Gameover Zeus: scam that could empty your bank account in a fortnight
The Gameover Zeus scam has security experts worried. Here's how it works, and why it could empty bank accounts within a fortnight.
News broke this week of the Gameover Zeus (GOZ) and Cryptolocker malware rackets which have, conservatively, defrauded computer users of over $100 million.
Victims include the materials company in Pennsylvania which lost $198,000 in a wire transfer fraud, the North American Indian tribe which lost $277,000, the Florida bank which was ripped off for $7 million and the pest control company in North Carolina, hit for $80,000.
But there are victims in many countries besides the US. In the UK, the National Crime Agency reckons the computers of more than 15,000 people here are already infected, at risk of losing millions of pounds.
The man behind the scam
The reason the examples above are American is because the United States Department of Justice (DoJ) is going after the man they allege to be the principal perpetrator of what is probably the biggest ever computer hacking rip-off.
In court filings, the DoJ has named Evgeniy Mikhailovich Bogachev, from Anapa (a Russian Black Sea tourist resort) as the operation's mastermind. The shaven-headed 30-year-old is also known as Slavik, Lucky 12345 and Pollingsoon.
GOZ is a malicious piece of software which infiltrates the victim's computer unseen, turning the machine into part of a botnet, a network of infected computers all controlled, in this case, by Bogachev. Some computers in the network are called “proxy nodes” - these relay instructions to the others. There is also a “domain generation algorithm” which creates a large and constantly changing list of internet domain names, so that the infected machines can keep finding the criminals' servers even when individual domains are blocked, and so that investigators find the infrastructure hard to pin down.
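Because a domain generation algorithm makes a bot look up many random-looking names, most of which do not exist, a defender can spot an infected machine in resolver logs by looking for bursts of failed lookups of high-entropy, vowel-poor names. The script below is an added example written for this article, not code from the original page or from any investigation; the log format (timestamp, client, query, response code), the sample lines and the thresholds are all constructed assumptions, and a real deployment would tune them against its own traffic.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines (not real traffic). Assumed format:
# "<timestamp> <client-ip> <queried-name> <rcode>". Client 10.0.0.40 behaves
# like a DGA bot; the other two clients make ordinary lookups.
SAMPLE_LOG = """\
2014-06-02T10:00:01 10.0.0.12 www.example-bank.co.uk NOERROR
2014-06-02T10:00:02 10.0.0.12 mail.google.com NOERROR
2014-06-02T10:00:03 10.0.0.40 paqxzkrwtvumhngbdlfs.com NXDOMAIN
2014-06-02T10:00:03 10.0.0.40 ezkqwtpbvrmxnhgdlsjf.net NXDOMAIN
2014-06-02T10:00:04 10.0.0.12 wpad.corp.example NXDOMAIN
2014-06-02T10:00:04 10.0.0.40 ktxwzpqvrbmnoghdlfsj.org NXDOMAIN
2014-06-02T10:00:05 10.0.0.77 zqkxwvptrbmenhgdlfsj.biz NXDOMAIN
2014-06-02T10:00:05 10.0.0.40 qzwxkpvtrbimnhgdlfsj.biz NXDOMAIN
2014-06-02T10:00:06 10.0.0.12 cdn.lovemoney.com NOERROR
2014-06-02T10:00:06 10.0.0.40 wxzqkptvrbmnhgdlfsju.com NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_label(fqdn: str) -> str:
    """Longest label of a DNS name; for generated names this is the random part."""
    return max(fqdn.lower().rstrip(".").split("."), key=len)


def looks_generated(fqdn: str, min_len: int = 12, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels are typical of DGA output.
    The three thresholds are assumptions chosen for this example."""
    label = longest_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_line(line: str):
    """Return (client, qname, rcode) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, client, qname, rcode = parts
    return client, qname, rcode


def flag_clients(log_text: str, min_hits: int = 3) -> dict:
    """Map each client with at least min_hits failed lookups of generated-looking
    names to the list of those names. A single odd lookup is not enough: the
    signal is the burst of NXDOMAIN answers a DGA produces."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, rcode = rec
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN lookups, e.g. {names[0]}")
```

The per-name test on its own is noisy (a legitimate CDN hostname can score high), which is why the decision is made per client over a count of failed lookups; in a real deployment the suspicious names, not just the client, are what you hand to the incident responder, since they are what the bot was trying to reach.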
GOZ intercepts sensitive details you send to and receive from your bank or other financial institution. It can then impersonate the account's real owner. This is known as the “man in the middle” tactic. But GOZ has a further clever feature. It can alter the real site as it is displayed to you, adding extra fields. So it would appear that your bank, on what seems to be its legitimate site, is asking for your date of birth, social security number or credit card details as well as your password.
Victims give this sensitive information because they are not aware their bank site has been compromised.
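One defensive check against the injected-field trick described above is to compare the fields a login page actually presents with the fields the genuine page is known to contain; a bank's page-integrity monitoring or an analyst examining a suspect machine can do this. The code below is an added example written for this article, not code from the original page or from any bank; the two HTML pages, the expected field list and the sensitive-name hints are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed baseline: the only form fields the genuine login page contains.
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Constructed list of substrings that mark a field as asking for data a login
# page should never need.
SENSITIVE_HINTS = ("ssn", "social", "dob", "birth", "card", "cvv", "pin", "passport")

# Constructed sample pages (not a real bank's HTML).
CLEAN_LOGIN = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <label>User ID <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Log in">
</form>
"""

INJECTED_LOGIN = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <label>User ID <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <label>Date of birth <input type="text" name="dob"></label>
  <label>Social security number <input type="text" name="ssn"></label>
  <label>Card number <input type="text" name="card_number"></label>
  <label>CVV <input type="text" name="cvv"></label>
  <input type="submit" value="Log in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collects the name attribute of every input, select and textarea element."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name.lower())


def form_fields(html: str) -> set:
    """Set of field names present on the page."""
    parser = FormFieldCollector()
    parser.feed(html)
    return set(parser.fields)


def unexpected_fields(html: str, baseline=EXPECTED_LOGIN_FIELDS) -> list:
    """Fields present on the page that the genuine page does not have, sorted."""
    return sorted(form_fields(html) - set(baseline))


def suspicious_fields(html: str, baseline=EXPECTED_LOGIN_FIELDS) -> list:
    """Unexpected fields whose names suggest they collect sensitive data."""
    return [f for f in unexpected_fields(html, baseline)
            if any(hint in f for hint in SENSITIVE_HINTS)]


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_LOGIN), ("injected", INJECTED_LOGIN)):
        print(f"{label}: unexpected={unexpected_fields(page)} "
              f"suspicious={suspicious_fields(page)}")
```

A field-name diff is one signal, not a complete defence: a web inject can also change scripts or field labels, so the baseline should cover those too, and a warning should be raised whenever a login page asks for anything beyond the credentials it has always asked for.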
Armed with this information, the DoJ says in its allegation of bank fraud, the criminals could loot accounts at will. And they did.
But organising a fraud of this size needs seed capital and day-to-day running expenses: money to set up the racket and keep the criminals on the staff happy. According to the DoJ, this is why the GOZ malware also sometimes downloaded Cryptolocker, a nasty piece of software which falsely informs victims that their computer will be rendered useless unless they pay around $750 (£450) within 72 hours.
It's pure extortion. Cryptolocker has infected 230,000 machines, of which 120,000 are in the United States.
FBI Special Agent James Craig has also published details of the UK operation. In court filings he names Yevhen Kulibaba, currently in jail, as the arranger of the “money mules” and in charge of the money laundering operation. His sidekick Yuriv Konovalenko is also locked up.
When will the scam strike again?
The good news is that law enforcement agencies have disabled the “command and control” servers spreading the viruses in the network.
The bad news is that no one knows how long it will be before the large numbers in the gang who remain outside custody get their act together and restore their scam using even more difficult to crack computer codes. This could be as little as a fortnight or as long as three months.
Computer security expert Graham Cluley says: “The great news today is that the authorities, working with ISPs and members of the computer security industry, have seized control of a large amount of the internet infrastructure being used by the GameOver Zeus and CryptoLocker threats. Unfortunately, if your computer has been compromised by GameOver Zeus you won’t be able to tell with the naked eye. You need good security software to clean up your infection, and remove affected computers from the internet until they are safe to reconnect.”
If your computer has been compromised, you should be contacted by your Internet Service Provider. You should also run the most powerful anti-malware software you can lay your hands on!
Comments
-
Check out grc.com which demonstrates any number of vulnerabilities that your system, or the internet, can show. One section, called HTTPS Fingerprints, can demonstrate how someone else can intercept encrypted traffic to deliver what would appear to be a genuine site. It also shows you how to tell a genuine site from a spoof site. As for vulnerabilities, these are mainly inherent in Windows based operating systems simply due to the internal architecture of the operating system, which was designed NOT to take advantage of some of the facilities the protected mode of the 80x86 offered. Other OS's such as OS/2, Linux and Unix, are very difficult to compromise, if not impossible. It is all down to how the OS allocates memory and recovers it. Unix allocates memory to an application, then reclaims that memory when the application terminates. If the application tries to access memory outside its boundaries, it is terminated by the OS. Everything is kept neat and tidy. Windows allocates memory but expects the application to do its own clean up when it finishes. Not all applications finish cleanly, therefore you get a phenomenon called 'memory leak', which is why you have to reboot a Windows machine when it becomes slow. Windows always has been the Achilles heel of the PC world. Even going back to the nineties, Windows 95 was a 16/32 bit hybrid, whereas OS/2 was a fully fledged 32 bit system. The problem with hybrids is that while much processing is done in 32 bit mode, some of the core processes are still running in 16 bit mode, so you have to thunk between the two processor modes, which introduces vulnerabilities. Ironically, Microsoft were in partnership with IBM when developing OS/2, but pulled out to work on their Windows NT, which was a comparable product, unlike Windows 95, which was inferior. The difference between Windows NT and OS/2 was the price. Windows NT was circa £250 while OS/2 was circa £79.
Microsoft obviously realised that they could make a killing by selling something marked up to such an extreme, especially when you consider that OS/2 was more or less bomb proof (you couldn't crash the machine). There are plenty of ways to secure both the humble PC and the Internet, yet no one wants to take the lead in this respect. ISPs could block specific traffic that is known to be used for running botnet attacks (DDoS), and enforce anti-spoofing rules which allows you to send a packet with a fake return address, or partially complete packets designed to bog down servers (handshake stallers). Unfortunately, it is down to the common person to protect their system. Install virus protection/anti-malware, change the OS to Linux or some other OS that doesn't have loopholes used for exploiting, or just plain ignore all those pleas to respond to some Nigerian bank manager. Also, watch out for additional devices being attached to your computer. Keyloggers can be tiny little USB plugs. If something new appears on your PC, beware. Mind you, new tech doesn't have to be physical. Software can also compromise your system, and just because that new bit of shareware came from a genuine download site doesn't mean that package itself is clean. Norton often complains about discovering malware inserted into installation packages, as this is the easiest way to infiltrate your system.
-
We never give out sensitive personal information that might lead to a fraud. Often people will call us on a variety of pretexts and ask us to "confirm our address" or other more sensitive information. We just say yes and wait. After a while the caller will say "Well go on then" meaning we should tell them the information. Our response is "No, you tell us what you have and we will 'confirm' or not". The watchword is to be suspicious of EVERY invitation to pass information or to "click" on an internet link or open an attachment. Electricblue is right that the standard of written English is deplorable but if you receive an e-mail from someone you don't know don't open a link or attachment at all. If you receive an e-mail from someone you do know you should know if the language used or the action requested is what you would expect from that person. The advice is "Be suspicious and unless you are SURE - Don't".
-
@QuietDave: Just remember that Paypal operates outside the UK and outside the control of the FCA for a reason. It is not subjected to the same checks and controls as the UK based banks and financial institutions are.
15 June 2014