As part of a major crackdown in a dozen countries against Russian cyber-criminals, the RCMP has shut down two computer servers in Montreal that were part of a network that extorted millions of dollars from businesses and consumers.
The operation disrupted malicious software called Gameover Zeus (GOZ), which has infected up to a million computers around the world and caused losses of more than $100-million (U.S.).
Also known as GOZeus, the malware steals banking credentials, impersonates legitimate websites and infects computers with CryptoLocker, a ransomware that blackmails victims by locking down their hard drive until a payment is made.
On Friday, the RCMP seized two servers in Montreal in co-ordination with a two-and-a-half-year operation initiated by the U.S. Federal Bureau of Investigation.
According to an FBI affidavit filed in Pittsburgh, key servers in the CryptoLocker infrastructure were located in Canada, Ukraine and Kazakhstan.
More than 5,000 users were victims in Canada, with potential losses close to $1.5-million, the RCMP said.
The Canadian probe started about three months ago following a tip from the FBI, said Constable Philippe Gravel, a spokesman for the Mounties’ integrated technological crime unit in Quebec.
He said the Montreal seizures were done under the auspices of a search warrant invoking the “mischief to data” provision of the Criminal Code.
Constable Gravel said the two Montreal servers were purchased with the aim of using them specifically for the botnet, a network of compromised machines that were remote-controlled without the knowledge of the victims.
The crackdown is coded-named Operation Tovar, according to MacAfee Labs, one of several computer security firms helping authorities.
GOZ is the latest version of the Zeus malware. Unlike earlier variants, GOZ is not for resale.
“Based on the sophistication of this Trojan, the team behind these attacks appears to be well established and has probably been involved in financially motivated operations which predate the appearance of Gameover Zeus,” said Symantec, another of the computer security firms involved in the crackdown.
According to U.S. court documents, the ring is led by a 30-year-old Russian national, Evgeniy Mikhaylovich Bogachev.
The FBI says he is last known to be living in the Black Sea resort of Anapa. “He is known to enjoy boating and may travel to locations along the Black Sea in his boat,” his FBI Wanted poster says.
No charges have been laid by Canadian authorities, but police are looking for a foreign person who had rented the server space in Montreal, Constable Gravel said.
He said hacker groups are known to enlist people as “bulletproof holsters” – a police name for individuals who legally rent server space without knowing that the space will be used to advance illicit conspiracies. “They rent space on the Internet without asking any questions,” he said.
Constable Gravel noted that no one has to physically be in Montreal to rent server space there. “It’s global – you can rent a server in Montreal from Japan if you want.”
Canadian police have captured some data, he said, adding that they are still analyzing it.
According to U.S. court documents, the victims include:
• The Swansea, Mass., police department, which paid a $750 ransom in bitcoins last November after CryptoLocker took over its main file server, including investigative materials and seven years worth of digital mug shots.
• A northern Florida bank that lost $7-million after an unauthorized wire transfer using credentials stolen through GOZ.
• A corporation operating assisted-living facilities in Pennsylvania that lost $190,800 in a bogus wire transfer.
Computers were usually infected by GOZ after someone clicked on an e-mail attachment or a link that appeared genuine.
Once installed, GOZ enlisted the infected computers into botnets. “The malware waits silently, monitoring the user’s activity until the opportunity arises to capture banking or other private information, which is then transmitted back to the criminals via the botnet infrastructure,” according to a communiqué from the British National Crime Agency, which was involved in the global crackdown.
The malware can engage in man-in-the-middle deceptions, impersonating a legitimate website. “For example, if a GOZ-infected user were to visit a banking website that typically requests only a username and password, the [malware] could seamlessly inject additional form fields into the website displayed in the user’s Web browser that also request the user’s social security number, credit card numbers,” according to a court complaint filed in Pittsburgh.
GOZ also opened the door to CryptoLocker, which locks down the victim’s hard drives and demands a ransom in return for the encryption key.
“Where a computer infected with GOZeus turns out not to offer a significant financial reward, it can call in CryptoLocker, to give the criminal controllers a second opportunity to acquire funds from the victim,” the NCA communiqué said.
Because it is decentralized, “the GOZ botnet is widely believed to be the most advanced in existence and one of the most difficult to remediate,” said a memorandum of law filed by U.S. prosecutors in Pittsburgh.
Authorities in the United States obtained court orders to block access to domain names that were used to control infected computers. They will also set up substitute servers to replace the botnet infrastructure.