Bank-raiding Gozi malware – three men charged in New York

If you don’t live in North America, you’re probably not used to US-style book and article titles.

Over there, headlines are traditionally written With Every Word Capitalised, and, as a result, some of them fairly shout at you for attention.

Like this one from the US Department of Justice:

Three Alleged International Cyber Criminals Responsible For Creating And Distributing Virus That Infected Over One Million Computers And Caused Tens Of Millions Of Dollars In Losses Charged In Manhattan Federal Court

The DoJ has provided a handy landing page for the five charging documents filed in New York yesterday.

I’d recommend having a look through these files yourself (or at least the ones labelled Information or Indictment).

They make fascinating reading, weaving together the activities of the accused troika into a long-running story that could apply to almost any successful online enterprise – but for the fact that the business described is unashamedly devious and criminal.

The malware family behind the charges is known as Gozi, zombie software that uses a technique called HTML injection to trick victims into revealing personal information by means of which a crook can later raid their bank accounts.

Adding to or altering the content of a bank’s online login form is tricky if you want to make the modifications on the server side or while the content is in transit.

You could hack the bank and alter its website, but that’s easier said than done these days. You could intercept the web traffic, especially if the victim is connected via WiFi, were it not for the use of HTTPS to encrypt (and digitally sign) the content all the way from the bank to the browser, making it hard to run what’s called an MiTM attack, or a “man in the middle”.

But if you can plant malware on the victim’s PC, you can use what’s known as an MiTB attack, or “man in the browser”.

Wait until a suitable online transaction form has been securely delivered and decrypted for display in the browser. Only then do you modify the form, for example to request additional security information. Then send the user-submitted content somewhere other than to the lawful recipient.
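As an added illustration of the defender's side of this (not code from the article, nor anything Gozi itself contained), the following script shows the kind of integrity check a bank's page could run over its own login form once it has rendered, looking for the two symptoms just described: fields the bank never asked for, and a form that now submits somewhere other than the bank. The bank URL, field names, collector hostname and form HTML are all constructed for the example; in a real page the check would read `form.action` and `form.elements` from the DOM rather than regex-parsing an HTML string as it does here so that it runs in plain Node.

```javascript
// Added example: spotting man-in-the-browser form tampering by comparing the
// rendered login form with the bank's expected form manifest.
// Every URL, field name and HTML snippet below is constructed for this demo.

// What the genuine form is supposed to look like (constructed manifest).
const EXPECTED_FORM = {
  action: "https://online.example-bank.test/login",
  fields: ["username", "password", "csrf_token"],
};

// Pull the action URL and the input names out of a form's HTML. A browser
// would read form.action and form.elements; regexes are used here only so the
// example runs without a DOM.
function extractForm(html) {
  const action = html.match(/<form\b[^>]*\baction="([^"]*)"/i);
  const fields = [];
  const inputRe = /<input\b[^>]*\bname="([^"]+)"[^>]*>/gi;
  for (let m = inputRe.exec(html); m !== null; m = inputRe.exec(html)) {
    fields.push(m[1]);
  }
  return { action: action ? action[1] : "", fields };
}

// Compare the rendered form with the manifest. Each finding is
// { kind, detail }; an empty array means the form matches expectations.
function auditForm(html, expected = EXPECTED_FORM) {
  const seen = extractForm(html);
  const findings = [];

  // A relative action ("/login") is resolved against the expected URL, much as
  // a browser resolves it against the page URL. A form that now posts to a
  // different origin is the "send it somewhere else" half of the trick.
  let origin = null;
  try {
    origin = new URL(seen.action, expected.action).origin;
  } catch (e) {
    findings.push({ kind: "unparseable-action", detail: seen.action });
  }
  const expectedOrigin = new URL(expected.action).origin;
  if (origin !== null && origin !== expectedOrigin) {
    findings.push({ kind: "foreign-action", detail: seen.action });
  }

  // Fields the bank never asked for are the "request additional security
  // information" half; fields that vanished are worth a look too.
  for (const name of seen.fields) {
    if (!expected.fields.includes(name)) {
      findings.push({ kind: "unexpected-field", detail: name });
    }
  }
  for (const name of expected.fields) {
    if (!seen.fields.includes(name)) {
      findings.push({ kind: "missing-field", detail: name });
    }
  }
  return findings;
}

// Constructed sample: the form as the bank serves it.
const GENUINE_FORM = `
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <button type="submit">Log in</button>
</form>`;

// Constructed sample: the same form after in-browser tampering, with two
// extra questions and a submission target that is not the bank.
const TAMPERED_FORM = `
<form id="login" method="post" action="https://collector.invalid/submit">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="atm_pin">
  <input type="text" name="mothers_maiden_name">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <button type="submit">Log in</button>
</form>`;

console.log("genuine form:", auditForm(GENUINE_FORM));
console.log("tampered form:", auditForm(TAMPERED_FORM));
```

The genuine form produces no findings; the tampered one yields one `foreign-action` finding and two `unexpected-field` findings. Note the obvious limit: malware that can rewrite the page can also rewrite or silence a script running in it, so a check like this is useful for gathering evidence (report the findings to the bank's server, not just the user) rather than as a guarantee, and it complements rather than replaces endpoint protection.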

The trio of defendants each took different roles in the overall operation, which is said in Kuzmin’s charge sheet to have infected more than one million PCs around the world.

Čalovskis’s documentation adds even more detail: not just that there were at least 17,000 infections in the US alone, but 160 at NASA. (Rocket scientists aren’t just people of interest to cybercrooks for the latest spaceplane plans. Their bank account details are valuable, too.)

The highly summarised account of the allegations is as follows. [*]

Paunescu, out of Romania, ran what are known as “bulletproof hosts” for the enterprise. Think of him as the CIO.

Legitimate ISPs will offer you mirroring and automatic failover for your servers in order to ensure maximum uptime. The bulletproofers go one step further, moving your services around online not just to cover for hardware failures and outages, but also to deal with takedowns, blocklisting and other crime-fighting measures.

Čalovskis was the HTML injection expert, coding up the HTML modifications used to trick the victims and steal their account information. Let’s call him the Senior Web Consultant.

And Kuzmin was the COO. He hired coders to write the Gozi malware and operated a Crimeware-as-a-Service (CaaS) business based around it.

You could lease time on his botnet infrastructure, hosted by Paunescu, using data-stealing content tweaked by Čalovskis, and manage your entire crooked enterprise through a web portal on Kuzmin’s so-called 76 Service infrastructure.

Kuzmin also took care of providing anti-security updates to the malware, through his outsourced programmers, as well as licensing the source code to those who wanted to use it themselves rather than to operate through 76 Service.

In the resoundingly pleonastic way that only the legal profession can get away with, the prosecution alleges that:

It was a part and an object of the conspiracy that NIKITA KUZMIN, ... and others known and unknown, unlawfully, wilfully, and knowingly, would and did execute, and attempt to execute, a scheme and artifice to defraud financial institutions ... and to obtain moneys, funds, credits, assets, securities, and other property owned by, and under the custody and control of ... financial institutions, by means of false and fraudulent pretenses, representations, and promises, in violation of [US Code]

Phew. In a similarly dramatic fashion, the maximum penalties listed above range from 60 to 95 years.

They’re unlikely to serve sentences that are actually that long, of course – Kuzmin, for example, would need to smash the male longevity record to complete a 95-year tariff – but it’s clear that all three are in more than just a bit of hot water right now.

[*] To echo the words of the DoJ’s own press release, the charges contained in the indictments against these men are merely accusations and the defendants are presumed innocent unless and until proven guilty.

The aerial shot of Manhattan on the main page is from the website of the U.S. Attorney’s Office for the Southern District of New York.