Archive for the ‘Ironkey News’ Category

Thoughts on the UK Arrest of 19 Online Banking Cyber Criminals

Thursday, September 30th, 2010

Yesterday the UK Met Police arrested 19 people who are suspected of being engaged in online theft from bank accounts using the Zeus banking trojan. These people are thought to have stolen between 6 million and 30 million pounds this year.

The group purchased sophisticated crimeware, called Zeus, in online cybercrime forums. They used it to infect the computers of thousands of online banking users in the United Kingdom. The malicious software allowed them to harvest usernames, passwords, and other personal information. They used that information to log into the online accounts of these victims, and fraudulently transfer money from their accounts.

Because the suspects are located in the UK, it makes me wonder if these are actually the perpetrators of the crimes, or if in fact they were money mules: people who accept fraudulent funds transfers and then withdraw the funds, and send it to the real criminals overseas in return for a cut of the proceeds. Time will tell, as the case winds through the courts.

The defendants include Yuriy Korovalenko, 28, of Ukraine; Yevhen Kulibaba, 32, of Ukraine; Aleksander Kusner, 27, of Estonia; Roman Zenyk, 29, of Ukraine; Eduard Babaryka, 26, of Belarus; Valerij Milka, 29, of Ukraine; Iryna Prakochyk, 23, of Ukraine; Ivars Poikans, 29, of Latvia; Kaspars Cliematnieks, 24, of Latvia; and Karina Kostromina, 33, from Latvia. All have been denied bail, as they are considered flight risks.

In the USA, we have seen a marked increase in the targeting of small and medium-sized businesses, government agencies and charities by cyber criminals. They have figured out that it’s easier to steal $500,000 from one small business than to steal $500 from each of 1,000 consumer online bank accounts.

Today the US Department of Justice announced that it has made several arrests this week in conjunction with Zeus botnets as well.

Online Bank Theft – Police Arrest 19 People in the UK

Wednesday, September 29th, 2010

PROTECT YOURSELF: Police warn users to check that their home computers are secure

Nineteen people suspected of stealing millions from online bank accounts have been arrested by police as detectives from the Metropolitan Police Central e-Crime Unit raided a string of addresses across London on Monday.

The suspects are alleged to be part of a gang that has stolen at least £6m in the past three months using a Trojan programme called “ZeuS”.

A Trojan is “Malware” that can appear as an ordinary application which is innocently or unintentionally downloaded and installed by a computer user. Once installed, it secretly gathers information from the infected computer and passes it back to its creator.

Detectives said that the gang had harvested log-in details for accounts held at a range of major banks. Once the gang had the personal details, they transferred cash into accounts set up solely to gather the money before it was laundered onwards.

Detectives are questioning them on suspicion of fraud, money laundering and offences under the Computer Misuse Act.

International plot

Detectives say that many thousands of computers are suspected to have been targeted by the gang and said that it was likely that the amount known to have been stolen would “increase considerably” as the investigation continues.

Detective Chief Inspector Terry Wilson of the Metropolitan Police said “We believe we have disrupted a highly organised criminal network, which has used sophisticated methods to siphon large amounts of cash from many innocent people’s accounts, causing immense personal anxiety and significant financial harm.”

“Online banking customers must make sure their security systems are up to date and be alert to any unusual or additional security features requested which is at variance with their normal log-on experience.”

“Greater public awareness and education will make it harder for personal details to be compromised and for this type of fraud to be carried out.”

Last year, £59.7M was lost to online banking fraud, according to Financial Fraud Action UK; another £440M was lost to credit card fraud.

US Feds Want Increased Ability To Spy On Online Activities

Tuesday, September 28th, 2010

The New York Times has published an article that discusses upcoming proposed legislation, driven by FBI requirements, to require Internet service providers to be able to provide access to communications and Web surfing traffic on the Internet, even if it is encrypted. This would require fundamental re-architecting of many secure communications systems.

While I do understand that criminals and terrorists are increasingly using Internet technologies for communications, I question the feasibility of this rumored legislation. Forcing companies to re-architect encryption systems seems untenable to me. It also brings about challenges of key management, key escrow, etc.

This reminds me of the days, 15 years ago, when the US Government proposed the Clipper chip: a back-doored encryption chip that they wanted to require telecommunications companies to use for encrypting voice communications, while giving law enforcement a back door to tap into any communication. Fortunately that project died amid public outcry and pressure from the industry.

It looks like we are in for some pretty heated debate. Frankly, how would the new back doors even be verified? Only the largest service providers could really be audited for compliance.

I also know that this would have the same effect that we saw when encryption software had strict export controls back in the 1990s. At that time, encryption innovation moved offshore. We saw the development of OpenSSL and the SSLeay toolkit in Australia. I remember when RSA purchased the rights and hired the developers, so that they could have strong crypto products available outside the USA. Eventually the Department of Commerce and NSA saw the writing on the wall, and eased the export controls.

We would probably face a similar phenomenon now. Users would migrate to services that were hosted offshore, and to products from foreign countries, to avoid the back doors.

Zeus Mobile Phone Malware Defeats Bank 2-Factor Authentication

Monday, September 27th, 2010

David Barroso, of S21sec, has posted a series of blog entries detailing a scary new evolution in online banking crime. Readers of my blog have heard about the Zeus family of banking trojan malware that allows cyber criminals to break into corporate online banking sites through a user’s own computer.

Some banks, in an effort to defeat such malicious crimeware, will send a user an SMS text message on their mobile phone when they log into the bank. The user must then type in that secret code when they log in. This effectively stops criminals from being able to log into a user’s online bank account, because they don’t physically possess the user’s mobile phone, so they do not know the secret code that the bank sends.

It appears now that the criminals have developed malicious software for various mobile smart phones that can capture these banking text messages and forward them to the criminals, so that they can in fact log into the user’s bank account.

In his blog posting, David describes analyzing one such piece of mobile phone malware, which was designed for Symbian phones.

He calls this attack, “Man-in-the-mobile”.
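To make the mechanism concrete from the bank's side, here is a constructed model of an SMS one-time-code check. It is an added example, not code from S21sec, David Barroso or any bank; the class name, the session ids, the payee names and the clock values are all assumptions made for the illustration. It contrasts the naive check the post describes (whoever types the six digits is accepted, so a forwarded SMS is as good as the phone) with a check that binds the code to the session that requested it, to its purpose, and to the transaction details, and that is single-use, short-lived and locks after a few wrong attempts.

```python
"""Constructed bank-side SMS one-time-code service (added example, not a real bank's code)."""

import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Challenge:
    session_id: str          # browser session that asked for the code
    purpose: str             # "login" or "transfer"
    payee: Optional[str]     # transfer details the code commits to (None for login)
    amount: Optional[int]
    issued_at: float
    failures: int = 0        # wrong-context attempts seen for this code


class BankOtpService:
    """bind_context=False: any session presenting the digits is accepted (the naive check).
    bind_context=True: code is tied to session, purpose and transaction; single-use,
    short-lived, and discarded after max_failures mismatches."""

    def __init__(self, ttl_seconds: int = 120, bind_context: bool = True, max_failures: int = 3):
        self.ttl = ttl_seconds
        self.bind_context = bind_context
        self.max_failures = max_failures
        self._pending: Dict[str, Challenge] = {}

    def issue(self, session_id: str, purpose: str, payee: Optional[str] = None,
              amount: Optional[int] = None, now: Optional[float] = None) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[code] = Challenge(session_id, purpose, payee, amount,
                                        time.time() if now is None else now)
        return code  # in production this string is the body of the SMS

    def verify(self, code: str, session_id: str, purpose: str, payee: Optional[str] = None,
               amount: Optional[int] = None, now: Optional[float] = None) -> bool:
        ch = self._pending.get(code)
        if ch is None:
            return False
        now = time.time() if now is None else now
        if now - ch.issued_at > self.ttl:        # stale code: drop it
            del self._pending[code]
            return False
        context_ok = (not self.bind_context) or (
            (ch.session_id, ch.purpose, ch.payee, ch.amount) == (session_id, purpose, payee, amount))
        if not context_ok:
            ch.failures += 1
            if ch.failures >= self.max_failures:  # stop guessing of the bound context
                del self._pending[code]
            return False
        del self._pending[code]                  # single use on success
        return True


T0 = 1_700_000_000.0  # constructed clock value


def forwarded_code_scenario(bind_context: bool) -> Dict[str, bool]:
    """Victim requests a transfer; mobile malware forwards the SMS; the attacker presents
    the code from their own session for a different payee and amount."""
    bank = BankOtpService(bind_context=bind_context)
    code = bank.issue("victim-session", "transfer", payee="ELECTRICITY-CO", amount=120, now=T0)
    attacker = bank.verify(code, "attacker-session", "transfer",
                           payee="MULE-ACCOUNT", amount=4800, now=T0 + 30)
    victim = bank.verify(code, "victim-session", "transfer",
                         payee="ELECTRICITY-CO", amount=120, now=T0 + 45)
    return {"attacker_accepted": attacker, "victim_accepted": victim}


def login_code_scenario(bind_context: bool) -> bool:
    """The login case in the post: code texted at login, then tried from another session."""
    bank = BankOtpService(bind_context=bind_context)
    code = bank.issue("victim-session", "login", now=T0)
    return bank.verify(code, "attacker-session", "login", now=T0 + 10)


def stale_code_rejected() -> bool:
    bank = BankOtpService()
    code = bank.issue("victim-session", "login", now=T0)
    return not bank.verify(code, "victim-session", "login", now=T0 + 121)


def guessing_locks_out() -> bool:
    """Three wrong-context attempts invalidate the code even for the legitimate session."""
    bank = BankOtpService()
    code = bank.issue("victim-session", "transfer", payee="ELECTRICITY-CO", amount=120, now=T0)
    for guess in ("A", "B", "C"):
        bank.verify(code, "attacker-session", "transfer", payee=guess, amount=1, now=T0 + 5)
    return not bank.verify(code, "victim-session", "transfer",
                           payee="ELECTRICITY-CO", amount=120, now=T0 + 6)


if __name__ == "__main__":
    print("naive check :", forwarded_code_scenario(bind_context=False))
    print("bound check :", forwarded_code_scenario(bind_context=True))
```

The caveat a practitioner should keep in mind: session binding only helps against the case the post describes, where the criminals log in from their own machine with the forwarded code. If Zeus on the PC is driving the victim's own browser session as well, the request and the code come from the same session, and the only thing left for the code to commit to is the transaction text shown in the SMS, which protects the user only if they read it on a phone that is not itself infected.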

Evercookie – Wickedly Persistent Online Tracking of Users – Anti-Privacy

Wednesday, September 22nd, 2010

I just looked into Evercookie. It’s very cool if you are someone that wants to track users online. It’s very scary if you are an average Internet user, and want to control which websites and advertisers are tracking you. Evercookie is innovative technology that gives websites and advertising networks many new ways to track a user’s visits all over the Internet.

About 50 million people use technology tools to reduce the ways that websites, advertisers and criminals can track them on the Internet (cookie deletion, cookie blockers, etc). Evercookie invents new ways for trackers to create persistent tracking identities that defeat cookie deletion tools. The Evercookie system is well thought out. It can restore cookies, it can copy cookie data between Flash and multiple browsers, and (my favorite) it can store tracking information in cached images (basically a form of steganography), as well as posting cookies to Google, where they are forever tracked.

This shows the innovation that is possible in cracking user privacy on the Internet. Clearly a new generation of tools is needed to allow users to manage their information and privacy on the Internet.
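The defensive counterpart to what the post describes is to look for the same identifier replicated across several client-side stores, because any copy that survives cookie deletion can be written back as a cookie. The following is an added example, not code from the Evercookie project: a small detector run over a constructed snapshot of one site's client-side state. The store names, the snapshot layout and the identifier are assumptions made for the illustration, and the cached-image store is modelled simply as pixel bytes that spell out the id.

```python
"""Constructed detector for evercookie-style identifier respawning (added example)."""

import json
from typing import Dict, List
from urllib.parse import unquote

MIN_ID_LEN = 8  # ignore short values such as theme=dark that cannot carry a tracking id


def cookie_values(header: str) -> Dict[str, str]:
    """Parse a document.cookie string ('a=1; b=2') into a name -> value map."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = unquote(value)
    return out


def pixel_string(pixels: bytes) -> str:
    """Recover text from a cached image whose pixel bytes spell the id (a zero byte ends it)."""
    return pixels.split(b"\x00", 1)[0].decode("ascii", errors="ignore")


def find_respawn_sources(snapshot: dict) -> Dict[str, List[str]]:
    """Return identifiers present in two or more stores, with the stores they live in."""
    seen: Dict[str, set] = {}

    def note(store: str, value) -> None:
        if isinstance(value, str) and len(value) >= MIN_ID_LEN:
            seen.setdefault(value, set()).add(store)

    for value in cookie_values(snapshot.get("cookie", "")).values():
        note("cookie", value)
    for store in ("localStorage", "sessionStorage", "flash_lso"):
        for value in snapshot.get(store, {}).values():
            note(store, value)
    # window.name often carries JSON; look at its fields as well as the raw string
    name = snapshot.get("window_name", "")
    note("window.name", name)
    try:
        for value in json.loads(name).values():
            note("window.name", value)
    except (ValueError, AttributeError):
        pass
    note("etag", snapshot.get("etag", ""))
    note("png-cache", pixel_string(snapshot.get("png_cache", b"")))
    return {v: sorted(stores) for v, stores in seen.items() if len(stores) >= 2}


def stores_to_clear(snapshot: dict) -> List[str]:
    """Stores other than the cookie jar that must also be wiped to really forget the id."""
    extra = set()
    for stores in find_respawn_sources(snapshot).values():
        extra.update(s for s in stores if s != "cookie")
    return sorted(extra)


# Constructed snapshot of one site's client-side state after an evercookie-style set.
SAMPLE_SNAPSHOT = {
    "cookie": "theme=dark; evercookie_uid=9f3a27d1e4b8c05; session=%38%38",
    "localStorage": {"evercookie_uid": "9f3a27d1e4b8c05", "lang": "en"},
    "sessionStorage": {"cart": "empty"},
    "flash_lso": {"evercookie_uid": "9f3a27d1e4b8c05"},
    "window_name": json.dumps({"evercookie_uid": "9f3a27d1e4b8c05"}),
    "etag": "9f3a27d1e4b8c05",
    "png_cache": b"9f3a27d1e4b8c05\x00\x00\x00",
}

if __name__ == "__main__":
    print(find_respawn_sources(SAMPLE_SNAPSHOT))
    print("also clear:", stores_to_clear(SAMPLE_SNAPSHOT))
```

The point of `stores_to_clear` is the one the post makes: deleting cookies alone leaves the id in Flash, DOM storage, `window.name`, the ETag cache and the image cache, and the tracker only needs one of them to restore the rest.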

Cyber Thieves Spoof A Company’s Identity to Recruit Mules for Online Money Laundering

Wednesday, September 22nd, 2010

Winter Garden Corp has discovered that cyber thieves have used their company name, logo and identity information (location, phone number, tax id) to create fake companies and recruit unwitting people to be employed by a fake company, with the goal being to move money that was stolen from online bank accounts.

Over the last several months I’ve come to the conclusion, as have a number of my colleagues in the security industry, that the real limitation on online fraud is not the number of consumers who fall for phishing attacks, or the number of corporate laptops that are infected with invisible banking malware like Zeus. Instead, the real limitation is the number of so-called money mules. Mules are people who think they are working for a real company, and whose job it is to move money from bank accounts into Western Union, PayPal, etc.

When cyber thieves get access to a consumer’s or company’s bank account online, by stealing their username and password or by infecting their computer with invisible malware like the Zeus trojan, they need somewhere to transfer the money. They do not want to transfer the funds directly to their own bank accounts, in order to avoid detection and prosecution by the police. Instead, they recruit mules to act as middlemen. This makes detection by law enforcement extremely difficult.

It is very interesting to see that companies are seeing their own “identities” being spoofed in order to create realistic covers to recruit more unwitting mules. This is very interesting given the recent news that the chief of Interpol had his identity spoofed.

The Head of Interpol Had His Identity Spoofed On The Internet

Tuesday, September 21st, 2010

Ronald Noble, the head of Interpol, the international police organization, has announced that he had his identity stolen on the Internet. He made this announcement this week in Hong Kong at Interpol’s first cyber security conference.

“Cyber-crime is emerging as a very concrete threat. Considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face.”

It appears that what happened was that his identity was not actually “stolen”, rather it was spoofed.

Several accounts were set up on Facebook that purported to be Ronald Noble, but were not owned by him. The owners of those accounts then used that fake identity to send emails to various law enforcement agencies and others, in order to glean information about confidential investigations, notably Operation Infra Red.

This brings up some points of interest:
– why do law enforcement people think that a top Interpol manager would communicate with them over Facebook?
– OK, maybe I can see why they would, since there are many officials and executives who use Facebook
– I bet that Interpol has a policy against using Facebook
– But, they should be monitoring it and perhaps pre-emptively owning account names of senior executives

This last point really holds true for all companies and really for anyone. Even if you do not plan to use social networks, you might want to “own” your identity on those sites. If you do not, then someone can register an account in your name and start doing malicious activities.

California Man Gets 6 Years in Prison for Helping to Launder Money On The Internet

Saturday, September 18th, 2010

Cesar Carranza, 38, also known as “uBuyWeRush,” has been sentenced to 6 years in prison for conspiracy to launder money. He worked with the online criminal underground to provide them with machines that were used to create fake credit cards, using data that was phished or stolen from card processing databases such as in the TJX credit card breach.

Carranza met criminals on online forums such as CarderPlanet and Shadowcrew. He eventually grew his business to include assisting money mules in laundering money by moving it between various bank accounts and online payment services like e-Gold. He is accused of laundering $2.5 million.

Read the 2008 indictment here.