Feds Disrupt Giant Online Crime Ring
PITTSBURGH (CN) - The United States sued a Russian hacking ring to try to stop it from using malicious software that has infected computers around the world, causing more than $100 million in losses and costing U.S. businesses millions of dollars.
The federal lawsuit, filed under seal on May 28, is part of a U.S.-led international operation to disrupt the crime ring and take control of the network of computers infected by malicious software (malware) known as Gameover Zeus.
The lead defendant, Evgeniy Mikhailovich Bogachev aka Slavik aka Pollingsoon, is the mastermind behind a Russian malware network that has infected hundreds of thousands of computers around the world since 2011, causing more than $100 million in losses, according to the complaint. His four co-defendants, listed only by their pseudonyms, are called Bogachev's co-conspirators in Russia and Ukraine.
U.S. officials said Bogachev was last known to be living in the Black Sea resort town of Anapa.
Bogachev and his helpers used malware known as "Gameover Zeus" (GOZ) and "Cryptolocker" to steal online banking and other sensitive information from infected computers they controlled remotely through a network known as a botnet. Cryptolocker, a form of ransomware, is used to encrypt key files on compromised computers and demand a ransom for returning the files to their users.
"The GOZ botnet has been used for, among other purposes, the commission of fraudulent financial activity," the complaint states. "The principal purpose of GOZ is to capture banking credentials from infected computers. One means by which GOZ accomplishes this is through 'man-in-the-middle' attacks, in which GOZ intercepts sensitive information victims transmit from their computers.
"To increase the effectiveness of such attacks, the defendants use GOZ to inject additional code into victims' web browsers that changes the appearance of the websites victims are viewing. For example, if a GOZ-infected user were to visit a banking website that typically requests only a username and password, the defendants could seamlessly inject additional form fields into the website displayed in the user's web browser that also request the user's social security number, credit card numbers, and other sensitive information. Because these additional fields appear to be part of the legitimate website users elected to visit, users are often defrauded into supplying the requested information, which is promptly intercepted by GOZ and transmitted to the defendants.
"The defendants use the intercepted credentials for fraudulent purposes, such as initiating or re-directing wire transfers from victims' accounts to accounts controlled by the GOZ organization overseas.
"Victims of the GOZ scheme to defraud and unauthorized interception include, among others:
"a. A composite materials company in the Western District of Pennsylvania, which lost more than $198,000 after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the defendants through the use of GOZ;
"b. An Indian tribe in Washington which lost more than $277,000 after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the defendants through the use of GOZ;
"c. A corporation operating assisted-living facilities in Eastern Pennsylvania, which lost more than $190,800 after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the defendants through the use of GOZ;
"d. A regional bank in Northern Florida, which lost nearly $7 million after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the defendants through the use of GOZ.
"Since GOZ first emerged in September 2011, total losses attributable to GOZ exceed $100 million."
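What the complaint describes is a "man-in-the-browser" web inject: the malware rewrites the bank's page inside the victim's browser before it is rendered, so the extra fields use the site's own markup and styling and look native. The following is an added illustration, not code from the complaint, the article, or the malware itself. The login page, the inject rule and the rule format are constructed stand-ins (the real Gameover Zeus configuration syntax is not reproduced here), and the server-side check at the end is one defensive heuristic, not something the complaint mentions.

```javascript
// Added illustration of a web inject: the malware rewrites the bank's login
// page inside the victim's browser so extra fields appear, then harvests what
// the victim types. The page and the rule format below are constructed for
// this example; they are not the real Gameover Zeus configuration syntax.

const LOGIN_PAGE = [
  '<form action="/login" method="post">',
  '  <label>Username</label><input name="user">',
  '  <label>Password</label><input name="pass" type="password">',
  '  <button type="submit">Sign in</button>',
  '</form>',
].join('\n');

// Hypothetical inject rule: when the URL matches, insert `inject` right after
// the first occurrence of `before`. The injected markup copies the page's own
// <label>/<input> structure, so it inherits the site's CSS and looks native.
const INJECT_RULE = {
  urlMatch: /^https:\/\/bank\.example\/login/,
  before: '<input name="pass" type="password">',
  inject:
    '\n  <label>Social Security number</label><input name="ssn">' +
    '\n  <label>Card number</label><input name="card">',
};

// Simulates the in-browser rewrite applied to the HTML about to be rendered.
// Returns the page unchanged when the URL or the anchor text does not match.
function applyInject(url, html, rule) {
  if (!rule.urlMatch.test(url)) return html;
  const idx = html.indexOf(rule.before);
  if (idx === -1) return html;
  const cut = idx + rule.before.length;
  return html.slice(0, cut) + rule.inject + html.slice(cut);
}

// Lists the field names a form would submit, in document order.
function formFields(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Server-side check the bank can run on the POST it actually receives: any
// parameter its own form never defined is a sign the page was tampered with.
function unexpectedFields(expectedFields, submittedParams) {
  const expected = new Set(expectedFields);
  return Object.keys(submittedParams).filter((k) => !expected.has(k));
}

// Usage: the victim's browser renders the tampered page and submits all fields.
const pageUrl = 'https://bank.example/login';
const tamperedPage = applyInject(pageUrl, LOGIN_PAGE, INJECT_RULE);
const victimPost = { user: 'alice', pass: 'hunter2', ssn: '123-45-6789', card: '4111111111111111' };
console.log('fields the victim sees:', formFields(tamperedPage));
console.log('fields the bank never asked for:', unexpectedFields(formFields(LOGIN_PAGE), victimPost));
```

Because the injected inputs sit inside the bank's own form, the browser sends them to the bank along with the real credentials, and the malware copies the same POST body to its operators. The bank's check above only helps in that case; an inject that posts the extra fields to a separate attacker-controlled endpoint never reaches the bank's server and has to be caught on the client or by device-integrity signals instead.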
Bogachev's ring used Cryptolocker to encrypt files on infected computers and demand payments for their release. Victims had no choice but to pay the ransom, which could reach $750, because the malware's encryption is virtually unbreakable, according to the complaint.
Cryptolocker, which emerged in mid-to-late 2013, has infected more than 230,000 computers, including more than 120,000 in the United States.
Victims of the Cryptolocker scheme include an insurance company in Pittsburgh, which lost $70,000 when the network encrypted its business files, and a police department in Massachusetts that paid a $750 ransom to have its investigative files released, according to the lawsuit.
The United States seeks an injunction against Bogachev's ring and authorization to continue its disruption of the malware.
The Gameover Zeus botnet is the largest yet disrupted that relied on a peer-to-peer command structure, in which thousands of infected computers could reinfect and update each other without contacting a central server, according to Dell expert Brett Stone-Gross, who assisted the FBI.
Authorities in nearly a dozen countries worked with private security companies to disrupt the crime ring. Intel Corp, Microsoft, security software companies F-Secure, Symantec Corp, and Trend Micro and Carnegie Mellon University supported the operation, according to Reuters.
"These schemes were highly sophisticated and immensely lucrative, and the cyber criminals did not make them easy to reach or disrupt," Assistant Attorney General Leslie Caldwell, who heads the Justice Department's criminal division, said at a news conference.
Attorneys for the United States did not respond to Courthouse News' request for comment.