Three Charged in Connection with ‘Gozi’ Trojan – Krebs on Security

Federal prosecutors today announced criminal charges against three men alleged to be responsible for creating and distributing the Gozi Trojan, an extremely sophisticated strain of malicious software that was sold to cyber crooks and was tailor-made to attack specific financial institutions targeted by each buyer.

According to charging documents filed in the U.S. District Court for the Southern District of New York, authorities believe Gozi was the creation of Nikita Kuzmin, a 25-year-old Russian national. Authorities say Kuzmin was aided by 27-year-old Latvian resident Deniss “Miami” Calovskis, and Mihai Ionut Paunescu, a 28-year-0ld Romanian national who allegedly used the screen name “Virus”.

A press conference announcement sent to reporters today by the office of New York U.S. Attorney Preet Bharara states that Gozi infected more than one million computers — at least 40,000 of which were in the United States — and caused millions of dollars in losses. Bharara’s office called Gozi “one of the most financially destructive computer viruses in history.”

The charges include bank-fraud conspiracy, conspiracy to commit computer intrusion, wire-fraud conspiracy. Kuzmin was arrested in California in Nov. 2010; Calovskis was arrested in Latvia in Nov. 2012; Paunescu was arrested in last month in Romania.

First discovered in early 2007, the Gozi Trojan is a stealthy cybertheft tool that typically evades anti-virus detection for weeks — sometimes months — at a time. Cyber forensics experts say Gozi has remained a potent threat, mainly because its author has been very selective in choosing new customers and fastidious in creating custom, undetectable versions of the malware.

For all the Trojan’s sophistication, however, investigators say it was merely the delivery vehicle for the author’s real moneymaking machine: A software-as-a-service fraud scheme  called “76 Service.” According to authorities, Kuzmin marketed the service on highly-vetted cyber criminal forums online, offering customers a soup-to-nuts crime machine that automated the processes of robbing online banking customers. Incredibly, this turnkey system even automated the ready supply of so-called “money mules,” willing or unwitting individuals recruited through work-at-home job scams to help thieves launder stolen funds.

“This was kind of like Salesforce.com for the bad guys, where he’d hook them up to his cyber crime facility and then charge them out the ear for additional services,” said one fraud investigator who worked closely with law enforcement officials on the investigation but who asked to remain anonymous.

“As a customer, you’d tell him which banks you wanted to target, and he has close-knit relationships with people who can code together pre-coded scripts to interact specifically with those bank Web sites, or has developers on standby to meet your needs,” the source said. “Then he generates the custom Gozi Trojan just for you, providing the cryptor that helps it evade anti-virus detection, and he provides the hosting infrastructure on the back end that lets you manage all of the machines infected with the Trojan.”

76 Service customers were supplied a slick, point-and-click Web-based interface that could be used to control machines infected with their customer Gozi variant, and to manipulate the way victim customers interacted with their financial institutions’ Web site.

To that end, the “injects” supplied by the Gozi team were the key moneymaker for the 76Service. A typical Gozi attack worked like this: A 76Service customer would decide which banks most of those victimized by his Trojan were using, and then pay the author to create automated system so that when victims logged in to their bank’s site, the Trojan would inject HTML content into the bank’s Web site as displayed in the victim’s browser — usually form fields that requested additional personal or financial data on the victim, and then relayed that data back to the attackers.

One common type of inject used by Gozi was a pop-up box — such as the actual Gozi inject in the image above left, an inject that targeted US Bank and requested additional data from victim account holders.

Investigators say Gozi also was used to inject content directly into the bank’s Web page as displayed by the victim’s browser, allowing attackers to spoof the victim’s bank balance: In such attacks, the crooks could empty an account of all available funds, and yet force the victim’s browser to display the original balance before the robbery.

Another inject that sources say was used primarily against banks in the United Kingdom actually automated the process of sending stolen funds from compromised accounts to money mules. The mules were thought to be supplied by a third-party group that specialized in recruiting, vetting and training mules — priming them to be ready to receive transfers, pull the money out in cash, and then wire the funds to the attackers.

Prosecutors allege that Kuzmin directed the creation of Gozi, and that Calovskis was responsible for writing Web injects for Gozi and for customers of the ZeuS Trojan, another malware strain commonly used in cyberheists. According to investigators, Paunescu ran a “bulletproof hosting” service that was used as a proxy server for computers infected with Gozi and ZeuS.

If convicted, Kuzmin faces up to 95 years in prison. Calovskis and Paunescu face a maximum of 67 and 60 years in prison, respectively. Here are PDF copies of the charges against Calovskis, Kuzmin, and Paunescu.