Russian authorities arrest Carberp botmaster

Powered by SC Magazine
 

A 22-year-old arrested in Russia.

Russian authorities have apprehended the person believed to be behind a banking trojan botnet responsible for stealing around $4.5 million from unsuspecting victims.

The 22-year-old Russian man is accused of using modified versions of the Carberp banking trojan to steal login details and digital signatures from compromised computers, according to a statement Friday from the Russian Interior Ministry. Authorities from Department “K,” the ministry's anti-cyber crime division, apprehended the man at his home and confiscated computers, software and documents after a 10-month-long investigation. The suspect used the online handles “Hermes” and “Arashi,” according to the statement.

The botnet, composed primarily of infected systems in Russia, is among the largest banking botnets detected to date anywhere in the world. While the ministry has pegged the botnet at about six million compromised machines, analysis by Russian security firm Dr. Web indicates that about 4.5 million were actually active. The botnet was responsible for one million malicious mail messages being sent out daily, and as many as 100,000 new zombies were being created each day.

“The young man was not only developing bot networks and massively distributing malicious programs, but also personally took part in stealing funds from accounts of individuals and legal entities,” according to the statement.

The infection pattern was standard for this type of operation. Users would be infected after opening malicious email messages and downloading malicious software, called “Client-Bank,” according to the statement. Once compromised, the computer would harvest login credentials to various services and transmit them to the attacker. With login credentials going to a fake phishing site instead of the actual financial sites, the attacker had the information necessary to transfer large amounts of money from victim bank accounts to accounts under his control.

Once cyber criminals have the stolen money in their accounts, the next step is to convert that to cash, Stefan Tanase, senior security researcher at Kaspersky Lab, told SCMagazine.com. And, Hermes had a number of shell companies to help him move the stolen funds around.

Hermes and his network of "money mules" – primarily based in Moscow and St. Petersburg – withdrew the stolen money from ATMs, often long before victims knew what was happening, said Tanase.

Hermes used the stolen assets to fund an extravagant lifestyle, including a "luxurious house in one of the resorts in Russia and expensive premium-class foreign cars," authorities said. The money was also being invested back into legitimate enterprises as part of a money-laundering operation.

Like its competitors Zeus and SpyEye, Carberp is available in the underground market. It is a popular choice for cyber criminals interested in going after bank accounts.

However, unlike Zeus and SpyEye, which let anyone customize the code to create their own variants, the gang that originally developed Carberp has retained control over the source code, Vitaly Kamluk, chief malware expert of Kaspersky Lab's global research and analysis team, told SCMagazine.com. Carberp is a commercial trojan, and crooks can specify the customizations they want before paying for it, Kamluk said.

Law enforcement has recently taken down several criminal rings that relied on Carberp. Russian police arrested six people in June and eight in March for Carberp-related online banking fraud activities.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
