More Than 80 Arrested In Alleged Zeus Banking Scam

Eastern European cybercriminals teamed with foreign students who opened accounts in the U.S., authorities say

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 30, 2010

6 Min Read

Law enforcement authorities have leveled charges against more than 80 people in connection with a banking scam that was built on Zeus malware.

According to FBI press releases and wire service reports, hackers in Eastern Europe used the increasingly popular Zeus malware to steal usernames and passwords by teaming with foreign students who opened bank accounts in the United States.

The scam resulted in the theft of at least $3 million from American bank accounts, authorities said today.

Thirty-seven people were charged in court papers unsealed in U.S. District Court in Manhattan with conspiracy to commit bank fraud, money laundering, false identification use, and passport fraud for their roles in the invasion of dozens of victims' accounts, U.S. Attorney Preet Bharara said. Fifty-five have been charged in state court in Manhattan.

He said the victims included five banks and dozens of individuals with accounts throughout the country.

Nine New York-area people and one person in the Pittsburgh area were arrested early Thursday, said FBI Assistant Director Janice K. Fedarcyk, head of the New York office. Others had already been arrested and at least 17 are fugitives, she added.

In a series of criminal complaints filed in the case, the FBI said the scheme originated with information gleaned from computers through the use of a Zeus Trojan that was able to access the bank accounts of small and midsize businesses and municipal entities in the U.S.

The Zeus banking Trojan enabled hackers to secretly monitor the victims' computer activity, enabling them to obtain bank account numbers, passwords, and authentication information as the victim typed them into the infected computer, the FBI said.

The scheme relied on individuals known as "money mules" in the United States to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.

New York District Attorney Cyrus Vance Jr., a state prosecutor, said people from the Russian Federation, Ukraine, Kazakhstan, and Belarus who had obtained student visas to come to the United States were recruited through social networking sites and newspaper advertisements to open hundreds of U.S. bank accounts for fraudulent purposes.

He said the money stolen from the victims would be deposited into the bank accounts and then transferred in smaller amounts elsewhere. Authorities said those who set up the bank accounts would keep 8 to 10 percent for themselves before sending the rest to others involved in the scheme.

"This advanced cybercrime ring is a disturbing example of organized crime in the 21st century -- high tech and widespread," Vance said.

Gregory Antenson, commanding officer of the city police department's Financial Crimes Task Force, said the police department's detectives literally walked into the international probe that was already under way when they showed up at a Bronx bank in February to investigate a suspicious $44,000 withdrawal.

Noa Bar-Yosef, senior security strategist at Imperva, offered some insight on how the scam probably operated.

"These criminals operated Zeus one of two ways: either the bots used were under their own control, or, and more likely the case, they rented a bot from a bot 'farmer," Bar-Yosef says. "The bot farmer grows and manages the bot, and the criminals then rented and used it.

"The hacking rings we see today take on a more organized approach, similar to a drug cartel or a cyber-mafia," Bar Yosef says. "There is a hierarchy with employees that have a distinct role in the scheme -- the researcher looking for different ways to infect machines, the botnet farmer operating the bots, the botnet dealer renting the bots, and the actual 'consumer' who monetizes on the virtual goods received by the bot.

"In this scheme, these bots did more than just harvest user credentials -- they injected code into the user's browser so that the user thinks they have a legitimate connection with their bank. In fact, the user was actually engaging with the Trojan.

"Banks need to step up their security measures -- instead of being reactionary after the fact, try to be proactive by guessing the next steps of the hackers," Bar-Yosef advises. "The banks can [use] the uncovering of this Zeus [exploit] to learn more about how these gangs work. They can see how the attack code was adapted over time and analyze the modification of methods, which can help them anticipate the next move hackers are likely going to make."

Alex Cox, principal analyst with NetWitness, says the arrests probably will not discourage similar types of attacks in the future.

"The belief is that this group was one of the premier Zeus operators in the underground -- few have been as successful operating at this level," Cox says. "Operators at this level tend to work under a high level of suspicion already, so I would expect this bust to make existing groups take notice and watch their tracks even more especially in the short term. But it's not likely to have any significant sustained effect -- the risk vs. rewards are still too great.

"The popularity and power of Zeus is that it offers a very low barrier to entry, with a high possibility of return. As such, the use of Zeus is prolific to the point that we see it in the vast majority of organizations who call us in to assess them -- either via infected hosts inside the corporate network, or being used to commit fraud via the business online portals.

"Infection mechanisms in this case were likely a combination of exploits -- phishing and second stage malware payload," Cox suggests. "This works, so there is no need to change it or do anything different."

"These arrests show that some of the criminal groups behind Zeus are doing a poor job in covering their tracks," says Mickey Boodaei, CEO of secure browsing service provider Trusteer. "The police did a great job in tracing down this group and gathering information that can facilitate their arrest. This is not a simple task.

"In a recent initiative by Trusteer and a few other organizations, we were able to actually penetrate the criminals' servers and gather a lot of evidence from them," Boodaei says. "This shows that criminals are vulnerable.

"By running more operations like this -- and by the banks and other organizations investing effort in tracing fraudsters and not just blocking their activities -- there is a good chance we can lower the volumes of attacks," Boodaei says. "Customers can take their banks' advice and implement fraud prevention tools that provide valuable capabilities to banks in detecting and blocking these threats."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights