Three Charged In Gozi Banking Malware Infections

The men allegedly played a role in developing and spreading the Gozi, a notorious banking Trojan that has caused a minimum of tens of millions of dollars in losses, according to the court documents filed in the U.S. District Court for the Southern District of New York. Gozi is believed to have surfaced in 2007, starting in Europe but spreading to at least 25,000 systems in the United States, stealing bank account credentials throughout the regions.

Mihai Paunescu, a Romanian, Deniss Calovskis, a Latvian, and Nikita Kuzmin of the Russian Federation, each face five counts of computer crimes including wire fraud, conspiracy to commit aggravated identity theft, conspiracy to commit computer intrusion and access device fraud conspiracy.

[Related: New Threats Of Cyberattacks Against U.S. Banks ]

The malware was embedded in Adobe .pdf documents and spread using spear phishing campaigns and other tactics in email attachments. The men were believed in September to have been gearing up for a highly coordinated cyberattack against U.S. banks.

Kuzmin, a native of Russia, is charged with being chief architect and promoter of the virus. He allegedly began designing the malware in 2005 and after months of work began renting out Gozi to two other men, who apparently configured it to steal passwords, user names and other types of data. In 2009, the government alleges that the source code for Gozi was acquired for $50,000 and used in more widespread attacks in the United States.

Paunescu is charged with committing computer intrusion offenses, allegedly renting a proxy server in California to harvest data from infected machines. The government alleges that in August 2012 as many as 160 of those infected systems belonged to NASA, resulting in $40,000 in losses. In a separate Gozi attack, at least one victim was bilked out of more than $200,000, according to the court documents.

Calovskis, a computer programmer from Latvia, is an alleged co-conspirator, according to the court documents, helping sell or rent the malware to other cybercriminals.

According to the account of the attacks, the cybercriminals involved with Gozi allegedly stole Social Security numbers, driver's license numbers, date of births and ATM card numbers. In late 2010m, members of the group controlled a command-and-control server that stored more than 3,000 user names of customers of seven U.S. banks, among others, according to the court filings.

PUBLISHED JAN. 23, 2013