The Justice Department announced today it has taken part in a multinational effort, code-named “Operation Tovar,” to disrupt two cybercrime schemes responsible for more than $100 million in losses to businesses and consumers around the world.
Working with European law enforcement agencies, including Europol, DOJ authorized the FBI to seize control of servers that ran the GameOver Zeus botnet, a network of compromised computers responsible for spreading malware designed specifically to steal banking and other credentials from the computers it infects. Predominantly spread through spam e-mail or phishing messages, the GameOver Zeus malware uses those credentials to initiate or redirect wire transfers to accounts overseas controlled by the criminals.
DOJ also announced the unsealing of criminal charges in Pittsburgh and Omaha against alleged botnet administrator Evgeniy Mikhailovich Bogachev of Anapa, Russian Federation. Bogachev was added to the FBI’s Cyber’s Most Wanted list and identified in court documents as the leader of a gang of cyber criminals based in Russia and Ukraine responsible for the development and operation of GameOver Zeus, as well as CryptoLocker, a type of ransomware that encrypts victims’ computer files and demands a fee in return for unlocking them. Computers infected with CryptoLocker are also often infected with GameOver Zeus.
“GameOver Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt,” said FBI Executive Assistant Director Robert Anderson. “The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement, and within the U.S. government.”
Unlike earlier Zeus variants, GameOver has a decentralized, peer-to-peer command and control infrastructure: instructions to the infected computers can arrive from any other infected computer rather than from a fixed set of command servers that could simply be seized, which makes a takedown of the botnet more difficult.
Analysis undertaken by McAfee Labs found that from January to May, Zeus, or Zbot, was the second most common piece of consumer and business malware detected, with CryptoLocker in ninth place for malware targeting consumers and eighth place for businesses.
“Gameover Zeus and CryptoLocker are two of the most prevalent pieces of malware, wreaking havoc and causing costly damage to those infected,” said Raj Samani, chief technology officer for Europe, Middle East and Africa at McAfee, part of Intel Security. “Disrupting the criminal infrastructure behind Gameover Zeus and CryptoLocker provides a rare and limited opportunity for consumers to remove the malware and take back control of their digital lives.”
The U.S. obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to sever communications between the infected computers, redirecting these computers away from criminal servers to substitute servers under the government’s control. The orders authorize the FBI to identify the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to Computer Emergency Readiness Teams around the world, as well as to Internet service providers and other private sector entities who are able to assist victims in removing GameOver Zeus from their computers.
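The last step described above, turning the connection log of a substitute (sinkhole) server into per-notifier victim lists for CERTs and ISPs, is the kind of triage a responder actually scripts. The following is an added example and not code from the operation or from any agency involved; the log line format, the prefix-to-contact table (using RFC 5737 documentation ranges), the `goz-p2p` signature label and the destination port are all constructed for illustration.

```python
"""Sinkhole triage: collapse a substitute server's connection log into one record per
victim IP, then bucket victims by the party who can reach them (ISP abuse desk or CERT).
Everything below, including the log format and the owner table, is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of a sinkhole connection log (hypothetical format, not the real one).
SINKHOLE_LOG = """\
2014-06-02T10:01:05Z src=192.0.2.17:51523 proto=tcp dst_port=1234 sig=goz-p2p
2014-06-02T10:01:07Z src=192.0.2.17:51524 proto=tcp dst_port=1234 sig=goz-p2p
2014-06-02T10:02:11Z src=198.51.100.9:40022 proto=tcp dst_port=1234 sig=goz-p2p
2014-06-02T10:03:40Z src=203.0.113.77:33001 proto=udp dst_port=1234 sig=goz-p2p
2014-06-02T10:04:02Z src=203.0.113.200:33002 proto=tcp dst_port=1234 sig=goz-p2p
2014-06-02T10:04:30Z src=192.0.2.200:51700 proto=tcp dst_port=1234 sig=goz-p2p
2014-06-02T10:05:13Z src=192.0.2.250:51600 proto=tcp dst_port=1234 sig=other
2014-06-02T10:06:00Z src=198.18.0.5:40100 proto=tcp dst_port=1234 sig=goz-p2p
garbage line that does not parse
"""

# Constructed "who is responsible for this prefix" table. In practice this comes from
# RIR/WHOIS data or an ISP's own allocations; the longest matching prefix wins, so a
# customer block inside an ISP's range is routed to the customer's CERT, not the ISP.
PREFIX_OWNERS = [
    ("192.0.2.0/24", "isp-a-abuse@example.net"),
    ("192.0.2.128/25", "isp-a-enterprise-cert@example.net"),
    ("198.51.100.0/24", "isp-b-abuse@example.org"),
    ("203.0.113.0/24", "cert-c@example.com"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>[\d.]+):(?P<port>\d+) proto=\S+ dst_port=\d+ sig=(?P<sig>\S+)$"
)


@dataclass
class Victim:
    ip: str
    first_seen: str
    last_seen: str
    hits: int = 0


def parse_sinkhole_log(text, wanted_sig="goz-p2p"):
    """Collapse per-connection lines into one record per victim IP.

    Lines that do not parse are skipped rather than failing the batch, and only the
    signature the notification is about is kept (a sinkhole often catches more families)."""
    victims = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["sig"] != wanted_sig:
            continue
        v = victims.get(m["ip"])
        if v is None:
            victims[m["ip"]] = Victim(m["ip"], m["ts"], m["ts"], 1)
        else:
            v.last_seen = m["ts"]
            v.hits += 1
    return victims


def owner_for(ip, table=PREFIX_OWNERS):
    """Longest-prefix match against the owner table; None if nobody claims the address."""
    addr = ip_address(ip)
    best = None
    for cidr, contact in table:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_notifications(text, table=PREFIX_OWNERS):
    """Group deduplicated victims by the party who can reach them; unclaimed
    addresses land in an 'unassigned' bucket for manual WHOIS follow-up."""
    buckets = defaultdict(list)
    for v in parse_sinkhole_log(text).values():
        buckets[owner_for(v.ip, table) or "unassigned"].append(v)
    for recs in buckets.values():
        recs.sort(key=lambda r: ip_address(r.ip))
    return dict(buckets)


if __name__ == "__main__":
    for contact, recs in sorted(build_notifications(SINKHOLE_LOG).items()):
        print(contact)
        for r in recs:
            print(f"  {r.ip:<16} hits={r.hits} first={r.first_seen} last={r.last_seen}")
```

Deduplicating by source IP before notification matters because a P2P bot retries its peer list constantly, so raw connection counts overstate the victim population; the `hits` and `last_seen` fields are kept so a notifier can tell a still-infected host from one that was cleaned after a single beacon. Note that the `sig=other` host is deliberately left out: a sinkhole order covers a named botnet, and a responder should not report hosts for a family the order does not name.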
There have been more than 121,000 victims of the CryptoLocker ransomware scheme in the United States and 234,000 victims worldwide, according to the FBI. Victims reportedly paid nearly $30 million in ransom between September and December 2013.
The takedown operation, which began last week, involves law enforcement agencies from 10 countries disrupting more than 1 million known GameOver Zeus (GOZ) infections globally, 25 percent of which are located in the U.S.
How the scheme works
A victim of GOZ receives an email purportedly from the National Automated Clearing House Association, the Federal Reserve Bank or the Federal Deposit Insurance Corporation stating there’s been a problem with a recent ACH transaction or bank account transaction.
The sender includes a link in the email that claims it will help resolve the problem. When the user clicks on the link, it takes them to a phony website that infects their computer with the GameOver malware. After the perpetrators access the victim’s account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site.
According to the FBI, recent investigations have shown some of the funds stolen from bank accounts go towards the purchase of precious stones and expensive watches from high-end jewelry stores. The criminals contact these jewelry stores, tell them what they’d like to buy and promise they will wire the money. The next day, a person involved in the money laundering aspect of the crime—called a “money mule”—comes into the store to pick up the merchandise. After verifying the money is in the store’s account, the jewelry is turned over to the mule, who then gives the items to the organizers of the scheme or converts them to cash and uses money transfer services to launder the funds.
“Increasingly, as part of this scheme, we see a rising number of unsuspecting mules hired via ‘work-at-home’ advertisements who end up laundering some of the funds stolen from bank accounts,” the FBI said in a statement. “The criminals email prospective candidates claiming to have seen their résumés on job websites and offer them a job. The hired employees are provided long and seemingly legitimate work contracts and actual websites to log into. They’re instructed to either open a bank account or use their own bank account in order to receive funds via wire and ACH transactions from numerous banks…and then use money remitting services to send the money overseas.”