Posts Tagged: RICO Act


8
Jul 14

Feds Charge Carding Kingpin in Retail Hacks

The U.S. Justice Department on Monday announced the arrest of a Russian hacker accused of running a network of online crime shops that sold credit and debit card data stolen in breaches at restaurants and retailers throughout the United States.

The government alleges that the hacker known in the underground as “nCux” and “Bulba” was Roman Seleznev, a 30-year-old Russian citizen who was recently arrested by the U.S. Secret Service.

Seleznev was initially identified by the government in 2012, when it named him as part of a conspiracy involving more than three dozen popular merchants on carder[dot]su, a bustling fraud forum where Bulba and other members openly marketed various cybercrime-oriented services.

According to Seleznev’s own indictment, which was filed in 2011 but made public this week, he was allegedly part of a group that hacked into restaurants between 2009 and 2011 and planted malicious software to steal card data from store point-of-sale devices.

The indictment further alleges that Seleznev and unnamed accomplices used his online monikers to sell stolen credit and debit cards at bulba[dot]cc and track2[dot]name. Customers of these services paid for their cards with virtual currencies, including WebMoney and Bitcoin. As explained in the screen shot below, the track2[dot]name site stopped accepting new members in 2011, and new applicants were directed to bulba[dot]cc, which claimed to be an authorized reseller.

Bulba[dot]cc, as it looked in May 2011.

Bulba[dot]cc, as it looked in May 2011.

Recently, however, track2[dot]name began accepting new members who agreed to pay up-front deposits. The deposits ranged from one bitcoin (about $624 USD) for a basic account, to 20 bitcoins (roughly $12,484 USD) for a “corporate” account that is eligible for generous volume discounts and lengthy replacement times for purchased cards that turn out later to be canceled by issuing banks. Continue reading →


26
Mar 12

Microsoft Takes Down Dozens of Zeus, SpyEye Botnets

Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.

Microsoft, U.S. Marshals pay a surprise visit to a Scranton, Pa. hosting facility.

In a consolidated legal filing, Microsoft received court approval to seize several servers in Scranton, Penn. and Lombard, Ill. used to control dozens of ZeuS and SpyEye botnets. The company also was granted permission to take control of 800 domains that were used by the crime machines.The company published a video showing a portion of the seizures, conducted late last week with the help of U.S. Marshals.

This is the latest in a string of botnet takedowns executed by Microsoft’s legal team, but it appears to be the first one in which the company invoked the Racketeer Influenced and Corrupt Organizations (RICO) Act.

“The RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets,” wrote Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. “By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the “organization” were not necessarily part of the core enterprise.”

It’s too soon to say how much of an impact this effort will have, or whether it will last long. Previous takedowns by Microsoft — such as its targeting of the Kelihos botnet last fall — have produced mixed results. There also are indications that this takedown may have impacted legitimate — albeit hacked — sites that crooks were using in their botnet operations. According to data recorded by Abuse.ch, a Swiss security site that tracks ZeuS and SpyEye control servers, some of the domains Microsoft seized appear to belong to legitimate businesses whose sites were compromised and used to host components of the malware infrastructure. Among them is a site in Italy that sells iPhone cases, a Thai social networking forum, and a site in San Diego that teaches dance lessons.

The effort also shines a spotlight on an elusive group of cyber thieves operating out of Ukraine who have been tagged as the brains behind a great deal of the ebanking losses over the past five years, including the authors of ZeuS (Slavik/Monstr) and SpyEye (Harderman/Gribodemon), both identities that were outed on this blog more than 18 months ago. Over the past few years, KrebsOnSecurity has amassed a virtual treasure trove of data about these and other individuals named in the complaint. Look for a follow-up piece with more details on these actors.

A breakdown of the court documents related to this case is available at zeuslegalnotice.com.