Operation Trident: lessons from the takedown of ZeuS cyber robbers in UK, U.S.

Daily Mail arrest photo

The mercurial Russian virus writer, known as A-Z, creator of the ZeuS banking Trojan, remains elusive –  and very active.

LastWatchdog introduced the wider public to A-Z in this 2008 cover story. A-Z is likely in his mid- to late 20s. He remains dedicated to  protecting  and improving his masterwork creation.

Through  A-Z’s brainpower and dedication,  ZeuS  burns hot as ever as the  engine driving cyber robberies.

The stunning take down this week of a top-tier  ZueS gang, is providing revealing insight into the inner workings of ZeuS-enabled bank robberies.

One revelation: stolen personal data is becoming increasingly  valuable on multiple levels, helping organized cybercrime gangs execute elaborate, lucrative cyberheists on a grand scale. Many of the victims — in particular,  small organizations  — may not get made whole.

Arrests on both sides of the Atlantic

In what the FBI is calling Operation Trident, U.S. authorities on Thursday charged 37 Russians and Eastern Europeans who allegedly opened U.S. bank accounts expressly to receive cash transferred from hacked online banking accounts.

On Wednesday, British authorities charged 11 Eastern Europeans with running the front end of that scam. Those suspects are alleged to have infected thousands of computers with the ZeuS banking trojan, a malicious program designed to tap into online banking accounts and make surreptitious cash transfers to accounts like the ones set up in the U.S.

Authorities have documented $9.5 million stolen from UK banks and $3 million from U.S. banks. Dozens of suspects have been arrested on both sides of the Atlantic. More charges and arrests are expected, and as much as $30 million may have been stolen, according the Daily Mail.

The crack down was “part of a sweeping and corrdinated effort to combat the 21st century’s variation on traditional bank robbery,” says Preet Bharara, US Attorney for southern New York.

Anatomy of a cyber robbery

According to U.S. complaints unsealed Thursday, 30 Sept. 2010, in Manhattan federal court, the cyber-attacks began in Eastern Europe, with the spreading of the ZeuS Trojan, via “apparently-benign email to … small businesses and municipalities in the United States.”

An excerpt from the U.S.  complaint:

Once the email was opened, the malware embedded itself in the victims’computers, and recorded their keystrokes – including their account numbers, passwords, and other vital security codes – as they logged into their bank accounts online.

The hackers responsible for the malware then used the stolen accountinformation to take over the victims’ bank accounts, and madeunauthorized transfers of thousands of dollars at a time to receiving accounts controlled by the co-conspirators.

These receiving accounts were set up by a money mule organization responsible for retrieving the proceeds of themalware attacks and transporting or transferring the stolen moneyoverseas. To carry out the scheme, the money mule organization recruited individuals who had entered the United States on student visas, providing them with fake foreign passports, and instructing them to open false-name accounts at U.S. banks.

Once these false-name accounts were successfully opened and receivedthe stolen funds from the accounts compromised by the malwareattacks, the “mules” were instructed to transfer the proceeds toother accounts, most of which were overseas, or to withdraw theproceeds and transport them overseas as smuggled bulk cash.

The defendants charged in Manhattan federal court included managers of and recruiters for the money mule operation, and specialist in obtaining fake passports and rank-and-file money mules.

Jackson

The gang was among the top 10 groups that regularly rob from online banking accounts using the ZeuS banking Trojan, says Don Jackson, director of threat intelligence at tech forensics firm SecureWorks.

This gang specialized in sending infectious e-mail messages to finance personnel at small businesses, local governments, school districts, churches and non-profits, says cybersecurity blogger Brian Krebs, of krebsonsecurity.com.

ZeuS takes over control of the victim’s web browser and begins collecting online banking account logons, as the victim types them.   “One or two people with technical knowledge usually will take care of spreading the Trojan and collecting the credential details,” says Catalin Cosoi, research director at antivirus firm BitDefender. “Most often, because they’re set up this way,  only the money mules get caught.”

Once the victim/employee begins executing an online banking transaction on behalf of his or her employer, ZeuS invisibly also executes a fraudulent wire transfer, usually for $10,000 or less. The funds go to the bank accounts set up by accomplices known as “mules.” The mules then withdraw the cash and wire the loot, minus a commission, to the ring leaders.

Small organizations are a favorite target, as LastWatchdog disclosed in this cover story, because they routinely do multiple daily wire transfers. What’s more the banking industry continues to use decades-old banking technologies — Automated Clearing House (ACH) transfers and wire transfers — that are easy for ZeuS to crack.

Banks  could do more

Bar Yosef

The banking industry insists it is doing all it can to keep online banking safe, and has asked consumers and small businesses to take on the burden of protecting their online accounts, as LastWatchdog revealed in this Page 1A story.

But banks could do more, says Noa Bar Yosef, security strategist at security firm Imperva.

“Banks defense mechanism rely on authentication (credentials) and also cross-referencing with other identification information from the user,” says Bar Josef. “But the user’s browser is actually under the control of the ZeuS botnet. The user imagines that her browser is interacting with the bank, but in fact ZeuS is interacting with the bank.”

Bar Josef calls on banks to “beef us their defense mechanism to handle such methods – to begin with, to recognize the user’s browser is actually Trojan-generated.”

Cox

Alex Cox, principal analyst at NetWitness, agrees there is much more the banking industry could do to mitigate cyberrobberies. A starting point would be to develop a strategy to actively track active robbery gangs. And they should promote wider use of text messages, cell phone calls and other “out of band” authentication technologies as a requirement to use online banking.

“U.S. based banks have historically lagged behind European banks as far as online banking safeguards go,” says Cox.

Kudos for law enforcement

There remain perhaps two dozen cyber gangs in control of sophisticated an estimated 160 ZeuS command servers live on the Internet today, says Jackson, who has closely tracked ZeuS for several years. Each command server can control tens of thousands of infected computers.

The coordinated arrests in the UK and U.S. probably won’t deter the elite ZeuS gangs, but novices may be discouraged by the threat of going to jail. “There was a lot of remarkable bi-lateral cooperation on the part of law enforcement and prosecutors, the best I’ve ever seen,” says Jackson. “It’s an exciting time to be on the good guys side, when it comes to ZeuS.”

By Byron Acohido