Posts Tagged: Operation Trident Breach


2
Oct 10

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

The FBI said five individuals detained by the Security Service of Ukraine (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing ZeuS banking Trojan and deploying the malware in e-mails targeted at small to mid-sized businesses.

Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called “money mules,” individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week.

Friday’s media briefing at the FBI Hoover building in Washington, D.C. was designed to give reporters a clearer view of the sophistication of an organized crime group whose handiwork had largely escaped broader national media attention until this week. On Wednesday, authorities in the United Kingdom charged 11 people there – all Eastern Europeans – with recruiting and managing money mules. Then on Thursday, officials in New York announced they had charged 92 and arrested 39 money mules, including dozens of Russians who allegedly acted as mules while visiting the United States on student visas.

According to sources familiar with the investigation, the arrests, charges and announcements were intended to be executed simultaneously, but U.K. authorities were forced to act early in response to intelligence that several key suspects under surveillance were planning to flee the country.

SBU officials could not be reached for comment. But FBI agents described the Ukrainian group as the brains behind the attacks. Gordon M. Snow, assistant director of the FBI’s Cyber Division, said the individuals detained by the SBU are thought to have worked with the developer of the ZeuS Trojan to order up custom-made components and versions of ZeuS.

For example, security researchers identified one ZeuS variant that was specific to the Ukrainians known as JabberZeuS because it alerted the gang via Jabber instant message whenever online banking credentials for customers of specific institutions were stolen.

Snow said this week’s law enforcement action was a particularly big deal because of the unprecedented level of cooperation from foreign governments, particularly Ukraine and the Netherlands.

“We worked with legal attachés in 75 countries, and we are very proud of the level of coordination that took place to get this done,” Snow said.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said his group played a “small but important role” in helping to identify the hackers by monitoring the miscreants’ use of Dutch infrastructure.

“We helped in connecting all the dots together,” Takkenberg said in a phone interview. “The Netherlands provide for a large portion of the critical internet infrastructure, of which we can monitor certain parts. When criminals are unaware of the fact that they use Dutch infrastructure, that gives us good investigative opportunities. In this particular case we had an interest of our own, since the ZeuS malware made a lot of Dutch victims as well.”

The FBI’s Snow said the investigation began in May 2009, when FBI agents in Omaha, Neb. were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts through the United States.

I will continue to follow this important story in the days ahead, particularly as more information about the Ukrainian suspects is made public. Stay tuned.


30
Sep 10

U.S. Charges 37 Alleged Money Mules

Troy Owen never thought he’d see the day when the cyber thieves who robbed his company of $800,000 would ever be charged with any crime. Owen said investigators had warned him early on that the perpetrators were mostly overseas in places like Ukraine and Moldova, and that it might be tough to pursue those responsible.

But earlier today, authorities in New York announced they had charged more than 60 individuals — and arrested 20 — in connection with international cyber heists perpetrated against dozens of companies in the United States, including Owen’s.

In November 2009, cyber crooks used a sophisticated password stealing Trojan horse program called “ZeuS” to hack into computers at Owen’s firm — Plano, Texas-based Hillary Machinery. The program swiped the company’s online banking passwords, allowing the attackers to initiate more than $800,000 in bogus transfers out of the company’s online account to dozens of people in the United States who helped launder the money and send it to the attackers in Eastern Europe.

Fraudulent wire transfers from Hillary Machinery.

More than $14,100 of Hillary’s money was wired to Stanislav Rastorgeuv, a 22-year-old Russian national who entered the United States in June 2009 on a “J1″ student visa. According to charging documents, Rastorgeuv was the poster child for money launderers looking to recruit new mules to help retrieve the proceeds of ZeuS Trojan virus attacks.

Authorities say almost all of those arrested or charged in this case are young Eastern Europe men and women who were either planning to travel to, or were already present in, the United States on J1 student visas. Once the students  were in the United States, the organizers  of the mule organization gave  the recruits fake foreign passports to open accounts at local banks.

Then, days or weeks after those accounts were opened, other actors in the group would transfer money from cybercrime victims into the mule accounts, typically in amounts close to $10,000. Once the transfers were complete, the mules would quickly withdraw the money, keep a portion for themselves (usually 8 to 10 percent) and transfer the remaining amount to other participants in the fraud scheme, usually individuals overseas.

Some mules were asked to open a large number of bank accounts to help launder stolen funds. Charging documents say Rastogeuv opened up multiple bank accounts under his own name and using fake passports for fictitious individuals, including the names “Petr Rubsashkin” and “Alexey Iankov.” In addition to the unauthorized transfer sent to him by Hillary Machinery, Rastogeuv allegedly helped to launder nearly $30,000 from other victim companies over the next two months.

U.S. authorities say the ringleader of the New York-based money mule gang was Artem “Artur” Tsygankov, a Russian citizen living in New York who allegedly recruited Rastogeuv and other mules, supplied them with fake identity documents, and managed their daily activities. In all, the New York gang cleared more than $3 million from victim corporations using hundreds of accounts opened under false identities.

Others are charged with hacking into and siphoning funds from online brokerage accounts. Jamal Beyrouti, 53, Lorenzo Babbo, 20, and 29-year-old Vincenzo Vitello worked with hackers who infiltrated trading accounts at E-Trade and TD Ameritrade, executing fraudulent sales of securities and transferring the proceeds to accounts the mules controlled. At the same time, the attackers blasted victims’ phones with a barrage of calls to prevent the brokerage firms from contacting them to confirm the legitimacy of the transactions. The scam allowed mules to transfer roughly $1.2 million from hacked brokerage accounts.

Continue reading →


30
Sep 10

11 Charged In ZeuS & Money Mule Ring

Authorities in the United Kingdom on Wednesday charged 11 individuals with running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the help of the ultra-sophisticated ZeuS banking Trojan.

Yevhen Kulibaba

The gang is believed to be responsible for stealing more than $30 million from banks worldwide between October 2009 and September 28, 2010, and roughly £6 million (US$9.5 million) from financial institutions in the United Kingdom over a three-month period.

Karina Kostromina, in undated photo.

According to sources close to the case, members of the group also were heavily involved in online banking thefts perpetrated against dozens of small businesses and organizations based in the United States. Eight gang members were charged with money laundering, and 10 were charged with conspiracy to defraud. Police arrested 20 people in a pre-dawn raid on Tuesday; nine were bailed on Wednesday. The Metropolitan Police’s Central e-Crime Unit said those individuals may face charges at a later date. Those charged were due to appear in Westminster Magistrates’ Court court early this morning.

The individuals arrested in the U.K. are thought to be a subset of a global cybercrime operation. The Wall Street Journal now reports that the U.S. Attorney’s office in Manhattan is preparing to announce that 60 people have been charged in connection with a major ZeuS crime ring.

Sources say the ringleader of the U.K. gang, 32-year-old Ukrainian property developer Yevhen Kulibaba (pictured above right), shuttled some of the stolen funds from the U.K. to Ukraine and to Latvia, where he has been building a home with his wife. Information obtained by KrebsOnSecurity indicates that Kulibaba’s wife may be Karina Kostromina (pictured above left), a 33-year-old Latvian woman who was among those charged with money laundering and conspiracy in connection with this case. The U.K. Metropolitan Police declined to confirm or deny whether Kulibaba and Kostromina were married, although their public statement puts the two in the same neighborhood – Nevada Heights, Chingford, Essex.

Yuriy Konovalenko

Kulibaba’s right-hand man, 28-year-old Yuriy Konovalenko — also of Nevada Heights — is described by the e-Crime Unit as a self-employed Web designer from Ukraine. Sources say Konovalenko was chiefly responsible for managing a large number of “money mules,” people hired to withdraw, carry or transmit cash stolen by the gang. A review of Konovalenko’s social networking site identities suggests he is a blood relative of Kulibaba’s, but U.K. police declined to confirm or deny this information.

Also charged with conspiracy and stealing money from online bank accounts is Milka Valerij (pictured below), a 29-year-old Ukrainian whom U.K. police say was a building laborer.

Milka Valerij

The oldest alleged member of the group — 34 year-old Georgian Zurab Revazishvili — is facing violations of the U.K. Identity Cards Act of 2005, which makes it a crime to possess false identity documents. The Metropolitan Police statement on the crimes doesn’t specify what Revazishvili’s role was, but sources say he may have been responsible for creating false identity documents for the gang’s money mules.

Continue reading →