Gameover Zeus Investigators Detail Malware Attack At Plastics Manufacturer


Solution providers said they know of hundreds of businesses impacted by the infection. The FBI said one of the biggest heists was against a regional bank in Northern Florida, which lost nearly $7 million in attacks. Other victims associated with Gameover Zeus attacks briefly mentioned in court documents include an Indian tribe in Washington, which lost more than $277,000, and an assisted living facility operator that lost $190,800.

The Zeus Trojan and other financially driven malware attacks have been a plague to businesses and consumers globally, said Nick Peaster, managing director at Sussex, U.K.-based security systems integrator Preventia Ltd.

"From a fraud perspective, this has been one of the worst," Peaster said. "It's the reason why we've moved in the financial industry to signing certificates and tokens to validate transactions."

The linchpin for investigators was the discovery of a U.K.-based server. Despite the peer-to-peer communication mechanism designed to make dismantling the botnet difficult, law enforcement found a server that played a much larger role in Gameover Zeus than initially believed. It provided investigators with a detailed ledger of hundreds of the group's financial transactions. It also acted as a communication channel to Bogachev's network of money mules, which enabled investigators to trace the laundered funds. The server hosted a help-desk ticket system through which technical issues were handled and upgrades to the botnet were made.

Investigators said their monitoring uncovered a well-run criminal operation. Once a victim's account credentials were stolen, Bogachev or one of his assistants used electronic funds transfers, wire transfers, ACH payments or other transactions to drain the victim's bank account. An extensive money mule network allegedly transferred the stolen money to Bogachev and his partners.

A restraining order issued by the U.S. District Court authorized the FBI to collect Internet traffic from infected computers that attempt to connect to the command and control servers allegedly used by Bogachev and his group to communicate with the victims. It also enabled investigators to prevent systems from connecting to a long list of Russian Internet domains allegedly controlled by Bogachev.

Security researchers also found a connection between Gameover Zeus and the string of CryptoLocker ransomware infections at the end of 2013. The malware infects victims' systems and encrypts their files, demanding a payment within 72 hours to regain access to the files. The group allegedly received millions in extortion payments from victims. Businesses were also impacted: according to solution providers who assisted clients, some were forced to absorb tens of thousands of dollars in lost business and IT services to clean infections and recover from backup.

David Senseman, president of Cincinnati-based Integrity Solutions Group, a managed service provider whose clients are mainly dental industry offices and clinics, said his clients were lucky to have a multitiered backup system. Senseman said the system enabled his firm to help clients resume business quickly.

"As long as they had a backup in place, we could restore and reload their data fairly quickly," Senseman said in a recent interview.
