Posts Tagged: Dridex


4 Nov 16

Ne’er-Do-Well News and Cyber Justice

Way back in the last millennium when I was a lowly copy aide at The Washington Post, I pitched the Metro Section editor on an idea for a new column: “And the Good News Is…” The editor laughed me out of her office. But I still think it’s a decent idea — particularly in the context of cybersecurity — to periodically highlight the good news when people allegedly responsible for spewing so much badness online are made to face justice.

NCA officials lead away a suspect arrested in this week’s raids. Image: NCA.

In the United Kingdom this week, 14 people were arrested on suspicion of laundering at least £11 million (~USD $13.7M) on behalf of thieves who stole the money using sophisticated banking Trojans like Dridex and Dyre. A statement issued by the U.K.’s National Crime Agency (NCA) said 13 men and a woman, aged between 23 and 52, were arrested in the roundup, including a number of foreign nationals.

The NCA warned in a report released this year that cybercrime had overtaken traditional crime in the United Kingdom. According to the U.K.’s Office of National Statistics, there were 2.46 million cyber incidents and 2.11 million victims of cybercrime in the U.K. in 2015.

Also in the U.K., 19-year-old Adam Mudd pleaded guilty to operating and profiting from Titanium Stresser, an attack-for-hire or “booter” service that could be hired to knock Web sites offline. When U.K. authorities arrested Mudd at his home last year, they found detailed records of the attack service’s customers and victims, which included evidence of more than 1.7 million attacks. Prosecutors say Mudd launched the service when he was 15 years old.

TitaniumStresser[dot]net, as it appeared in 2014.

As I noted in this 2014 story, the source code for Titanium Stresser was later used by miscreants with the Lizard Squad hacking group to power their Lizard Stresser attack service. Happily, two other 19-year-olds were arrested earlier this month and accused of operating the Lizard Stresser attack service. It’s nice to see authorities here and abroad sending a message that operating a booter service can land you in jail, full stop.


15 Jul 16

Cybercrime Overtakes Traditional Crime in UK

In a notable sign of the times, cybercrime has now surpassed all other forms of crime in the United Kingdom, the nation’s National Crime Agency (NCA) warned in a new report. It remains unclear how closely the rest of the world tracks the U.K.’s experience, but the report reminds readers that the problem is likely far worse than the numbers suggest, noting that cybercrime is vastly under-reported by victims.

The NCA’s Cyber Crime Assessment 2016, released July 7, 2016, highlights the need for stronger law enforcement and business partnership to fight cybercrime. According to the NCA, cybercrime emerged as the largest proportion of total crime in the U.K., with “cyber enabled fraud” making up 36 percent of all crime reported, and “computer misuse” accounting for 17 percent.

One explanation for the growth of cybercrime reports in the U.K. may be that the Brits are getting better at tracking it. The report notes that the U.K. Office of National Statistics only began including cybercrime for the first time last year in its annual Crime Survey for England and Wales.

“The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the U.K. in 2015,” the report’s authors wrote. “These figures highlight the clear shortfall in established reporting, with only 16,349 cyber dependent and approximately 700,000 cyber-enabled incidents reported to Action Fraud over the same period.”

The report also focuses on the increasing sophistication of organized cybercrime gangs that develop and deploy targeted, complex malicious software — such as Dridex and Dyre, which are aimed at emptying consumer and business bank accounts in the U.K. and elsewhere.

Avivah Litan, a fraud analyst with Gartner Inc., said cyber fraudsters in the U.K. bring their best game when targeting U.K. banks, which generally require far more stringent customer-facing security measures than U.S. banks — including smart cards and one-time tokens.

“I’m definitely hearing more about advanced attacks on U.K. banks than in the U.S.,” Litan said, adding that the anti-fraud measures put in place by U.K. banks have forced cybercriminals to focus more on social engineering U.K. retail and commercial banking customers.


7 Sep 15

Arrests Tied to Citadel, Dridex Malware

Authorities in Europe have arrested alleged key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex. The arrests involved a Russian national and a Moldovan man, both of whom were traveling or residing outside of their native countries and are now facing extradition to the United States.

Last week, a 30-year-old from Moldova who was wanted by U.S. authorities was arrested in Paphos — a coastal vacation spot in Cyprus where the accused was reportedly staying with his wife. A story in the Cyprus Mail has few other details about the arrest, other than to say authorities believe the man was responsible for more than $3.5 million in bank fraud using a PC.

Sources close to the investigation say the man is a key figure in an organized crime gang responsible for developing and using a powerful banking Trojan known as “Dridex” (a.k.a. Cridex, Bugat). The Dridex gang is thought to have spun off from the “Business Club,” an Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide.

In June 2014, the U.S. Justice Department joined multiple international law enforcement agencies and security firms in taking down the Business Club’s key asset: the Gameover ZeuS botnet, an ultra-sophisticated, global crime machine that infected upwards of a half-million PCs and was used in countless cyberheists. Dridex would first emerge in July 2014, a month after the Gameover ZeuS botnet was dismantled.

Separately, the press in Norway writes about a 27-year-old Russian man identified only as “Mark” who was reportedly arrested in the Norwegian town of Fredrikstad at the request of the FBI. The story notes that American authorities believe Mark is the software developer behind Citadel, a malware-as-a-service product that played a key role in countless cyberheists against American and European small businesses.

For example, Citadel was thought to have been the very same malware used to steal usernames and passwords from a Pennsylvania heating and air conditioning vendor; those same stolen credentials were reportedly leveraged in the breach that resulted in the theft of nearly 40 million credit cards from Target Corp. in November and December of 2013.

The Norwegian newspaper VG writes that Mark has been held under house arrest for the past 11 months, while the FBI tries to work out his extradition to the United States. His detention is being fought by Russia, which is naturally opposed to the treatment he may receive in the United States and says the evidence against Mark is scant.

According to VG, the U.S. Justice Department believes Mark is none other than “Aquabox,” the nickname chosen by the proprietor of the Citadel malware, which was created based off of the source code for the ZeuS Trojan malware. Citadel was sold and marketed as a service that let buyers and users interact with the developer and one another, to solicit feedback on how to fix bugs in the malware program, and to request new features in the malware going forward.

For a full translation of the original Citadel sales pitch as penned by Aquabox in 2011, see this link (PDF). For a full translated version of the VG story on Mark, see this PDF (thanks to KrebsOnSecurity reader Jeevan Sivagnanasuntharam for helping with the translation). VG notes that Mark continues to maintain his innocence. [Side note: The Citadel malware has for years had in its code a dig directed at the author of this blog: Included in the guts of the Trojan is the text string, “Coded by BRIAN KREBS for personal use only. I love my job & wife.” Needless to say, the second part of that statement is true, but Citadel was not coded by this Brian Krebs.]

A text string inside of the Citadel trojan. Source: AhnLab

Ars Technica carries an interesting piece about Deniss Calovskis, a Latvian man who was arrested in February and extradited to the United States for his role in creating the Gozi virus, another powerful malware family that has been used in countless cyberheists. The 30-year-old Calovskis long maintained his innocence, but ultimately acknowledged his role in a guilty plea entered in a federal court in Manhattan last week.


16 Feb 15

The Great Bank Heist, or Death by 1,000 Cuts?

I received a number of media requests and emails from readers over the weekend to comment on a front-page New York Times story about an organized gang of cybercriminals pulling off “one of the largest bank heists ever.” Turns out, I reported on this gang’s activities in December 2014, although my story ran minus many of the superlatives in the Times piece.

The Times’ story, “Bank Hackers Steal Millions Via Malware,” looks at the activities of an Eastern European cybercrime group that Russian security firm Kaspersky Lab calls the “Carbanak” gang. According to Kaspersky, this group deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million — possibly as high as USD $1 billion.

Image: Kaspersky

Such jaw-dropping numbers were missing from a story I wrote in December 2014 about this same outfit, Gang Hacked ATMs From Inside Banks. That piece was based on similar research published (PDF) jointly by Dutch security firm Fox-IT and by Group-IB, a Russian computer forensics company. Fox-IT and Group-IB called the crime group “Anunak,” and described how the crooks sent malware-laced Microsoft Office attachments in spear phishing attacks to compromise specific users inside targeted banks.

“Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards,” my December 2014 story observed. “But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.”

I also noted that a source told me this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

Andy Chandler, Fox-IT’s general manager and senior vice president, said the group profiled in its December report and the group in the Kaspersky study are the same.

“Anunak or Carbanak are the same,” Chandler said. “We continue to track this organization but there are no major revelations since December. So far in 2015, the financial industry have been kept busy by other more creative criminal groups,” such as those responsible for spreading the Dyre and Dridex banking malware, he said.