While the arrest of members of the SpyEye gang is something to cheer about, the suspects are most likely low-level money mules and the developers of the banking Trojan remain at large.
U.K. police have arrested
three alleged members of the SpyEye gang. Security researchers consider SpyEye,
a banking Trojan that harvests victims' personal credentials, the de facto
successor to the Zeus Trojan.
Two of the men were charged
on April 8, but the third man was released on bail on the condition that he
return for further questioning in August, police said, according to a report by
Pavel Cyganoc, a Lithuanian living in Birmingham, England, and Aldis Krummins,
a Latvian living in Goole, England, were both charged with conspiracy to
defraud and concealing the proceeds of crime.
Cyganoc was also charged
with conspiracy to cause unauthorized modifications to computers, police said.
The Police Central e-Crime
Unit, a specialized group based in Scotland Yard, made the arrests "in
connection with an international investigation into a group suspected of
utilizing malware to infect personal computers and retrieve private banking
Along with the arrests,
police also seized computer equipment and data. The investigation is still
However, these arrests won't
affect the gang's activities, as the suspects are most likely fairly low in the
hierarchy, Sean Bodmer, senior threat analyst at Damballah, told eWEEK.
"Unfortunately, these are
not the primary authors [members of the Roman team] behind SpyEye development,"
Bodmer said. Damballa had information on four developers behind the Trojan,
which had been gathered by infiltrating the botnet's command-and-control
servers, according to Bodmer. "None of the names and ages match any of the
information" of the arrested suspects, said Bodmer.
It's difficult for law
enforcement to track the higher members of the SpyEye gang as they use many
names and numerous VPN services to hide their tracks, Bodmer said. They also
have a "smart" chain-of-command where the authors are removed from daily
operations of the botnets and sales of the crimeware kit.
The suspects are most likely
money mules, the individuals who accept stolen funds in their personal accounts
and move it to the actual gang's accounts for a slice of the proceeds. Even so,
it's important not to underestimate the impact of the arrests, as the
criminals' activities have been disrupted, Troy Gill, security analyst at
AppRiver, told eWEEK. The information gained during the arrests could also play
a role in bringing down the larger group, Gill said.
Security analysts have been
watching SpyEye for some time, especially after there were reports of its merging
late last fall. The most recent version of the SpyEye code is a
closely guarded secret, according to Bodmer. The older versions are available
online, as an attack kit for SpyEye is available on underground cyber-crime
forums for around $1,000 per license. With the kit, practically anyone can
create a customized version of the Trojan.
That appears to be the case
here, as the three-month investigation revolved around the group's customized
version of the SpyEye Trojan. "There are many independently operating
criminal gangs who purchase crimeware tools like Zeus and SpyEye, and it would
appear that one of these gangs is now looking out the window at the gray bar
hotel," Chet Wisniewski, senior security advisor at Sophos, told eWEEK.
The arrests will likely not affect the other SpyEye variants that are
available, and the code remains available for even more variants.
The team behind SpyEye is
most likely making money off of the sale of malware instead of using it to
actually steal account credentials, Fred Touchette, a senior security analyst
at AppRiver, told eWEEK. Arresting the "script kiddies" helps send a
message that law enforcement isn't going to put up with the malware, Touchette
Much more work has to be
done to put a dent in online
, Wisniewski said.
There have been joint
international efforts in the past between the U.K. police and the United States
Federal Bureau of Investigation to execute raids and arrest cyber-crime
suspects. The largest and most prominent bust was last October when authorities
arrested dozens of money mules working with the gang behind the Zeus
in both the U.K. and U.S.
Even with the code merger
between the two Trojans, Zeus is still active as standalone malware.