
Case Study: From Your Inbox To International Espionage

In the spring of 2009, James Craig, a rookie FBI special agent, began looking into a string of electronic thefts. Little did he know, he was on the trail of an international cybercriminal organization whose victims included banks, businesses, charities and even everyday people like you and me.

How did this happen?

Craig noticed something odd about these attacks: the money extracted from the victims' accounts appeared to be withdrawn from their own IP addresses, using their own usernames and passwords. This became the trademark of the malware that came to be known as the Zeus Trojan Horse.

The hackers, who turned out to be young men in their twenties, demonstrated enough tact and organization in their scheme to impress any Fortune 100 company.

The malware entered the computer through the kind of spam email you probably receive every day: victims received fake, official-looking emails (purporting to come from the IRS or UPS, for example) that asked them to open an attachment. From the moment the attachment was downloaded, the computer became a "zombie" that could be controlled by the hackers.

Using a keystroke logger on the infected computer, the hackers gathered passwords, PINs and Social Security numbers and used them to access the victim's personal banking accounts. Worse, the hackers were able to display fake screens when the infected computer was used to check bank balances, so the victim would not even realize their account was empty until they checked from a different computer.

Even when the infected computer belonged to a user without much money in the bank, the hackers would monetize the infection with ransomware, encrypting the files on the computer and charging $300 to $750 to restore them. It was estimated that as many as 250,000 machines were held for ransom in a single year, earning the hackers a modest $1.1 million profit.

When the hackers got hold of a bank employee's account, they would use it to withdraw millions of dollars, then shut down the bank's server long enough to transfer the money into the hackers' offshore bank accounts. In November 2012, investigators watched as $6.9 million was stolen in a single transaction using this method. When the banks looked into these losses, they would conclude that the money had been stolen by the employee and terminate that employee, not realizing that the employee's infected computer was responsible.

To make matters even more complex for law enforcement, this malware quickly became the criminals' tool of choice, with millions of computers infected by the time the investigation gained a foothold. The stakes were raised further when it was realized that the web of "zombie" computers was also being used for international espionage.

The Path To Justice

The investigation made real strides when law enforcement followed suspicious bank withdrawals. This led them to discover how the hackers were siphoning off the stolen money and laundering it: immigrants were recruited to open bank accounts with small quantities of the stolen cash and then withdraw the money the next day, keeping a small portion for themselves and returning the rest to their employer. The banks caught wind of this suspicious activity, but investigators still attributed $70 million to $80 million in losses to the scheme, with some suspecting much more.

The events that followed were something of a "frantic scramble" as law enforcement, ethical hackers and major Internet providers came together to disrupt the Zeus Trojan Horse.

Find out how the story unfolds by reading the whole article here.
