US takes out gang that used Zeus malware to steal millions

Zeus malware used to attack Bank of America, First National Bank of Omaha and others

The US Department of Justice today charged nine members of a group that used Zeus malware to infect thousands of business computers and illegally siphon off millions of dollars into overseas bank accounts.

The DoJ said an indictment was unsealed in connection with the arraignment this week at the federal courthouse in Lincoln, Neb., of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36. Konovalenko and Kulibaba were recently extradited from the United Kingdom. All of the defendants had been charged by a federal grand jury in August 2012 with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud.


According to the indictment, the defendants participated in an enterprise and scheme that installed, without authorization, malicious software known as Zeus or "Zbot" on victims' computers associated with Bank of America, First National Bank of Omaha, Nebraska, the Franciscan Sisters of Chicago and Key Bank.

The defendants are charged with using that malicious software to capture bank account numbers, passwords, personal identification numbers, RSA SecurID token codes and similar information necessary to log into online banking accounts. The indictment alleges that the defendants falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims' bank accounts, causing the banks to make unauthorized transfers of funds from the victims' accounts, the DoJ stated.

As part of the enterprise and scheme, the defendants allegedly used US residents as "money mules" who received funds transferred over the Automated Clearing House network or through other interstate wire systems from victims' bank accounts into the money mules' own bank accounts. These money mules then allegedly withdrew some of those funds and wired the money overseas to conspirators, the DoJ stated.

According to court documents unsealed today, Kulibaba allegedly operated the conspirators' money laundering network in the United Kingdom by providing money mules and their associated banking credentials to launder the money withdrawn from U.S.-based victim accounts. Konovalenko allegedly provided money mules' and victims' banking credentials to Kulibaba and facilitated the collection of victims' data from other conspirators.

The DoJ noted that four identified defendants remain at large:

  • Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.
  • Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.
  • Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.
  • Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new codes to compromise banking systems.

The indictment also charges three other individuals as John Doe #1, John Doe #2 and John Doe #3.

From a recent Network World story: Zeus is the top banking Trojan, according to Dell SecureWorks, whose research into criminally operated botnets built on the malware dates back to 2007. Zeus is often described as sophisticated banking Trojan malware that can execute an array of financially oriented attacks, such as grabbing online credentials and siphoning off funds in payment systems.

According to the SecureWorks report, "Top Banking Botnets of 2013," Zeus banking Trojan variants accounted for about half of all banking malware seen in 2013. SecureWorks points out that Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, for example.

Follow Michael Cooney on Twitter: nwwlayer8 and on Facebook
