Posts Tagged: SBU


23
Jun 11

$72M Scareware Ring Used Conficker Worm

Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime.

Image courtesy fbi.gov

The Security Service of Ukraine (SBU) said today that it had seized at least 74 pieces of computer equipment and cash from a criminal group suspected of running a massive operation to steal banking information from consumers with the help of Conficker and scareware, a scam that uses misleading security alerts to frighten people into paying for worthless security software. A Google-translated version of an SBU press release suggests that the crime gang used Conficker to deploy the scareware, and then used the scareware to launch a virus that stole victims’ financial information.

The Ukrainian action appears to be related to an ongoing international law enforcement effort dubbed Operation Trident Tribunal by the FBI. In a statement released Wednesday, the U.S. Justice Department said it had seized 22 computers and servers in the United States that were involved in the scareware scheme. The Justice Department said 25 additional computers and servers located abroad were taken down as part of the operation, in cooperation with authorities in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.

On Tuesday, The New York Times reported that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn’t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group “Lulzsec.” Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation.

The FBI’s statement confirms the SBU’s estimate of $72 million losses, estimating that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU’s press release names and quotes Special Agent Norman Sanders from the FBI’s Seattle field office, broadly known in the security industry as the agency’s lead in the Conficker investigation. Conficker first surfaced in November 2008. The SBU said the FBI has been investigating the case for three years. [Update, June 24, 9:37 a.m.: Not sure whether this was an oversight or a deliberate attempt to deceive, but the picture showing the stack of PCs confiscated in this raid is identical to the one shown in an SBU press release last fall, when the Ukrainian police detained five individuals connected to high-profile ZeuS Trojan attacks.]

Continue reading →


2
Oct 10

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

The FBI said five individuals detained by the Security Service of Ukraine (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing ZeuS banking Trojan and deploying the malware in e-mails targeted at small to mid-sized businesses.

Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called “money mules,” individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week.

Friday’s media briefing at the FBI Hoover building in Washington, D.C. was designed to give reporters a clearer view of the sophistication of an organized crime group whose handiwork had largely escaped broader national media attention until this week. On Wednesday, authorities in the United Kingdom charged 11 people there – all Eastern Europeans – with recruiting and managing money mules. Then on Thursday, officials in New York announced they had charged 92 and arrested 39 money mules, including dozens of Russians who allegedly acted as mules while visiting the United States on student visas.

According to sources familiar with the investigation, the arrests, charges and announcements were intended to be executed simultaneously, but U.K. authorities were forced to act early in response to intelligence that several key suspects under surveillance were planning to flee the country.

SBU officials could not be reached for comment. But FBI agents described the Ukrainian group as the brains behind the attacks. Gordon M. Snow, assistant director of the FBI’s Cyber Division, said the individuals detained by the SBU are thought to have worked with the developer of the ZeuS Trojan to order up custom-made components and versions of ZeuS.

For example, security researchers identified one ZeuS variant that was specific to the Ukrainians known as JabberZeuS because it alerted the gang via Jabber instant message whenever online banking credentials for customers of specific institutions were stolen.

Snow said this week’s law enforcement action was a particularly big deal because of the unprecedented level of cooperation from foreign governments, particularly Ukraine and the Netherlands.

“We worked with legal attachés in 75 countries, and we are very proud of the level of coordination that took place to get this done,” Snow said.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said his group played a “small but important role” in helping to identify the hackers by monitoring the miscreants’ use of Dutch infrastructure.

“We helped in connecting all the dots together,” Takkenberg said in a phone interview. “The Netherlands provide for a large portion of the critical internet infrastructure, of which we can monitor certain parts. When criminals are unaware of the fact that they use Dutch infrastructure, that gives us good investigative opportunities. In this particular case we had an interest of our own, since the ZeuS malware made a lot of Dutch victims as well.”

The FBI’s Snow said the investigation began in May 2009, when FBI agents in Omaha, Neb. were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts through the United States.

I will continue to follow this important story in the days ahead, particularly as more information about the Ukrainian suspects is made public. Stay tuned.