wisconsin/#respond" target="_blank">Sophos</a>).</p>
<p>In related news, the government of Moldova&#8217;s Specialized Services Center for Combating Economic Crimes and Corruption (CCECC) <a href="http://en.cccec.md/news/?nid=395c5e1ad4ec4308c80878ef4d6ebf26" target="_blank">announced</a> late last month that it had detained six individuals suspected of helping the same international ZeuS gang launder money.</p>
<p>All six of those detained were bank employees, and one worked at the Bank of Moldova. According to Moldovan authorities, the suspects allegedly specialized in intercepting <strong>Western Union</strong> and <strong>MoneyGram</strong> payments that mules had sent to Eastern Europe after receiving bank transfers from organizations victimized by the ZeuS Trojan.</p>
<p>Altogether, Moldovan prosecutors are looking at 12 suspects, including a government official who is alleged to have provided the group with copies of ID cards needed to open bank accounts. That nation&#8217;s anti-corruption center said it has conducted over 30 searches at detainees’ houses, and seized at least $300,000, a gun, and two luxury cars.</p>
<p>Eleven of the 37 money mules charged in September in connection with these attacks are still at large. Photos of the suspects are available at <a href="http://www.fbi.gov/wanted/alert/federal-cyber-crime-charges" target="_blank">this alert</a> posted by the FBI.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/feed/</wfw:commentRss>
		<slash:comments>32</slash:comments>
		</item>
		<item>
		<title>Your Money or Your Business</title>
		<link>http://krebsonsecurity.com/2010/11/your-money-or-your-business/</link>
		<comments>http://krebsonsecurity.com/2010/11/your-money-or-your-business/#comments</comments>
		<pubDate>Tue, 02 Nov 2010 21:05:19 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Bank of America]]></category>
		<category><![CDATA[David Brancaccio]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[fs-isac]]></category>
		<category><![CDATA[ic3]]></category>
		<category><![CDATA[Marketplace.org]]></category>
		<category><![CDATA[secret service]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6242</guid>
		<description><![CDATA[New fees levied by financial institutions are likely to push thousands of small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.]]></description>
			<content:encoded><![CDATA[
<p>New fees levied by financial institutions are likely to push many small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.</p>
<p>On the way home from the store last week I caught a Public Radio/Marketplace <a href="http://marketplace.publicradio.org/display/web/2010/10/28/pm-banking-without-the-internet/" target="_blank">story</a> in which the radio show interviewed a small business owner who was nudged into banking online after discovering a $9.99 fee had been added to her business banking account for the privilege of continuing to receive paper statements each month.</p>
<p>The angle of the story was the unfairness of the new fees, considering the estimated 12 million people in the United States who have no or only slow access to the Internet. In the following snippet from that program, Marketplace&#8217;s <strong>David Brancaccio</strong> interviewed a woman from Northern New Hampshire:</p>
<blockquote><p>&#8220;The bank with her personal account still sends monthly statements printed on paper, through the mail, for free. Old school. But this year, one of her business accounts started charging money for paper statements.</p>
<p><strong>Johnson: </strong>That&#8217;s right.</p>
<p><strong>Brancaccio: </strong>How much?</p>
<p><strong>Johnson: </strong>$9.99 a month.</p>
<p><strong>Brancaccio: </strong>Really?</p>
<p><strong>Johnson: </strong>Yes.</p>
<p><strong>Brancaccio: </strong>When did you actually notice?</p>
<p><strong>Johnson: </strong>My bank statement, my paper bank statement! is how I found it!</p>
<p>&#8220;It&#8217;s a growing trend in banking. For instance, Bank of America has something called the E-banking account where paper statements and routine visits to a human teller cost money. It&#8217;s now in more than three dozen states. B of A says techno-savvy customers seem fine with online-only in exchange for no minimum cash balances in the account.&#8221;</p></blockquote>
<p>Johnson didn&#8217;t say which bank her commercial account was at. And for its part, BofA&#8217;s <a href="http://www.businesswire.com/news/home/20100809006034/en/Bank-America-Introduces-eBanking-Checking-Account-Customers" target="_blank">eBanking plan</a> only applies to consumer accounts, not businesses. But if this type of trend becomes more mainstream among commercial banking customers, more and more small businesses will be pushed into banking online without knowing how to protect themselves from organized cyber thieves who have <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">stolen at least $70 million from small to mid-sized organizations</a> over the last few years.</p>
<p>Banks using fees to push customers away from traditional offline banking will at least be a boon to companies offering security services to the banks, said <strong>Dave Jevans</strong>, chairman of the <a href="http://www.antiphishing.org/" target="_blank">Anti-Phishing Working Group</a>, an industry consortium.</p>
<p>&#8220;You&#8217;re going to see a lot more unsophisticated users entering the channel,&#8221; Jevans said.</p>
<p><strong>Avivah Litan</strong>, a fraud analyst with <strong>Gartner Inc.</strong>, said banks should not be pushing more businesses into online banking without adequately informing them of the risks.</p>
<p>&#8220;It&#8217;s not a good time to be forcing people online unless you&#8217;re protecting their rights, or at least making sure they&#8217;re fully aware of the risks,&#8221; Litan said. &#8220;This is happening at the same time the banking industry groups are urging businesses to bank online only from locked down, dedicated systems. But the individual banks don&#8217;t want to talk about this with their customers.&#8221;</p>
<p>What does it take to harden your network, computers, and employees against this type of attack? Apparently, that&#8217;s a difficult question to answer succinctly. Last week, the <strong>FBI</strong>, the <strong>Secret Service</strong>, the <a href="http://www.ic3.gov/default.aspx" target="_blank">Internet Crime Complaint Center</a> and the <strong>Financial Services Information Sharing and Analysis Center</strong> jointly issued a nine-page <a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/ATOTF-Business-Advisory-201010152.pdf" target="_blank">fraud advisory</a> (PDF) for businesses that warned of high-dollar losses from commercial account takeovers.</p>
<p>&#8220;Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts,&#8221; the advisory begins. &#8220;Often these funds may not be recovered.&#8221;</p>
<p>The section on how to protect, detect and respond to these attacks spans five pages of bullet-pointed dos and don&#8217;ts. The entire paper should be required reading for every business owner who banks online, but based on interviews with dozens of victims, I&#8217;d say that a majority of these attacks could have been stopped had the victims observed the following precautions:</p>
<p>-Use a dedicated computer for online banking &#8212; if possible, one that <a href="http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html" target="_blank">does not run <strong>Microsoft Windows</strong></a> (emphasis on non-Windows usage mine).</p>
<p>-Reconcile your accounts daily.</p>
<p>-Talk to your financial institution about <a href="http://www.allbusiness.com/glossaries/positive-pay/4946540-1.html" target="_blank">Positive Pay</a> and other &#8220;out-of-band&#8221; services such as SMS texting, call backs, and batch limits to help protect against altered or counterfeit checks and unauthorized transactions.</p>
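<p>To make the last two precautions concrete, here is an added example of what a daily reconciliation with Positive Pay and batch-limit checks looks like in code. It is not code from the original post or from the FBI/FS-ISAC advisory; the two inputs (the business&#8217;s own &#8220;issue file&#8221; of authorized payments and the bank&#8217;s export of presented debits), their field names, the sample records and the dollar limits are all constructed for illustration. Positive Pay means the bank pays only items that match what the business says it issued; anything else comes back as an exception the business must approve or return before the bank honors it.</p>

```python
"""Daily reconciliation with Positive Pay and batch-limit checks.

Added example: not code from the original post or from the FBI/FS-ISAC
advisory it cites. Field names, sample records and limits are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    ref: str        # check number or ACH trace reference
    amount: Decimal
    payee: str
    kind: str       # "CHECK" or "ACH"


# Constructed sample issue file: what the business authorized today.
ISSUED = [
    Payment("1041", Decimal("1250.00"), "Acme Office Supply", "CHECK"),
    Payment("1042", Decimal("8400.00"), "Northwind Wholesale", "CHECK"),
    Payment("ACH-77", Decimal("3100.00"), "Payroll Services LLC", "ACH"),
]

# Constructed sample bank export: debits the bank paid or holds pending.
PRESENTED = [
    Payment("1041", Decimal("1250.00"), "Acme Office Supply", "CHECK"),
    Payment("1042", Decimal("8900.00"), "Northwind Wholesale", "CHECK"),  # amount altered
    Payment("ACH-77", Decimal("3100.00"), "Payroll Services LLC", "ACH"),
    Payment("ACH-91", Decimal("4975.00"), "J. Smith", "ACH"),  # never issued
    Payment("ACH-92", Decimal("4980.00"), "R. Jones", "ACH"),  # never issued
]

# Stand-in for the payee history a real ledger would hold.
KNOWN_PAYEES = {p.payee for p in ISSUED}


def positive_pay_exceptions(issued, presented):
    """Return (reason, item) for every presented debit that does not match
    the issue file on reference, amount and payee."""
    by_ref = {p.ref: p for p in issued}
    exceptions = []
    for item in presented:
        issue = by_ref.get(item.ref)
        if issue is None:
            exceptions.append(("not_issued", item))
        elif issue.amount != item.amount:
            exceptions.append(("amount_mismatch", item))
        elif issue.payee != item.payee:
            exceptions.append(("payee_mismatch", item))
    return exceptions


def batch_anomalies(presented, known_payees, per_item_limit, batch_limit,
                    max_new_payees=1):
    """Batch-limit style checks on the day's ACH debits: flag a batch whose
    total exceeds the limit agreed with the bank, any single item over the
    per-item limit, and a batch paying more new payees than expected.
    Items parked just under the per-item limit still trip the total and
    new-payee checks, which is why the batch is judged as a whole."""
    ach = [p for p in presented if p.kind == "ACH"]
    reasons = []
    total = sum((p.amount for p in ach), Decimal("0"))
    if total > batch_limit:
        reasons.append(f"batch_total_over_limit:{total}")
    for p in ach:
        if p.amount > per_item_limit:
            reasons.append(f"item_over_limit:{p.ref}")
    new_payees = [p for p in ach if p.payee not in known_payees]
    if len(new_payees) > max_new_payees:
        reasons.append(f"new_payees:{len(new_payees)}")
    return reasons


def daily_check(issued=ISSUED, presented=PRESENTED):
    """One day's reconciliation: Positive Pay exceptions plus batch anomalies.
    The limits are assumed values a business would agree with its bank."""
    exceptions = positive_pay_exceptions(issued, presented)
    anomalies = batch_anomalies(presented, KNOWN_PAYEES,
                                per_item_limit=Decimal("5000.00"),
                                batch_limit=Decimal("10000.00"))
    return {
        "exceptions": [(reason, item.ref) for reason, item in exceptions],
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for key, value in daily_check().items():
        print(key, value)
```

<p>Run against the sample data, the check returns three Positive Pay exceptions (the altered check amount and the two ACH debits the business never issued) and two batch anomalies (the ACH total over the agreed limit, and two payees the business has never paid before). The two unissued items are each deliberately a few dollars under the per-item limit, so a per-transaction check alone would pass them; the batch total and new-payee counts are what catch them.</p>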
<p>The financial and law enforcement group that issued the report also issued <a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/ATOTF-Consumer-Advisory-201010152.pdf" target="_blank">a separate alert for consumers</a> (PDF), which warns consumers to stay away from work-at-home job schemes and to avoid phishing scams. The consumer version of the alert is much shorter, because business owners do not enjoy the same legal protections as consumers when things go wrong with online banking. As a result, a business whose account is hijacked is likely to lose any money from fraudulent transfers that its bank cannot reverse.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/11/your-money-or-your-business/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists</title>
		<link>http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/</link>
		<comments>http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/#comments</comments>
		<pubDate>Sat, 02 Oct 2010 13:53:00 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Gordon M. Snow]]></category>
		<category><![CDATA[JabberZeuS]]></category>
		<category><![CDATA[Operation Trident Breach]]></category>
		<category><![CDATA[Pim Takkenberg]]></category>
		<category><![CDATA[SBU]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=5503</guid>
		<description><![CDATA[Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that stole $70 million – out of an attempted $220 million -- from hundreds of U.S.-based small to mid-sized businesses over the last several years, the FBI said Friday.]]></description>
			<content:encoded><![CDATA[
<p>Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million &#8212; out of an attempted $220 million &#8212; from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the <strong>FBI</strong> said Friday.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/10/howworks.jpg"><img class="alignright size-medium wp-image-5507" title="howworks" src="http://krebsonsecurity.com/wp-content/uploads/2010/10/howworks-300x192.jpg" alt="" width="300" height="192" /></a>At a press briefing on &#8220;Operation Trident Breach,&#8221; FBI officials described the Ukrainian suspects as the &#8220;coders and exploiters&#8221; behind a series of online banking heists that have led to an <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">increasing number of disputes and lawsuits</a> between U.S. banks and the victim businesses that are usually left holding the bag.</p>
<p>The FBI said five individuals detained by the <strong>Security Service of Ukraine</strong> (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing <a href="http://www.avertlabs.com/research/blog/index.php/2010/09/20/zeus-crimeware-toolkit/" target="_blank">ZeuS banking Trojan</a> and deploying the malware in e-mails targeted at small to mid-sized businesses.</p>
<p>Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called &#8220;money mules,&#8221; individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week.</p>
<p>Friday&#8217;s media briefing at the FBI Hoover building in Washington, D.C. was designed to give reporters a clearer view of the sophistication of an organized crime group whose handiwork had largely escaped broader national media attention until this week. On Wednesday, authorities in the United Kingdom <a href="http://krebsonsecurity.com/2010/09/11-charged-in-zeus-money-mule-ring/" target="_blank">charged 11 people</a> there – all Eastern Europeans – with recruiting and managing money mules. Then on Thursday, officials in New York <a href="http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/" target="_blank">announced</a> they had charged 92 and arrested 39 money mules, including dozens of Russians who allegedly acted as mules while visiting the United States on student visas.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/10/ring.jpg"><img class="alignleft size-medium wp-image-5506" title="ring" src="http://krebsonsecurity.com/wp-content/uploads/2010/10/ring-300x146.jpg" alt="" width="300" height="146" /></a>According to sources familiar with the investigation, the arrests, charges and announcements were intended to be executed simultaneously, but U.K. authorities were forced to act early in response to intelligence that several key suspects under surveillance were planning to flee the country.</p>
<p>SBU officials could not be reached for comment. But FBI agents described the Ukrainian group as the brains behind the attacks. <strong>Gordon M. Snow</strong>, assistant director of the FBI&#8217;s Cyber Division, said the individuals detained by the SBU are thought to have worked with the developer of the ZeuS Trojan to order up custom-made components and versions of ZeuS.</p>
<p>For example, security researchers identified one ZeuS variant that was specific to the Ukrainians known as <a href="http://voices.washingtonpost.com/securityfix/2009/08/tighter_security_measures_urge.html" target="_blank">JabberZeuS</a> because it alerted the gang via <a href="http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol" target="_blank">Jabber instant message</a> whenever online banking credentials for customers of specific institutions were stolen.</p>
<p>Snow said this week&#8217;s law enforcement action was a particularly big deal because of the unprecedented level of cooperation from foreign governments, particularly Ukraine and the Netherlands.</p>
<p>&#8220;We worked with legal attachés in 75 countries, and we are very proud of the level of coordination that took place to get this done,&#8221; Snow said.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/10/globalreach.jpg"><img class="alignright size-medium wp-image-5505" title="globalreach" src="http://krebsonsecurity.com/wp-content/uploads/2010/10/globalreach-300x173.jpg" alt="" width="300" height="173" /></a><strong>Pim Takkenberg</strong>, team leader for the<strong> Netherlands Police Agency&#8217;s High Tech Crime Unit</strong>, said his group played a &#8220;small but important role&#8221; in helping to identify the hackers by monitoring the miscreants&#8217; use of Dutch infrastructure.</p>
<p>&#8220;We helped in connecting all the dots together,&#8221; Takkenberg said in a phone interview. &#8220;The Netherlands provides a large portion of the critical internet infrastructure, of which we can monitor certain parts. When criminals are unaware of the fact that they use Dutch infrastructure, that gives us good investigative opportunities. In this particular case we had an interest of our own, since the ZeuS malware made a lot of Dutch victims as well.&#8221;</p>
<p>The FBI&#8217;s Snow said the investigation began in May 2009, when FBI agents in Omaha, Neb. were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts throughout the United States.</p>
<p>I will continue to follow this important story in the days ahead, particularly as more information about the Ukrainian suspects is made public. Stay tuned.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
		</item>
		<item>
		<title>Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College</title>
		<link>http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college/</link>
		<comments>http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college/#comments</comments>
		<pubDate>Wed, 01 Sep 2010 16:02:07 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Agricultural Bank of China]]></category>
		<category><![CDATA[BB&T Bank]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Kathy Still]]></category>
		<category><![CDATA[University of Virginia at Wise]]></category>
		<category><![CDATA[UVA Wise]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4783</guid>
		<description><![CDATA[Cyber crooks stole just shy of $1 million from a satellite campus of <strong>The University of Virginia</strong> last week, KrebsOnSecurity has learned.]]></description>
			<content:encoded><![CDATA[
<p>Cyber crooks stole just shy of $1 million from a satellite campus of <strong>The University of Virginia</strong> last week, KrebsOnSecurity.com has learned.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/08/uvawise.jpg"><img class="alignright size-medium wp-image-4785" title="uvawise" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/uvawise-300x133.jpg" alt="" width="300" height="133" /></a>The attackers stole the money from <a href="http://www.wise.virginia.edu/" target="_blank">The University of Virginia&#8217;s College at Wise</a>, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.</p>
<p><strong>Kathy Still</strong>, director of news and media relations at UVA Wise, declined to offer specifics on the theft, saying only that the school was investigating a hacking incident.</p>
<p>&#8220;All I can say now is we have a possible computer hacking situation under investigation,&#8221; Still said. &#8220;I can also tell you that as far as we can tell, no student data has been compromised.&#8221;</p>
<p>According to several sources familiar with the case, thieves stole the funds after compromising a computer belonging to the university&#8217;s comptroller. The attackers used malware to steal the online banking credentials for the University&#8217;s accounts at <strong>BB&amp;T Bank</strong>, and initiated a single fraudulent wire transfer in the amount of $996,000 to the <a href="http://en.wikipedia.org/wiki/Agricultural_Bank_of_China" target="_blank">Agricultural Bank of China</a>. BB&amp;T declined to comment for this story.</p>
<p>Sources said the FBI is investigating and has possession of the hard drive from the comptroller&#8217;s PC. A spokeswoman at FBI headquarters in Washington, D.C. said that as a matter of policy the FBI does not confirm or deny the existence of investigations.</p>
<p>The attack on UVA Wise is the latest in a string of online bank heists targeting businesses, schools, towns and nonprofits. Last week, cyber thieves <a href="http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims/" target="_blank">stole more than $600,000</a> from the Catholic Diocese of Des Moines, Iowa.</p>
<p><strong>Update, Sept. 4, 4:27 p.m. ET: Jordan Fifer</strong>, a reporter for the <em>Highland Cavalier</em>, the official student newspaper for UVA-Wise, <a href="http://home.uvawise.edu/highlandcavalier/?p=447" target="_blank">writes</a> that school officials now say they have recovered the stolen money.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college/feed/</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
	</channel>
</rss>
