September 29, 2010

Authorities in the United Kingdom on Tuesday arrested 19 individuals alleged to be connected to a massive fraud ring that has stolen tens of millions of dollars from hundreds of consumers and small to mid-sized businesses in the U.K. and the United States.

Members of the group — described as 15 men and 4 women between the ages of 23 and 47 — are thought to be part of a sophisticated, multinational computer crime operation that stole almost $10 million over a three month period and may have netted more than $30 million, according to an article in today’s  Daily Mail.

Investigators say the gang plundered bank accounts with the help of the ZeuS Trojan, which steals online banking credentials, and allows the thieves to connect back through the victim’s PC and Internet connection to initiate unauthorized transfers.

The Daily Mail story has some nice photos of those arrested, but the piece is otherwise light on details. According to several of my sources who have helped with or participated in the investigation that led to this week’s arrests, the group used ZeuS to steal online banking credentials from tens of thousands of victims, but it focused on extracting money from high-dollar accounts belonging to businesses.

Sources say the UK gang is part of a larger organization that is directly responsible for most of the e-banking heists that I have been writing about for the past 14 months. These attacks targeted bank accounts belonging to schools, libraries, towns, cities, law firms, and a broad range of small to mid-sized companies and nonprofit organizations.

In nearly every case, the gang initiated large batches of bogus payroll payments from victim businesses, sending the money in sub-$10,000 chunks to money mules, unwitting or willing individuals recruited through job search sites. The mules would then withdraw the funds in cash from their banks, and wire the loot – minus a small “commission” — to additional Eastern European mules recruited by the gang.

More to come. Stay tuned.

18 thoughts on “19 Arrested in Multi-Million Dollar ZeuS Heists

  1. JackRussell

    I guess I assumed that the real crooks were in Eastern Europe, but this says that the Eastern Europeans were a 2nd layer of money mules used to try and launder the money.

    I have confidence that the U.K. authorities will be able to prosecute these guys. But the question remains whether there are other gangs out there still doing the same thing.

    1. JS

      It saddens me to see the young ages and descriptions of those accused as part of the ZeuS ring.

      However I have to ask a few pointed questions.
      1) where did they learn this the basics of this hustle?

      2) Who have they taught it too?

      3) Were they savy enough to have their get out point or did the investigators catch them ala John Dillinger who inevitably fell due to law enforcment handing out favors and money for solid tips.

      In terms of being eastern European based gang I have to put my Tom Clancy hat on and ask:
      What do former SB, KGB, Stasi coders and analysts do now a days or when they got out if they were ever brought in?

      ZeuS targeted money, what key loggers and data scrappers were being targeted by the secret police arms of the communists at internal matters, private citizens, and Western European companies like Airbus, BAE, etc Let alone US companies and their subsidiaries.

      Makes me really worry. I’m sure many cold war hustles and software tool chests didn’t get buried or blown up by treaty.

      1. RJ

        I know I am being stereotypical, but none of the accused’s pictures fit in with what I’d picture the master minds to be like. Not to mention just a laptop? Just one? Where do they do the testing?

        What is the possibility that ZeuS is sold (and perhaps supported) as a turnkey? It’s the way I would do it. Get other goons to do the running around for you, supply the software in exchange for a small cut (paid via WU or other traceless methods used by the underground).

  2. BK

    Jack, there are plenty of other gangs out there doing the same thing. Comes down to dealing with the individual countries LEO, corruption, amount of $$$ involved in crime, etc. For the most part it’s still the wild west out there.

    1. RJ

      Woah, they infect the phone as well? How do they know what phone to target, though? Not to mention relying on the user to run an app from an unknown SMS user.

      It seems a bit hit and miss way of doing it, I thought.

      1. Matt

        In this case they know which phone by directly asking the user from the banks website after the user logs in (ZeuS’s MITB – they control the user browser) Then they show a red message “You must download a bank security certificate to your phone to continue to receive security tokens, click here” currently they are only doing symbian and blackberry however the writing is on the wall for all mobile based authentication.

        Once they start throwing money towards the mobile trojan developers there is no reason this problem wont grow, it will move from blackhat demonstrations to a real world criminal business. Mobiles while generally more insulated from the web become less so with every added feature and there are far less anti virus/trojan programs running on smartphones for them to contend with.

        If they are not already doing it the current versions of ZeuS will specifically start infecting phones when users connect to their pc’s to add/remove mp3’s or other mobile related maintenance like backing up emails. There are lots of ways into mobiles once they put the time into it.

        The next move if they are not already doing it will be away from the targeted mobile attack towards a more general mobile trojan network, probably becoming a internal business in of itself. The mobile trojan will sms/upload from the phones identifying markers to a C&C any without having to wait for the user to do any mobile banking, an obvious alternative identifier would be email addresses the phone logs into or IM usernames etc. In this way the user identity can be bought and sold as they currently do with other aspects of the crime puzzle and mobile identities correlated with their pc based ones.

        1. RJ

          I didn’t see that there were more posts on the topic on the blog you linked to (subscribed to it). Thanks for explaining it anyway.

          Very interesting stuff. I notice that the number is hardcoded into the application. I wonder how they operate that service? Would they have a phone rigged up to a laptop that is used for the sending/recieving? They must know that it can be triangulated. I suppose it is only a matter of time before they are using other infected phones as relays to get the codes to the C&C linked number. At the moment it seems that the C&C number can easily be identified, tracked, monitored and disconnected.

          1. RJ

            Yes it is a scary thought, JCit.

            It also occured to me, why do you have to resort to SMS to get the code? Why not just use the 3G (or even WAP if it is setup)?

    2. JCitizen

      This is not surprising to me, with the way folks have a habit of connecting their phone to the same PC they bank with.

      Of course, even with ‘non-smart’ phones, so many of them download ring tones and music from questionable sources also.

    3. brian krebs

      Oh shoot. I just remembered that I wrote up a blog post about the S21sec findings but never published them. Look for a blog post on this later Thursday or Friday.

  3. Philip

    Even if they also target phones, mobile phone based 2-factor auth still makes success harder for them. And that’s what it’s all about – making it harder. We won’t ever be able to keep them “out” completely, but we should be able to get to a point where their effort and return become more evenly balanced. Today, they make $$$$$ without any effort at all. More LEO activity, like described in this article, also helps, because higher odds of getting caught raises the “cost of doing business” considerably for them. Thanks for reporting, Brian, it is largely thanks to you that this topic stays alive in the news.

    1. JCitizen

      I like Passwindow(I’m not a spammer); even if your phone is compromised, the crook won’t be able to decipher what kind of authentication you are using.

      Even if they figure it out; I still don’t see how it could be compromised. Especially since it is so scalable.

  4. Geo

    I’ve read the article in the DM and to be honest the guy doesn’t look like a “BH mastermind” to me.
    Most probably he bough the kit from the internet and put it to use.
    As Brain pointed out recently you don’t have to be a savvy techie to use these “tools” nowadays … most of them are point and click and you don’t need MIT for that.
    The “real crocks” are still there and still getting paid…

  5. John

    As Krebs On Security has now been reporting since early 2009, cyber-theft is an established crime, growing fast, and a threat to your business and you.

    To download a letter you can take to your bank, get your Congressperson to act, or join victims, experts and concerned citizens to address this crisis, go to:

Comments are closed.