A U.S.-led international operation disrupted a crime ring that had infected hundreds of thousands of PCs around the globe with malicious software used for stealing banking credentials and cyber extortion, the Justice Department said on Monday.
Authorities used technical and legal tactics to interrupt the botnet in an effort called Operation Tovar, shutting down the servers the cybercriminals used to control infected machines and causing those machines to "phone home" to servers controlled by law enforcement.
“These schemes were highly sophisticated and immensely lucrative, and the cybercriminals did not make them easy to reach or disrupt,” Leslie Caldwell, who heads the Justice Department's criminal division, told a news conference.
The botnet, known as Gameover Zeus, or GOZ, derives its name from a version of the Zeus credential-stealing software, which U.S. court documents said have caused $100 million in losses to consumers and businesses since it first surfaced in 2007. Court documents released on Monday said that between 500,000 and 1 million machines worldwide were infected with the malicious software, or malware.
Its primary purpose was to capture banking credentials, though it has been known to change recipients of legitimate payments orders, for example targeting U.S. hospitals' payroll operations.
A botnet is a group of computers under the control of someone other than the computers' owners. They are typically assembled through viruses and are the key tool in spam, online bank fraud and denial-of-service attacks on websites.
GOZ was also used to distribute Cryptolocker, malicious software known as "ransomware" that encrypts data of an infected computer, making it inaccessible to the user. Cybercriminals would essentially take the machine hostage, promising to unscramble the data if the user paid them a ransom of as much as $700, the Justice Department said.
The U.S. Department of Homeland Security set up a website to help victims remove the GOZ malware: https://www.us-cert.gov/gameoverzeus. The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, Ukraine and the United Kingdom.
Intel, Microsoft, security software companies F-secure, Symantec, and Trend Micro; and Carnegie Mellon University also supported the operation.
The U.S. government kept the effort secret until Monday when it unsealed a 14-count indictment accusing Russian national Evgeniy Mikhaylovich Bogachev of involvement in the alleged conspiracy.
The suspect, who authorities said is known online as Lucky12345, is charged with writing computer code used to compromise banking systems and assist others in stealing banking credentials, according to court documents.
Prosecutors said the victims of the attacks included Capital One Bank, Bank of Georgetown in Washington, and First National Bank of Omaha. Bogachev and his group infected thousands of business computers with software that captured passwords, account numbers and other information used to log in to online bank accounts, prosecutors said.