Gameover Zeus Investigators Detail Malware Attack At Plastics Manufacturer


Financial malware is usually thought of as a danger to consumers, but a Pennsylvania plastics manufacturer was one of many firms that suffered a serious blow from the Gameover Zeus botnet. A successful attack bilked the company of more than $375,000 in a single day.

In a global law enforcement operation called Tovar, authorities in 10 countries seized the systems serving as the backbone of Gameover Zeus and the CryptoLocker ransomware. The operation included assistance from Dell SecureWorks, which was tracking the evolution of the Gameover Zeus botnet, and from Microsoft, McAfee and other security firms that monitored infected PCs connecting to the criminal group's infrastructure.

The indictment (.PDF) against Evgeniy Bogachev, a 30-year-old Russian who allegedly administered the botnet, detailed a single attack against Erie, Pa.-based Haysite Reinforced Plastics, which began with a phishing email to several employees on Oct. 18, 2011.


Bogachev's group, which was operating from a server located in Iran, tricked several employees into clicking a malicious link in the message. The phony message indicated there was a problem with Haysite's ACH Network tied to its PNC Bank account. The malware was installed in the background and the attackers were stealthily in control.

Once a Windows system is infected with the Zeus malware, an attacker can remotely capture the victim's banking account credentials by using the malware to record keystrokes. If that doesn't work, the malware can hijack the victim's online banking session using a man-in-the-middle technique, injecting fake online banking webpages into the session to trick the victim into giving up sensitive information.

Two days after gaining the account credentials and other information, the attackers transferred more than $198,200 from Haysite's PNC Bank account to an account under the name of Lynch Enterprises LLC at SunTrust Banks in Atlanta. The fraudulent account had been opened by a money mule, one of an extensive network allegedly managed by Bogachev, who would later transfer the funds to bank accounts in London. Only a few hours later, another $175,750 was transferred from Haysite's account to R&R Jewelers, a retailer that maintained an account at Herald National Bank in New York.

Bogachev and his group allegedly attempted to make another $500,000 in fraudulent transfers from the Haysite bank account, but the banks detected the unusual activity. CRN reached out to Haysite, but the company didn't respond to a request for comment.

PNC Bank spokesperson Marcey Zwiebel said the firm doesn't comment about ongoing legal investigations or its customers. "We work with every customer on an individual basis as fraud is detected," Zwiebel told CRN.

SunTrust Banks spokesperson Mike McCoy also declined to comment. "While we do have policies and procedures in place to combat fraud, we do not publicly disclose the specifics around those efforts," McCoy said.

Losses to businesses and consumers associated with Gameover Zeus and CryptoLocker exceeded $100 million, according to the FBI. Between 500,000 and 1 million computers were thought to be infected by Gameover Zeus-related malware globally.
