News broke this week of the Gameover Zeus (GOZ) and Cryptolocker malware rackets which have, conservatively, defrauded computer users of over $100 million.
Victims include the materials company in Pennsylvania which lost $198,000 in a wire transfer fraud, the North American Indian tribe which lost $277,000, the Florida bank which was ripped off for $7 million and the pest control company in North Carolina hit for $80,000.
But there are victims in many countries besides the US. In the UK, the National Crime Agency reckons the computers of more than 15,000 people here are already infected, at risk of losing millions of pounds.
The man behind the scam
The examples above are American because the United States Department of Justice (DoJ) is going after the man they allege to be the principal perpetrator of what is probably the biggest ever computer hacking rip-off.
In court filings, the DoJ has named Evgeniy Mikhailovich Bogachev, from Anapa (a Russian Black Sea tourist resort) as the operation's mastermind. The shaven-headed 30-year-old is also known as Slavik, Lucky 12345 and Pollingsoon.
How Gameover Zeus works
GOZ is a malicious piece of software which infiltrates the victim's computer unseen, turning the machine into part of a botnet, a network of infected computers all controlled, in this case, by Bogachev. Some computers in the network are called “proxy nodes”: these relay commands to the others. There is also a “domain generation algorithm” which creates a large and constantly changing list of internet domain names, making the network's command channel hard to track and block.
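To show how the domain generation algorithm cuts both ways, here is an added example (not code from the article or from GOZ itself): a hypothetical date-seeded DGA, `toy_dga`, standing in for the real one, plus a defender-side check, `flag_dga_like`, that precomputes the day's candidate domains for sinkholing and scans constructed resolver log lines for clients that query them or churn through random-looking names that fail to resolve. The log format, thresholds and sample data are all assumptions made for the example.

```python
import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ("com", "net", "org")

def toy_dga(seed_day, count=5):
    """Hypothetical date-seeded DGA (not GOZ's real algorithm): every bot derives
    the same candidate domains from the date, so a defender who has reverse
    engineered the scheme can precompute and sinkhole them in advance."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])  # hex -> a..p
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def shannon_entropy(label):
    """Bits per character: dictionary-word labels score low, DGA labels high."""
    n = len(label)
    return -sum(k / n * math.log2(k / n) for k in Counter(label).values())

def flag_dga_like(dns_log_lines, known_today, min_entropy=3.0, min_nx=3):
    """Scan resolver log lines '<client> <qname> <rcode>' and flag a client that
    queries a precomputed candidate domain, or that gets >= min_nx NXDOMAIN
    answers for high-entropy labels (a bot walking its list for a live node)."""
    nx_per_client = Counter()
    flagged = set()
    for line in dns_log_lines:
        client, qname, rcode = line.split()
        if qname in known_today:
            flagged.add(client)
        if rcode == "NXDOMAIN" and shannon_entropy(qname.split(".")[0]) >= min_entropy:
            nx_per_client[client] += 1
    flagged.update(c for c, n in nx_per_client.items() if n >= min_nx)
    return flagged

if __name__ == "__main__":
    # Constructed sample log: one client hits a precomputed domain, another
    # churns through random-looking names that do not resolve.
    candidates = set(toy_dga(date(2014, 6, 3)))
    sample_log = [
        f"10.0.0.5 {sorted(candidates)[0]} NOERROR",
        "10.0.0.7 www.example.com NOERROR",
        "10.0.0.9 xkq7vmz3pl9w.net NXDOMAIN",
        "10.0.0.9 zr4tq8mbnv2c.com NXDOMAIN",
        "10.0.0.9 h7gk2qwpd9xs.org NXDOMAIN",
    ]
    print(sorted(flag_dga_like(sample_log, candidates)))  # ['10.0.0.5', '10.0.0.9']
```

Because every bot derives the same list from the date, the same precomputation that lets defenders sinkhole the day's domains also explains why the command channel is hard to block one name at a time.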
GOZ intercepts sensitive details you send to and receive from your bank or other financial institution. It can then impersonate the account's real owner. This is known as the “man in the middle” tactic. But GOZ has a further clever feature. It can inject extra content into a real site. So it would appear that your bank, on what seems to be its legitimate site, is asking for your date of birth, social security number or credit card details as well as your password.
Victims give this sensitive information because they are not aware their bank site has been compromised.
Armed with this information, the DoJ says in its allegation of bank fraud, the criminals could loot accounts at will. And they did.
But organising a fraud of this size needs seed capital and day-to-day running expenses, money to set up the racket and keep the criminals on the staff happy. This involved, according to the DoJ, GOZ itself sometimes downloading Cryptolocker onto infected machines, a nasty piece of software which falsely informs victims that their computer will be rendered useless unless they pay around $750 (£450) within 72 hours.
It's pure extortion. Cryptolocker has infected 230,000 machines, of which 120,000 are in the United States.
FBI Special Agent James Craig has also published details of the UK operation. In court filings he names Yevhen Kulibaba, currently in jail, as the arranger of the “money mules” and the person in charge of the money laundering operation. His sidekick Yuriy Konovalenko is also locked up.
When will the scam strike again?
The good news is that law enforcement agencies have disabled the “command and control” servers spreading the viruses in the network.
The bad news is that no one knows how long it will be before the large numbers in the gang who remain outside custody get their act together and restore their scam using code that is even harder to crack. This could be as little as a fortnight or as long as three months.
Computer security expert Graham Cluley says: “The great news today is that the authorities, working with ISPs and members of the computer security industry, have seized control of a large amount of the internet infrastructure being used by the GameOver Zeus and CryptoLocker threats. Unfortunately, if your computer has been compromised by GameOver Zeus you won’t be able to tell with the naked eye. You need good security software to clean up your infection, and remove affected computers from the internet until they are safe to reconnect.”
If your computer has been compromised, you should be contacted by your Internet Service Provider. You should also run the most powerful anti-malware software you can lay your hands on!