
More Than 80 Arrested In Alleged Zeus Banking Scam

Eastern European cybercriminals teamed with foreign students who opened accounts in the U.S., authorities say

Law enforcement authorities have leveled charges against more than 80 people in connection with a banking scam that was built on Zeus malware.

According to FBI press releases and wire service reports, hackers in Eastern Europe used the increasingly popular Zeus malware to steal usernames and passwords by teaming with foreign students who opened bank accounts in the United States.

The scam resulted in the theft of at least $3 million from American bank accounts, authorities said today.

Thirty-seven people were charged in court papers unsealed in U.S. District Court in Manhattan with conspiracy to commit bank fraud, money laundering, false identification use, and passport fraud for their roles in the invasion of dozens of victims' accounts, U.S. Attorney Preet Bharara said. Fifty-five have been charged in state court in Manhattan.

He said the victims included five banks and dozens of individuals with accounts throughout the country.

Nine New York-area people and one person in the Pittsburgh area were arrested early Thursday, said FBI Assistant Director Janice K. Fedarcyk, head of the New York office. Others had already been arrested and at least 17 are fugitives, she added.

In a series of criminal complaints filed in the case, the FBI said the scheme originated with information gleaned from computers through the use of a Zeus Trojan that was able to access the bank accounts of small and midsize businesses and municipal entities in the U.S.

The Zeus banking Trojan enabled hackers to secretly monitor the victims' computer activity, enabling them to obtain bank account numbers, passwords, and authentication information as the victim typed them into the infected computer, the FBI said.

The scheme relied on individuals known as "money mules" in the United States to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.

New York District Attorney Cyrus Vance Jr., a state prosecutor, said people from the Russian Federation, Ukraine, Kazakhstan, and Belarus who had obtained student visas to come to the United States were recruited through social networking sites and newspaper advertisements to open hundreds of U.S. bank accounts for fraudulent purposes.

He said the money stolen from the victims would be deposited into the bank accounts and then transferred in smaller amounts elsewhere. Authorities said those who set up the bank accounts would keep 8 to 10 percent for themselves before sending the rest to others involved in the scheme.
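The deposit-then-split pattern described above is the kind of thing a bank's fraud team can screen for in its own ledger. The following is an added illustration, not code from the article or the investigation; the ledger rows, the thresholds and the account names are constructed, and the "retained cut" heuristic is only one simple signal, not a complete mule-detection model.

```python
"""Flag mule-like accounts: a sizable inbound credit followed, within a short
window, by several smaller outbound transfers that leave only a small cut
(the 8 to 10 percent the article describes). Constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample ledger: (account, timestamp, direction, amount)
SAMPLE_LEDGER = [
    ("acct-A", datetime(2010, 2, 1, 9, 0), "in", 44000.0),
    ("acct-A", datetime(2010, 2, 1, 10, 30), "out", 20000.0),
    ("acct-A", datetime(2010, 2, 1, 15, 0), "out", 19600.0),  # keeps ~10%
    ("acct-B", datetime(2010, 2, 1, 9, 0), "in", 6000.0),     # one full transfer
    ("acct-B", datetime(2010, 2, 1, 11, 0), "out", 6000.0),
    ("acct-C", datetime(2010, 2, 1, 9, 0), "in", 50000.0),    # money mostly stays
    ("acct-C", datetime(2010, 2, 2, 9, 0), "out", 1000.0),
]


def flag_mule_like_accounts(ledger, window_hours=72, min_inbound=5000.0,
                            min_outbound_count=2, max_retained=0.15):
    """Return {account: [(inbound, outbound_total, retained_fraction), ...]}
    for every inbound credit >= min_inbound that is followed inside
    window_hours by at least min_outbound_count outbound transfers which
    move the money on, leaving a retained fraction <= max_retained."""
    window = timedelta(hours=window_hours)
    by_account = {}
    for acct, ts, direction, amount in ledger:
        by_account.setdefault(acct, []).append((ts, direction, amount))

    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()  # chronological order per account
        for i, (ts, direction, amount) in enumerate(rows):
            if direction != "in" or amount < min_inbound:
                continue
            # Outbound transfers that follow this credit within the window.
            outs = [a for t, d, a in rows[i + 1:]
                    if d == "out" and t - ts <= window]
            if len(outs) < min_outbound_count:
                continue
            out_total = sum(outs)
            retained = (amount - out_total) / amount
            if 0.0 <= retained <= max_retained:
                flagged.setdefault(acct, []).append((amount, out_total, retained))
    return flagged
```

Only acct-A is flagged on the sample data: 44,000 in, 39,600 out in two smaller pieces, a 10 percent cut kept.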

"This advanced cybercrime ring is a disturbing example of organized crime in the 21st century -- high tech and widespread," Vance said.

Gregory Antenson, commanding officer of the city police department's Financial Crimes Task Force, said the police department's detectives literally walked into the international probe that was already under way when they showed up at a Bronx bank in February to investigate a suspicious $44,000 withdrawal.

Noa Bar-Yosef, senior security strategist at Imperva, offered some insight on how the scam probably operated.

"These criminals operated Zeus one of two ways: either the bots used were under their own control, or, and more likely the case, they rented a bot from a bot 'farmer,'" Bar-Yosef says. "The bot farmer grows and manages the bot, and the criminals then rented and used it.

"The hacking rings we see today take on a more organized approach, similar to a drug cartel or a cyber-mafia," Bar-Yosef says. "There is a hierarchy with employees that have a distinct role in the scheme -- the researcher looking for different ways to infect machines, the botnet farmer operating the bots, the botnet dealer renting the bots, and the actual 'consumer' who monetizes on the virtual goods received by the bot.

"In this scheme, these bots did more than just harvest user credentials -- they injected code into the user's browser so that the user thinks they have a legitimate connection with their bank. In fact, the user was actually engaging with the Trojan.

"Banks need to step up their security measures -- instead of being reactionary after the fact, try to be proactive by guessing the next steps of the hackers," Bar-Yosef advises. "The banks can [use] the uncovering of this Zeus [exploit] to learn more about how these gangs work. They can see how the attack code was adapted over time and analyze the modification of methods, which can help them anticipate the next move hackers are likely going to make."

Alex Cox, principal analyst with NetWitness, says the arrests probably will not discourage similar types of attacks in the future.

"The belief is that this group was one of the premier Zeus operators in the underground -- few have been as successful operating at this level," Cox says. "Operators at this level tend to work under a high level of suspicion already, so I would expect this bust to make existing groups take notice and watch their tracks even more, especially in the short term. But it's not likely to have any significant sustained effect -- the risk vs. rewards are still too great.

"The popularity and power of Zeus is that it offers a very low barrier to entry, with a high possibility of return. As such, the use of Zeus is prolific to the point that we see it in the vast majority of organizations who call us in to assess them -- either via infected hosts inside the corporate network, or being used to commit fraud via the business online portals.

"Infection mechanisms in this case were likely a combination of exploits -- phishing and second stage malware payload," Cox suggests. "This works, so there is no need to change it or do anything different."

"These arrests show that some of the criminal groups behind Zeus are doing a poor job in covering their tracks," says Mickey Boodaei, CEO of secure browsing service provider Trusteer. "The police did a great job in tracing down this group and gathering information that can facilitate their arrest. This is not a simple task.

"In a recent initiative by Trusteer and a few other organizations, we were able to actually penetrate the criminals' servers and gather a lot of evidence from them," Boodaei says. "This shows that criminals are vulnerable.

"By running more operations like this -- and by the banks and other organizations investing effort in tracing fraudsters and not just blocking their activities -- there is a good chance we can lower the volumes of attacks," Boodaei says. "Customers can take their banks' advice and implement fraud prevention tools that provide valuable capabilities to banks in detecting and blocking these threats."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio