Gameover Zeus Investigators Detail Malware Attack At Plastics Manufacturer
Financial malware is thought to be a danger to consumers, but a Pennsylvania plastics manufacturer was one of many firms that suffered a serious blow from the Gameover Zeus botnet. A successful attack bilked the company of more than $375,000 in a single day.
In a global law enforcement operation called Tovar, authorities in 10 countries seized the systems serving as the backbone to Gameover Zeus and CryptoLocker ransomware. The operation included assistance from Dell SecureWorks, which was tracking the evolution of the Gameover Zeus botnet. Microsoft, McAfee and other security firms that monitored infected PCs connected to the criminal group.
The indictment (.PDF) against Evgeniy Bogachev, a 30-year-old Russian who allegedly administered the botnet, detailed a single attack against Erie, Pa.-based Haysite Reinforced Plastics, which began with a phishing email to several employees on Oct. 18, 2011.
Bogachev's group, which was operating from a server located in Iran, tricked several employees into clicking a malicious link in the message. The phony message indicated there was a problem with Haysite's ACH Network tied to its PNC Bank account. The malware was installed in the background and the attackers were stealthily in control.
Once a Windows system is infected with the Zeus malware, an attacker can remotely capture the victim's banking account credentials using malicious software to record keystrokes. If that doesn't work, the malware can hijack the computer session using a man-in-the-middle attack technique, which involves injecting fake online banking webpages to trick the victim into giving up sensitive information.
After gaining account credentials and other information, two days later the attackers transferred more than $198,200 from Haysite's PNC Bank account to an account under the name of Lynch Enterprises LLC at SunTrust Banks in Atlanta. The fraudulent account was opened by a money mule, one of an extensive network allegedly managed by Bogachev, which would later transfer the funds to bank accounts in London. Only a few hours later, another $175,750 was transferred from Haysite's account to R&R Jewelers, a retailer that maintained an account at Herald National Bank in New York.
Bogachev and his group allegedly attempted to make another $500,000 in fraudulent transfers from the Haysite bank account, but the banks detected the unusual activity. CRN reached out to Haysite, but the company didn't respond to a request for comment.
PNC Bank spokesperson Marcey Zwiebel said the firm doesn't comment about ongoing legal investigations or its customers. "We work with every customer on an individual basis as fraud is detected," Zwiebel told CRN.
SunTrust Banks spokesperson Mike McCoy also declined to comment. "While we do have policies and procedures in place to combat fraud, we do not publicly disclose the specifics around those efforts," McCoy said.
Losses to businesses and consumers associated with Gameover Zeus and CryptoLocker exceeded $100 million, according to the FBI. Between 500,000 and 1 million computers were thought to be infected by Gameover Zeus-related malware globally.
NEXT: UK-Based Server A Linchpin For Investigators
Solution providers said they know of hundreds of businesses impacted by the infection. The FBI said one of the biggest heists was against a regional bank in Northern Florida, which lost nearly $7 million in attacks. Other victims associated with Gameover Zeus attacks briefly mentioned in court documents include an Indian tribe in Washington, which lost more than $277,000, and an assisted living facility operator lost $190,800.
The Zeus Trojan and other financially driven malware attacks have been a plague to businesses and consumers globally, said Nick Peaster, managing director at Sussex, U.K.-based security systems integrator Preventia Ltd.
"From a fraud perspective, this has been one of the worst," Peaster said. "It's the reason why we've moved in the financial industry to signing certificates and tokens to validate transactions."
The linchpin for investigators was the discovery of a U.K.-based server. Despite the peer-to-peer communication mechanism designed to make dismantling the botnet difficult, law enforcement found a server that played a much larger role in Gameover Zeus than initially believed. It provided investigators with a detailed ledger of hundreds of the group's financial transactions. It acted as a communication tool to Bogachev's network of money mules and enabled investigators to trace the laundered funds. The server had a help-desk ticket system where technical issues and upgrades to the botnet were made.
Investigators said their monitoring uncovered a well-run criminal operation. Once a victim's account credentials were popped, Bogachev or one of his assistants used electronic funds transfers, wire transfers, ACH payments or other transactions to drain the victim's bank account. An extensive money mule network allegedly transferred the stolen money to Bogachev and his partners.
A restraining order authorized by the U.S. District Court authorized the FBI to collect Internet traffic from infected computers that attempt to connect to the command and control servers allegedly used by Bogachev and his group to communicate with the victims. It also enabled investigators to prevent systems from connecting to a long list of Russian Internet domains allegedly controlled by Bogachev.
Security researchers also found a connection between Gameover Zeus and the string of CryptoLocker ransomware infections at the end of 2013. The pesky malware infects victims' systems and encrypts the files, demanding a payment in 72 hours to regain access to the files. The group is said to have allegedly received millions in extortion payments from victims. Businesses were also impacted, forced to pay in some cases tens of thousands of dollars in lost business and IT services to clean infections and recover from backup, according to solution providers who assisted clients.
David Senseman, president of Cincinnati-based Integrity Solutions Group, a managed service provider whose clients are mainly dental industry offices and clinics, said his clients were lucky to have a multitiered backup system. Senseman said the system enabled his firm to help clients resume business quickly.
"As long as they had a backup in place, we could restore and reload their data fairly quickly," Senseman said in a recent interview.
NEXT: Dell, Microsoft Among Firms Helping Investigators
Operation Tovar was similar to the Coreflood botnet take-down in 2011. In the Coreflood botnet take-down, Microsoft filed civil lawsuits requesting the ability to take out the botnet's command and control infrastructure. The software giant said in a blog post on Monday that the civil action wasn't needed for Gameover Zeus because of its decentralized peer-to-peer communication setup.
Microsoft said its researchers conducted analysis on the Gameover Zeus peer-to-peer network to help provide visibility into the extent of impacted Windows systems. The take-down marks the second botnet operation by Microsoft since Nov. 14 when it worked with investigators to disrupt the ZeroAccess click fraud botnet.
"The impact of GameOver Zeus is not limited to the financial industry -- nearly all major business and public sector organizations are impacted," wrote Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, in a blog post outlining the company's role in the investigation.
Dell SecureWorks researchers, which had been heavily focused on Gameover Zeus, said the next stage of the operation is getting victims to clean infected systems. The company said in a statement that Operation Tovar involved law enforcement organizations around the world, security industry partners, ISPs, US-CERT and members of the academic communities at Georgia Institute of Technology and Carnegie Mellon University.
The U.S. Computer Emergency Response Team issued an alert detailing the Gamover Zeus and CryptoLocker removal tools created by Microsoft, McAfee and other security firms.
"We anticipate the criminal infrastructure of both Gameover Zeus and CryptoLocker will re-establish operations as quickly as they can. Thus you need to take action quickly," according to McAfee Labs, which issued an advisory Monday.
PUBLISHED JUNE 3, 2014