Conspirators Indicted In Online Malware Attacks Against Financial Accounts

October 19, 2015

If you enjoy being scared, I guess you can watch one of the Sharknado movies or maybe go for a marathon session of some zombie television series. Of course, Halloween is coming up, so maybe just hang in there a few more days. On the other hand, some recent news stories may scare the crap out of you with just as much effectiveness. Consider the recent announcement by the Department of Justice ("DOJ") that it had purportedly shut down yet another criminal conspiracy to infect computers with botnet malware.

Case In Point

On October 13, 2015, DOJ unsealed a nine-count Indictment in the Western District of Pennsylvania charging Andrey Ghinkul, a/k/a "Andrei Ghincul" a/k/a/ "Smilex", 30, of Moldova with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud.Purportedly $10 million in U.S. losses are attributed to the conspiracy. Ghinkul was previously arrested on Aug. 28, 2015 in Cyprus and is awaiting efforts to extradite him back to the United States. United States of America v. Andrey Ghinkul (Indictment, 15-CR-00198, WDPA, September 16, 2015)

NOTE: An Indictment merely contains allegations and defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Botnet Conspiracy

The Indictment alleges that a criminal conspiracy using Botnets and phishing emails to infect computers with malware designed to steal confidential personal and financial information of its victims. The Botnets at issue were designed to defeat antivirus programs.

The Indictment alleges the conspirators stole their victims information and used those credentials undertake the fraudulent electronic transfers of millions of dollars from the victims' bank accounts into the accounts of so-called intervening "money mules", who then transferred the stolen funds to other conspirators.

As set forth in the Indictment (footnote omitted):

2) Keystroke logging is the action of recording (for logging) the keys struck on a keyboard. This action is usually done surreptitiously by a computer program (i.e., keylogger) to capture the keys typed on a computer without the typist's knowledge. Malware that uses keystroke logging often will provide the captured keystrokes to the individual who caused the malware to be installed or to a place designated by the individual. Through keystroke logging, individuals ar able to obtain online banking credentials as soon as the user of the infected computer logs into their account. After obtaining this information, these individuals can access the victim's online bank account and execute unauthorized electronic funds transfers ("EFT"), such as Automated Clearing House ("ACH") payments or wire transfers, to accounts they control.

The Nitty Gritty of Malware

The Indictment offers some explanation about one of the malwares, the Bugat, used in this criminal conspiracy:

8) Bugat malware is generally distributed through a process known as "phishing", where spam emails are distributed to victims.. The emails appear legitimate and are carefully crafted to entice the victim to click on a hyperlink or to open an attached file. In the event a user clicks on a hyperlink, the user is then usually redirected to an exploit kit, which is a web based software program that scans the victim's computer and operating systems for vulnerabilities and upon discovering one, forces the download of a malicious file upon the victim. In the event the victim opens an attached file, he is then directly infected either by the Bugat malware, or bay a loader program, which then downloads the Bugat payload without the victim's consent or knowledge.

9) Bugat, like most modern malware families, is specifically crafted to defeat antivirus and other protective measures employed by victims. As the individual behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called "Cridex," and later "Dridex." . . . 

Go Phish

The Indictment offers several examples of the allegedly criminal transfers that were facilitated by a phishing email sent to a Penneco Oil employee:

  • Dec. 16, 2011, $999,000 transferred from the Sharon, PA, City School District's account at First National Bank to an account in Kiev, Ukraine;
  • Aug. 31, 2012,  $2,158,600 was transferred from a Penneco Oil account at First Commonwealth Bank to an account in Krasnodar, Russia;
  • Sept. 4, 2012, of $1,350,000 from a Penneco Oil account at First Commonwealth Bank to an account in Minsk, Belarus; and 
  • Sept. 4, 2012, $76,520 transferred from a Penneco Oil account at First Commonwealth Bank to an account in Philadelphia.  

In addition to the Indictment, the FBI is now authorized pursuant to a civil injunction to redirect automated requests by victim computers for additional instructions to substitute servers. Victims may use the US-CERT webpage Alert (TA15-286A) Dridex P2P Malware for assistance on how to remove the malware:

READ the Full-Text Indictment

Also READ: