Jail for Russian man who distributed Citadel banking malware to thousands

US and Russia

A 22-year-old Russian man received a four-and-a-half-year prison sentence this week for conspiracy to commit computer fraud, ending a long legal battle spanning two years and three countries.

The Russian national, Dimitry Belorossov, infected 7000 computers with the notorious Citadel banking malware, which he used to steal sensitive information including online bank account credentials and passwords from his victims.

Although the majority of his victims were located in Russia, at least one of the computers Belorossov compromised with malware was located in the US state of Georgia, where he was charged and sentenced.

According to the US Attorney for the Northern District of Georgia, Belorossov’s prison sentence will be followed by three years probation. He will also be required to pay $322,409.09 in restitution.

Belorossov’s legal troubles began in August 2013, when he was detained at Barcelona airport as he was about to board a flight back to Russia.

The US doesn’t have an extradition treaty with Russia, so American authorities sought help from Spain to have Belorossov arrested and extradited to the United States.

At a time of increasing tension between the US and Russia, Belorossov’s extradition to the US was among several extradition cases protested by the Russian Foreign Ministry, which called them “kidnappings.”

Another extradition case cited by the Russian government involved the son of a member of the Russian parliament, who was indicted for hacking point-of-sale systems at US retailers – the outraged father said the US might hold his son for ransom or trade him in exchange for the fugitive Edward Snowden.

The Russian Foreign Ministry said at the time that Russians could not get a fair trial in the US; nevertheless, Belorossov pleaded guilty in July 2014, so a trial wasn’t necessary.

Belorossov’s legal counsel, the New York based attorney Arkady Bukh, said his client could get out of prison after a little more than a year due to time served in custody, according to Reuters.

Bukh told Reuters that his client was only a teenager when he committed his crimes, but Belorossov had taken responsibility by pleading guilty.

The US isn’t going to back down from pursuing cybercriminals in countries where it doesn’t have an extradition treaty, even if it means tracking them down in other countries.

FBI Special Agent J. Britt Johnson said “international boundaries no longer provide a safe haven for cybercriminals,” and US investigators will work with foreign based legal attachés to bring cybercriminals targeting the US to justice.

It’s a good thing that Belorossov is being punished for his crimes, but his arrest and conviction doesn’t put much of a dent in the massive cybercriminal enterprise that is Citadel.

Because Citadel is a “crimeware” kit, anyone with the means and the motive can download the kit from underground forums that trade in malware and use it to create their own cybercrime campaign.

As SophosLabs senior researcher James Wyke explains in his excellent article putting Citadel “under the microscope,” this simple-to-use cybercrime kit even has built-in customer service to help wannabe crooks use the malware effectively.

It’s going to take a lot more effort to rein in cybercrime of this scale.

The FBI reports that Citadel is a global scourge that has infected 11 million computers, responsible for losses in excess of $500 million.

Fortunately, we can all fight cybercrime by keeping our computers as secure as possible, cleaning up malware infections to prevent them spreading to others, and teaching others security best practices.

Tips to protect yourself and your money online

  • Make sure you have an anti-virus program installed and active, and that you keep it up to date.
  • Apply security patches promptly for your operating system and your applications.
  • Consider using two-factor authentication if your bank supports it.
  • Check your statements regularly. If you notice something strange, contact your bank immediately.
  • Beware of “fraud investigators” who give you a number to call back, or tell you to visit a special website. Independently verify the contact details by looking at your statements, or by searching directly on your bank’s website.
  • Consider bookmarking your bank’s site so you don’t need to type it in every time. That helps avoid typosquatting, where crooks register easily-entered misspellings of a domain name.
  • Never share your PINs with anyone. Keep them secret. Not even the police or the bank should ever request a PIN, so be on guard for anyone claiming to have an official reason for asking.
  • Don’t click on banking-related links in emails. You could end up at a phishing site – a fake login page set up by crooks.
  • Avoid opening unsolicited or unexpected email attachments, as they may be booby-trapped to try to implant malware on your computer.

Image of US and Russia flags courtesy of Shutterstock.com.