
More Than 80 Arrested In Alleged Zeus Banking Scam

Eastern European cybercriminals teamed with foreign students who opened accounts in the U.S., authorities say

Law enforcement authorities have leveled charges against more than 80 people in connection with a banking scam that was built on Zeus malware.

According to FBI press releases and wire service reports, hackers in Eastern Europe used the increasingly popular Zeus malware to steal usernames and passwords by teaming with foreign students who opened bank accounts in the United States.

The scam resulted in the theft of at least $3 million from American bank accounts, authorities said today.

Thirty-seven people were charged in court papers unsealed in U.S. District Court in Manhattan with conspiracy to commit bank fraud, money laundering, false identification use, and passport fraud for their roles in the invasion of dozens of victims' accounts, U.S. Attorney Preet Bharara said. Fifty-five have been charged in state court in Manhattan.

He said the victims included five banks and dozens of individuals with accounts throughout the country.

Nine New York-area people and one person in the Pittsburgh area were arrested early Thursday, said FBI Assistant Director Janice K. Fedarcyk, head of the New York office. Others had already been arrested and at least 17 are fugitives, she added.

In a series of criminal complaints filed in the case, the FBI said the scheme originated with information gleaned from computers through the use of a Zeus Trojan that was able to access the bank accounts of small and midsize businesses and municipal entities in the U.S.

The Zeus banking Trojan enabled hackers to secretly monitor the victims' computer activity, enabling them to obtain bank account numbers, passwords, and authentication information as the victim typed them into the infected computer, the FBI said.

The scheme relied on individuals known as "money mules" in the United States to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.

New York District Attorney Cyrus Vance Jr., a state prosecutor, said people from the Russian Federation, Ukraine, Kazakhstan, and Belarus who had obtained student visas to come to the United States were recruited through social networking sites and newspaper advertisements to open hundreds of U.S. bank accounts for fraudulent purposes.

He said the money stolen from the victims would be deposited into the bank accounts and then transferred in smaller amounts elsewhere. Authorities said those who set up the bank accounts would keep 8 to 10 percent for themselves before sending the rest to others involved in the scheme.
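The laundering pattern described above (a large inbound credit, quickly forwarded onward in several smaller transfers, with roughly 8 to 10 percent kept by the account holder) is the kind of signal a bank's fraud team can look for in its own ledger. The following is an added example, not code from the article or from any of the organizations quoted in it; the `Txn` record, the thresholds, the account names and the ledger entries are all constructed for illustration, and the retention band is set a little wider than the reported 8 to 10 percent so that the rule tolerates fees and rounding.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    """One ledger entry. Positive amount = credit into the account, negative = debit out."""
    account: str
    when: datetime
    amount: float
    counterparty: str


def find_mule_candidates(txns, window_days=7, min_credit=5000.0,
                         min_outflows=2, cut_min=0.05, cut_max=0.15):
    """Flag accounts that receive a large credit and, within window_days, forward most of it
    onward in at least min_outflows smaller transfers, retaining a cut between cut_min and
    cut_max. The default band brackets the 8 to 10 percent described in the article."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)

    findings = []
    for account, entries in by_account.items():
        entries.sort(key=lambda t: t.when)
        for i, credit in enumerate(entries):
            if credit.amount < min_credit:
                continue
            deadline = credit.when + timedelta(days=window_days)
            outflows = [t for t in entries[i + 1:]
                        if t.amount < 0 and t.when <= deadline]
            if len(outflows) < min_outflows:
                continue
            # The article describes onward transfers "in smaller amounts": every hop out
            # must be smaller than the inbound credit that funded it.
            if any(-t.amount >= credit.amount for t in outflows):
                continue
            forwarded = -sum(t.amount for t in outflows)
            retained_share = (credit.amount - forwarded) / credit.amount
            if cut_min <= retained_share <= cut_max:
                findings.append({
                    "account": account,
                    "credit_from": credit.counterparty,
                    "credit_amount": credit.amount,
                    "forwarded": forwarded,
                    "retained_share": round(retained_share, 4),
                    "destinations": sorted({t.counterparty for t in outflows}),
                })
    return findings


# Constructed sample ledger (not real transaction data).
SAMPLE_LEDGER = [
    # Suspected mule: $44,000 business credit, three smaller hops out within days, about 9% kept.
    Txn("ACCT-MULE-1", datetime(2010, 2, 1), 44000.0, "BIZ-PAYROLL-CO"),
    Txn("ACCT-MULE-1", datetime(2010, 2, 2), -20000.0, "WIRE-OVERSEAS-A"),
    Txn("ACCT-MULE-1", datetime(2010, 2, 2), -15000.0, "WIRE-OVERSEAS-B"),
    Txn("ACCT-MULE-1", datetime(2010, 2, 4), -5000.0, "CASH-WITHDRAWAL"),
    # Ordinary account: salary in, most of it stays.
    Txn("ACCT-NORMAL-1", datetime(2010, 2, 1), 6000.0, "EMPLOYER"),
    Txn("ACCT-NORMAL-1", datetime(2010, 2, 3), -1200.0, "LANDLORD"),
    Txn("ACCT-NORMAL-1", datetime(2010, 2, 5), -300.0, "UTILITY"),
    # One large payment weeks later: too few hops and outside the window.
    Txn("ACCT-NORMAL-2", datetime(2010, 2, 1), 10000.0, "CLIENT"),
    Txn("ACCT-NORMAL-2", datetime(2010, 2, 20), -9100.0, "SUPPLIER"),
]


if __name__ == "__main__":
    for finding in find_mule_candidates(SAMPLE_LEDGER):
        print(finding)
```

Only `ACCT-MULE-1` is reported: it forwarded $40,000 of a $44,000 credit to three destinations within three days and kept about 9 percent. The two ordinary accounts fall outside the rule on retention share, hop count or timing. In practice the thresholds would be tuned against the institution's own false-positive rate, and a hit would feed a review queue rather than trigger an automatic block.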

"This advanced cybercrime ring is a disturbing example of organized crime in the 21st century -- high tech and widespread," Vance said.

Gregory Antenson, commanding officer of the city police department's Financial Crimes Task Force, said the police department's detectives literally walked into the international probe that was already under way when they showed up at a Bronx bank in February to investigate a suspicious $44,000 withdrawal.

Noa Bar-Yosef, senior security strategist at Imperva, offered some insight on how the scam probably operated.

"These criminals operated Zeus one of two ways: either the bots used were under their own control, or, and more likely the case, they rented a bot from a bot 'farmer,'" Bar-Yosef says. "The bot farmer grows and manages the bot, and the criminals then rented and used it.

"The hacking rings we see today take on a more organized approach, similar to a drug cartel or a cyber-mafia," Bar-Yosef says. "There is a hierarchy with employees that have a distinct role in the scheme -- the researcher looking for different ways to infect machines, the botnet farmer operating the bots, the botnet dealer renting the bots, and the actual 'consumer' who monetizes on the virtual goods received by the bot.

"In this scheme, these bots did more than just harvest user credentials -- they injected code into the user's browser so that the user thinks they have a legitimate connection with their bank. In fact, the user was actually engaging with the Trojan.

"Banks need to step up their security measures -- instead of being reactionary after the fact, try to be proactive by guessing the next steps of the hackers," Bar-Yosef advises. "The banks can [use] the uncovering of this Zeus [exploit] to learn more about how these gangs work. They can see how the attack code was adapted over time and analyze the modification of methods, which can help them anticipate the next move hackers are likely going to make."
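The browser-side injection Bar-Yosef describes works by altering the bank's page as the victim sees it, which is why one of the proactive measures banks took was to compare what the customer's browser actually rendered against the page the bank knows it served. The following is an added example of that comparison, not code from the article or from Imperva; the `FormFieldCollector` class, the `EXPECTED_FORMS` template and both HTML snippets are constructed for illustration, and a real deployment would obtain the rendered page from the client (for example from an integrity script) rather than from a string literal.

```python
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collects the names of input/select/textarea elements inside each <form>."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = {}  # form id -> set of field names seen in that form

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_form = attrs.get("id", "(anonymous)")
            self.fields.setdefault(self.current_form, set())
        elif tag in ("input", "select", "textarea") and self.current_form is not None:
            name = attrs.get("name")
            if name:
                self.fields[self.current_form].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


# Assumed template: the fields the bank's own login page is known to render.
EXPECTED_FORMS = {"login": {"username", "password", "csrf_token"}}


def unexpected_fields(html):
    """Return {form_id: [field, ...]} for every field present in the rendered page
    that the bank's template does not contain. An empty dict means the page matches."""
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    report = {}
    for form_id, names in collector.fields.items():
        extra = names - EXPECTED_FORMS.get(form_id, set())
        if extra:
            report[form_id] = sorted(extra)
    return report


# Constructed pages (not taken from any real bank).
CLEAN_PAGE = """
<form id="login" action="/login" method="post">
  <input name="csrf_token" type="hidden" value="abc123">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
"""

# The same page after the kind of in-browser modification the article describes:
# extra fields have been added that the bank never asks for.
INJECTED_PAGE = """
<form id="login" action="/login" method="post">
  <input name="csrf_token" type="hidden" value="abc123">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="atm_pin" type="password">
  <input name="ssn" type="text">
</form>
"""


if __name__ == "__main__":
    print("clean page:", unexpected_fields(CLEAN_PAGE))
    print("modified page:", unexpected_fields(INJECTED_PAGE))
```

The clean page produces an empty report; the modified page reports the two fields the template never contained. The same diff works in the other direction (fields the template expects but the page lacks, which can indicate a replaced form), and the report is the kind of evidence Bar-Yosef suggests banks collect over time to see how the injected code is adapted.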

Alex Cox, principal analyst with NetWitness, says the arrests probably will not discourage similar types of attacks in the future.

"The belief is that this group was one of the premier Zeus operators in the underground -- few have been as successful operating at this level," Cox says. "Operators at this level tend to work under a high level of suspicion already, so I would expect this bust to make existing groups take notice and watch their tracks even more, especially in the short term. But it's not likely to have any significant sustained effect -- the risk vs. rewards are still too great.

"The popularity and power of Zeus is that it offers a very low barrier to entry, with a high possibility of return. As such, the use of Zeus is prolific to the point that we see it in the vast majority of organizations who call us in to assess them -- either via infected hosts inside the corporate network, or being used to commit fraud via the business online portals.

"Infection mechanisms in this case were likely a combination of exploits -- phishing and second stage malware payload," Cox suggests. "This works, so there is no need to change it or do anything different."

"These arrests show that some of the criminal groups behind Zeus are doing a poor job in covering their tracks," says Mickey Boodaei, CEO of secure browsing service provider Trusteer. "The police did a great job in tracing down this group and gathering information that can facilitate their arrest. This is not a simple task.

"In a recent initiative by Trusteer and a few other organizations, we were able to actually penetrate the criminals' servers and gather a lot of evidence from them," Boodaei says. "This shows that criminals are vulnerable.

"By running more operations like this -- and by the banks and other organizations investing effort in tracing fraudsters and not just blocking their activities -- there is a good chance we can lower the volumes of attacks," Boodaei says. "Customers can take their banks' advice and implement fraud prevention tools that provide valuable capabilities to banks in detecting and blocking these threats."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
