Zeus is a do-it-yourself software kit that gives criminals most of the pieces they need to build and maintain botnets used to steal bank account information. Over the past several years, it has emerged as a major source of fraud for banks, according to Chris Larsen, senior malware researcher at Blue Coat Systems. A large number of crime gangs use Zeus to infect unsuspecting PC users with malware that surreptitiously records keystrokes to steal account information, passwords and other security codes, he said. Users unwittingly get directed to Websites where the Zeus malware resides after clicking on a link in an e-mail message that looks harmless or authentic.
A variant of Zeus even displays a screenshot of the bank account statement that users see when they access their accounts online, Larsen said. This way, users don't notice the money leaving the account until it's too late.
"The Zeus Trojan allegedly allowed the hackers, from thousands of miles away, to get their hands on other peoples' money," said FBI Assistant Director Janice Fedarcyk.
The charges range from bank fraud and false use of a passport to money laundering and conspiracy to commit wire fraud. Maximum prison sentences range from 10 years to 30 years and fines from $250,000 to $1 million per count.
The indictment marks the culmination of a yearlong investigation, dubbed Operation ACHing mules, conducted by several state and federal agencies, including the FBI, the New York Police Department, the State Department and the U.S. Secret Service. It was triggered when New York police detectives went to a Bronx bank in February to investigate a suspicious $44,000 withdrawal, according to the statement issued by the FBI and other law enforcement agencies.
It is difficult for banks to protect against Trojans like Zeus because they record keystrokes, said Larsen. Instead, users need to be proactive about their own security by patching their computers against known exploits and actively monitoring their activity, he said.
Banks' internal fraud alerts don't always work, as mule accounts are generally located in the same country as the compromised accounts and balances are kept below $10,000.
"I would expect this bust to make existing groups take notice and watch their tracks even more especially in the short term, but it's not likely to have any significant sustained effect. The risk versus rewards are still too great," said Cox.