Russian authorities have apprehended the person believed to be behind a banking trojan botnet responsible for stealing around $4.5 million from unsuspecting victims.
The 22-year-old Russian man is accused of using modified versions of the Carberp banking trojan to steal login details and digital signatures from compromised computers, according to a statement Friday from the Russian Interior Ministry. Authorities from “K,” the agency's anti-cyber crime division, apprehended the man at his home and confiscated computers, software and documents after a 10-month-long investigation. The suspect used the online handles “Hermes” and “Arashi,” according to the statement.
The botnet, composed primarily of infected systems in Russia, is among the largest banking-trojan networks detected to date anywhere in the world. While the ministry has pegged the botnet at about six million compromised machines, analysis by Russian security firm Dr. Web indicates that about 4.5 million were actually active. The botnet was responsible for one million malicious mail messages being sent out daily, and as many as 100,000 new zombies were being created each day.
“The young man was not only developing bot networks and massively distributing malicious programs, but also personally took part in stealing funds from accounts of individuals and legal entities,” according to the statement.
The infection pattern was standard for this type of operation. Users were infected after opening malicious email messages and downloading malicious software, called “Client-Bank,” according to the statement. Once compromised, the computer harvested login credentials for various services and transmitted them to the attacker. Because the credentials were being entered into a fake phishing site rather than the actual financial sites, the attacker had the information necessary to transfer large amounts of money from victim bank accounts to accounts under his control.
Once cyber criminals have the stolen money in their accounts, the next step is to convert it to cash, Stefan Tanase, senior security researcher at Kaspersky Lab, told SCMagazine.com. Hermes had a number of shell companies to help him move the stolen funds around.
Hermes and his network of "money mules" – primarily based in Moscow and St. Petersburg – withdrew the stolen money from ATMs, often long before victims knew what was happening, said Tanase.
Hermes used the stolen assets to fund an extravagant lifestyle, including a "luxurious house in one of the resorts in Russia and expensive premium-class foreign cars," authorities said. The money was also being invested back into legitimate enterprises as part of a money-laundering operation.
Like its competitors Zeus and SpyEye, Carberp is available in the underground market. It is a popular choice for cyber criminals interested in going after bank accounts.
However, unlike Zeus and SpyEye, which let anyone customize the code to create their own variants, the gang that originally developed Carberp has retained control over the source code, Vitaly Kamluk, chief malware expert of Kaspersky Lab's global research and analysis team, told SCMagazine.com. Carberp is a commercial trojan, and crooks can specify its customizations before paying for it, Kamluk said.
Law enforcement has recently taken down several criminal rings that relied on Carberp. Russian police arrested six people in June and eight in March for Carberp-related online banking fraud activities.
This article originally appeared at scmagazineus.com