Three Charged In Global Gozi Cybercrime Bust

A global effort involving police from the UK and the FBI saw three charged in an investigation into the running of banking malware believed to have infected at least one million machines.

The FBI said it believes the three men named in its indictment – Nikita Kuzmin, Mihai Paunescu and Deniss Calovskis – played key roles in the distribution of the Gozi Trojan, which resulted in the theft or loss of tens of millions of dollars.

Once it found its way onto a machine, Gozi pilfered bank account login data, before sending it back to the hackers’ servers. Gozi attackers were linked to threats of a mass Trojan assault on US banks, picked up by security firm RSA last November, in what would have been “the most substantial organized banking-Trojan operation” ever.

Where did it all Gozi wrong?

The arrests came after a two-and-a-half year investigation, which uncovered criminal activity going back to 2005. Russian national Kuzmin pleaded guilty to charges in 2010 and was convinced to cooperate with the investigation.

Kuzmin admitted developing and marketing Gozi, the FBI said, initially renting it out for a “substantial weekly fee”.

The source code of Gozi was eventually put up for sale in 2009 for around $50,000 per customer and the malware seller got a cut of whatever the buyers subsequently made from their illicit activities.

With the help of Kuzmin, officials arrested Paunescu in Romania in November last year, believing he ran the “bullet-proof” hosting service on which Gozi was being run. It is believed the infrastructure was also being used for the Zeus and SpyEye banking Trojans.

Calovskis, a Latvian trained programmer, is alleged to have developed the web injects designed to trick customers into handing over more data. He was arrested on US charges by Latvian authorities last month.

The investigation resulted in the seizure of 51 servers in Romania, as well as laptops, desktops and external hard drives – all of which contained a total of 250 terabytes of data ready for forensics.

“That vast pile of data is almost certain to aid criminal investigations in FBI offices around the country, as well as law enforcement agencies around the world,” said assistant director at the FBI George Venizelos.

“With that volume of potential evidence, plus the fact that the charging documents refer to numerous unnamed co-conspirators, it is more than standard boilerplate to say that this investigation is very much an on-going investigation.

“This investigation has been a true international team effort. We owe a debt of gratitude to law enforcement and intelligence authorities in Latvia, Romania, Moldova, the Netherlands, Germany, Finland, Switzerland, and the UK.”

According to security blogger Brian Krebs, the attackers managed to automate the process of sending stolen funds from compromised systems to money mules, who would either wittingly or unwittingly pass on the cash to the crooks without revealing the criminals’ identity. This automation was primarily used against banks in the UK, Krebs said.

The case, despite millions being stolen, has proven police can effectively collaborate on cyber investigations. “Co-operation between national law enforcement agencies is fundamental in combatting such crime, as this and other examples such as DarkMarket have shown,” Raj Samani, UK CTO of McAfee, told TechWeekEurope.

“With the recent launch of the European Cybercrime centre (EC3) and stronger public-private sector partnership, cybercriminals can no longer hope that a lack of collaboration serves as their defence from capture.”

Think you know security? Test yourself with our quiz!