U.S. authorities have charged more than 60 people in connection with the money-stealing Zeus Trojan program, according to the U.S. Department of Justice.
The arrests follow a Tuesday U.K. sweep that led to 11 charges against Eastern European citizens thought to be involved in moving stolen funds out of the country.
They allegedly used features of the ZeuS trojan to break into customer accounts and steal funds by transferring it to other accounts held by accomplices who then delivered it to the masterminds via untraceable means like Western Union, says Mickey Boodaei, CEO of browser security vendor Trusteer.
Related story: Trojan behind phishing scam can be found via Google
Those involved were apparently careless with their own security, leaving cracks where investigators could peer inside the operation and track who was involved, he says.
Manhattan DA Cy Vance Jr. discusses the criminal enterprise behind the Zeus crimeware at a press conference Sept. 30.
Zeus has been a major problem for computer users and financial institutions over the past few years. Once installed on the victim’s PC, the malware can be used to log into a victim’s bank account and transfer funds to another account controlled by the criminals.
The malicious software is sold in black market forums and there are more than a dozen Zeus gangs in operation worldwide. Security experts say that the gangs have netted more than US$200 million since Zeus was discovered in 2006.
The U.S. arrests involve so-called money mules, people who are paid to set up accounts that receive stolen funds and then move the money out of the country, typically via a wire service such as Western Union. The DOJ has scheduled a press conference in Manhattan on Thursday afternoon to further discuss the arrests.
According to documents seen by IDG News Service, prosecutors have filed a total of 26 complaints. Investigators from the agencies including the U.S. Federal Bureau of Investigation and State Department special agents describe in the complaints an elaborate network used to launder funds stolen by the Zeus malware.
One of the complaints describes in-depth the use of money “mules” in order to facilitate the transfer of funds into criminal accounts. Mules agree to allow funds to be transferred out of victims’ accounts into their own accounts. Those funds are typically quickly withdrawn and wired elsewhere before banks detect the fraud.
But that was a risky job, involving withdrawing cash from the banks either in person or visiting cash machines, both of which would be under video surveillance.
“The mule organization typically recruited mules from Eastern Europe who were either planning to travel to or were already present in the United States on J1 visas,” according to the complaint lodged against three individuals: Artem Semenov, Almira Rakhmatulina and Julia Shpirko.
The J1 visa is a non-immigrant visa granted to people such as students. When those mules arrived in the U.S., they were given fake foreign passports in order to open more bank accounts. Stolen funds were transferred to those accounts in amounts close to $10,000, according to the complaint.
In some cases Trusteer has managed to find the command and control servers used to run the operation, the company claims. Once investigators track down the command and control servers, they can follow transactions to the server and so trace the criminals, Boodaei says.
Similarly, investigators can trace the accounts set up by the money mules – the people whose accounts receive the stolen funds then transfer them to the criminals. Once they are found, investigators can trace how they were recruited and perhaps by whom, he says.
“The mules kept a portion of the fraudulent proceeds for themselves — usually 8 to 10 percent — and transferred the rest to other participants in the fraudulent scheme,” the complaint said.
Semenov, Rakhmatulina and Shpirko were charged with conspiracy to commit bank fraud and conspiracy to possess false identification documents. Semenov and Rakhmatulina were also charged with false use of a passport.
Customs officers intercepted a United Parcel Service package shipped from Moldova addressed to Semenov at a residence in Brooklyn, New York. Inside the package were several passports, including some with Semenov’s photograph but different names such as “Petar Stojanovic” and “Victor Rajkov.”
With notes from Tim Greene