Gozi Trojan Prosecutions Mark Rare Victory Against Bank Cyber-Fraud

U.S. law enforcement announce the indictment of three people accused of creating and using the Gozi trojan to steal money from banks, sending a message to cyber-criminals.

The arrest of three men in the United States, Romania and Latvia for the creation and spread of the banking trojan known as Gozi will send a message to other cyber-criminals that they are not outside the international reach of law enforcement, but will likely have little other impact, security experts said.

Indictments unsealed on Jan. 23 accuse Russian Nikita Kuzmin, Romanian Mihai Ionut Paunescu, and Latvian Deniss Calovskis of using and modifying the Gozi trojan, also referred to as a virus, so that it infected more than a million computer systems worldwide and cost consumers and businesses tens of millions of dollars.

Kuzmin allegedly created the Gozi program in 2005, hiring a programmer to write the source code and then leasing it to other criminal customers. Calovskis allegedly modified the program to inject malicious code into banking pages as seen by the victims to ask for personal information, while Paunescu is believed to have provided bulletproof hosting services to foil defenders attempts to identify and take down compromised computers.

The arrests send a strong message that cyber-criminals can be caught and prosecuted, even when they are operating abroad, said George Tubin, senior security strategist, Trusteer.

"Right now, they are not all that worried," Tubin said. "So it's good that this does send a message to the people getting into the business that there is some danger, there is a good chance that you will be found out and prosecuted for it."

While information about the cases was released on Jan. 23, Kuzmin had already been caught in November 2010 in the United States and plead guilty to charges of computer intrusion and fraud in May 2011. The two other accused men were arrested in their respective countries in November and December last year.

The Gozi trojan compromised more than 40,000 victims in the United States and about a million computers in other nations, including France, Finland, Germany, Italy, Turkey and the United Kingdom. Computers at the National Aeronautics and Space Administration (NASA) were among those compromised, prosecutors stated. The malicious code allowed Kuzmin to remotely control the compromised systems as a botnet, installing additional code to steal information and access banks accounts.

Operating across international jurisdictions to investigate and prosecute cyber-criminals has been a major hurdle for law enforcement agencies worldwide. Cooperating across jurisdictions is one of the main reasons for the creation of the European Cybercrime Center earlier this month.

"It costs a fortune to keep pace with organized criminals, to have the forensic equipment and software needed to do this in a coordinated way,” Troels Oerting, head of the new European Cybercrime Centre, told the Wall Street Journal. “Instead of the member states spending the same money, we are asking them about their needs and then we will do it in a centralized way."

Last March, FBI Director Robert Mueller said that private and public organizations need to better share data to be more effective against cyber-criminals.

While the arrests will not impact spam levels or fraud level in the same way that some private botnet takedown efforts have, continuing to send a message to criminals is good business, said Trusteer's Tubin.

"These people in the underground market, they pretty much operate under this assumption of anonymity," he said. "So I think it sends a good message to aggressively hunt down and prosecute them."