Federal prosecutors in New York City charged 37 people on Sept. 30 in connection with a cyber-crime ring that looted millions of dollars from victims’ bank accounts.
The defendants, mostly in their 20s, are accused of using the Zeus Trojan to steal more than $3 million.
The victims were primarily small businesses and municipalities, according to the indictment, although there were some breached brokerage accounts at TD Ameritrade and eTrade.
“This group was one of the premier Zeus operators in the underground,” said Alex Cox, principal analyst for NetWitness.
Of the people named in the indictment, 10 were arrested by federal and New York law enforcement officials today, while 10 were arrested previously. Seventeen still remain at large, either in the United States or abroad. All in all, 60 people have been charged by both federal and state authorities in the operation.
The charges were announced only a day after Scotland Yard arrested 19 people as part of a similar criminal organization that used the Zeus Trojan.
The timing of the two sets of arrests seems too close to be a coincidence, leading many to speculate that the investigation was a coordinated effort between law enforcement agencies in the United Kingdom and the United States.
“From our eyes, it appears the U.K. arrests by the Metropolitan Police were the ringleaders, the controllers, and the people arrested in the U.S. were the money mules of the operation,” said Chester Wisniewski, a senior security adviser at Sophos.
While he has yet to see any “hard evidence” linking the two investigations, Wisniewski pointed to other similarities, such as the nationalities of the alleged criminals. Both groups were primarily Eastern European, namely Ukrainian and Estonian, he said. The indictment mentioned that a package of forged passports was sent from the U.K., he said. He also noticed a similarity in the types of visitor visas held by the suspects: the ones named in the U.S. indictment held J-1 visas.
The J-1 visa allows visitors participating in cultural exchange or training programs to enter the United States. According to the indictment, the group allegedly recruited mules through ads on Russian-language Websites seeking students with J-1 visas who could open bank accounts in the United States.
The mules allegedly kept a small percentage of the stolen money and wired the remainder to overseas bank accounts, often in Asia.
Zeus Gives Criminals Pieces They Need
Zeus is a do-it-yourself software kit that gives criminals most of the pieces they need to build and maintain botnets used to steal bank account information. Over the past several years, it has emerged as a major source of fraud for banks, according to Chris Larsen, senior malware researcher at Blue Coat Systems. A large number of crime gangs use Zeus to infect unsuspecting PC users with malware that surreptitiously records keystrokes to steal account information, passwords and other security codes, he said. Users unwittingly get directed to Websites where the Zeus malware resides after clicking on a link in an e-mail message that looks harmless or authentic.
A variant of Zeus even displays a screenshot of the account statement, rather than the live balance, when users log in to their accounts online, Larsen said. This way, users don’t notice the money leaving the account until it’s too late.
“The Zeus Trojan allegedly allowed the hackers, from thousands of miles away, to get their hands on other people’s money,” said FBI Assistant Director Janice Fedarcyk.
The charges range from bank fraud and false use of a passport to money laundering and conspiracy to commit wire fraud. Maximum prison sentences range from 10 years to 30 years and fines from $250,000 to $1 million per count.
The indictment marks the culmination of a yearlong investigation, dubbed Operation ACHing mules, conducted by several state and federal agencies, including the FBI, the New York Police Department, the State Department and the U.S. Secret Service. It was triggered when New York police detectives went to a Bronx bank in February to investigate a suspicious $44,000 withdrawal, according to the statement issued by the FBI and other law enforcement agencies.
It is difficult for banks to protect against Trojans like Zeus because the malware records keystrokes on the customer’s own computer, said Larsen. Instead, users need to be proactive about their own security by patching their computers against known exploits and actively monitoring their account activity, he said.
Banks’ internal fraud alerts don’t always work either: mule accounts are generally located in the same country as the compromised accounts, and the amounts moved are kept below $10,000.
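The two evasion tactics just described defeat rules that look at one transaction at a time. As an added illustration (not code from the article or any bank), the Python below runs a per-transaction rule keyed on amount and destination country over a constructed ledger, then two aggregate rules that look at the same data differently: one sums a source account’s outgoing transfers and distinct payees over a sliding window, the other pairs a domestic credit to an account with a prompt outbound foreign wire of most of that amount. Account names, amounts, thresholds and the $10,000 figure as a rule cut-off are all assumptions for the sake of the example.

```python
"""Added example (not from the article): why amount/geography fraud rules miss
Zeus-style mule cash-outs, and two aggregate checks that surface them.
All transactions below are constructed, not real banking data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_COUNTRY = "US"


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str          # debited account
    dst: str          # credited account
    amount: float
    dst_country: str  # country where dst is held


T0 = datetime(2010, 2, 1, 9, 0)
# Constructed ledger: a small business drained in sub-$10,000 pieces to four
# domestic mule accounts, one mule forwarding most of its cut abroad, plus two
# ordinary transfers as benign background.
SAMPLE = [
    Transfer(T0, "BIZ-001", "MULE-1", 4800.0, HOME_COUNTRY),
    Transfer(T0 + timedelta(hours=5), "BIZ-001", "MULE-2", 4500.0, HOME_COUNTRY),
    Transfer(T0 + timedelta(days=1), "BIZ-001", "MULE-3", 4900.0, HOME_COUNTRY),
    Transfer(T0 + timedelta(days=1, hours=3), "MULE-1", "ACCT-HK-7", 4300.0, "HK"),
    Transfer(T0 + timedelta(days=2), "BIZ-001", "MULE-4", 4700.0, HOME_COUNTRY),
    Transfer(T0 + timedelta(days=3), "BIZ-001", "OFFICE-SUPPLY", 260.0, HOME_COUNTRY),
    Transfer(T0 + timedelta(days=4), "CUST-77", "CUST-77-SAVINGS", 1500.0, HOME_COUNTRY),
]


def naive_alerts(transfers, single_threshold=10_000.0):
    """Per-transaction rule: large amount or cross-border destination.
    Misses the victim's payments entirely: each is small and domestic."""
    return [t for t in transfers
            if t.amount >= single_threshold or t.dst_country != HOME_COUNTRY]


def structuring_alerts(transfers, window=timedelta(days=7),
                       aggregate_threshold=10_000.0, min_payees=3):
    """Per-source rule: inside a sliding window, sum outgoing transfers and count
    distinct payees. Many small payments to many recipients that add up past the
    threshold look like a drained account even though no single transfer trips
    the per-transaction limit. Returns {src: largest window total that alerted}."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    alerts = {}
    for src, outs in by_src.items():
        outs.sort(key=lambda t: t.ts)
        for i, cur in enumerate(outs):
            recent = [t for t in outs[:i + 1] if cur.ts - t.ts <= window]
            total = sum(t.amount for t in recent)
            payees = {t.dst for t in recent}
            if total >= aggregate_threshold and len(payees) >= min_payees:
                alerts[src] = max(total, alerts.get(src, 0.0))
    return alerts


def pass_through_alerts(transfers, max_delay=timedelta(days=2), min_ratio=0.8):
    """Mule-side rule: a domestic credit followed within max_delay by an outbound
    foreign wire of most of that amount. Returns {mule account: upstream source}."""
    inbound = defaultdict(list)
    for t in transfers:
        if t.dst_country == HOME_COUNTRY:
            inbound[t.dst].append(t)
    alerts = {}
    for out in transfers:
        if out.dst_country == HOME_COUNTRY:
            continue
        for inc in inbound.get(out.src, []):
            delay = out.ts - inc.ts
            if timedelta(0) <= delay <= max_delay and out.amount >= min_ratio * inc.amount:
                alerts[out.src] = inc.src
    return alerts


if __name__ == "__main__":
    print("naive rule flags:", [(t.src, t.dst, t.amount) for t in naive_alerts(SAMPLE)])
    print("structuring rule flags:", structuring_alerts(SAMPLE))
    print("pass-through rule flags:", pass_through_alerts(SAMPLE))
```

On this ledger the per-transaction rule fires only on the mule’s outbound wire to Hong Kong, after the victim’s money is already gone; the window rule flags the victim account while the first few transfers are still in flight, and the pass-through rule names the mule account together with the account it was fed from, which is the pair an investigator would want to see side by side.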
“I would expect this bust to make existing groups take notice and watch their tracks even more, especially in the short term, but it’s not likely to have any significant sustained effect. The risk versus rewards are still too great,” said Cox.