Cybercrime takedown: Is it game over for Gozi trojan that stole millions?
The three alleged leaders of the Gozi cybercrime gang were indicted in federal court. The Gozi trojan was highly successful, but it may be too hard to operate with the alleged masterminds in jail.
"As we have seen with increasing frequency, cybercriminals' bank heists require neither a mask nor a gun, just a clever program and an Internet connection," said Preet Bharara, US attorney for Manhattan, in a statement. "This case should serve as a wake-up call to banks and consumers alike, because cybercrime remains one of the greatest threats we face, and it is not going away anytime soon."
Once the Gozi Trojan was coded, the court documents allege, Kuzmin began sharing it with other cybercriminals in exchange for a weekly fee through what he called his “76 Service.”
Through the service, Kuzmin made the data harvested by the Gozi Trojan available to criminals, who could also configure the program to steal data of their choosing – for instance from victims in a particular country. All the stolen data was stored for them on Mr. Paunescu's bulletproof servers.
Meanwhile, Kuzmin advertised his “76 Service” on Internet cybercrime forums. Finally, in 2009, Kuzmin began to do what other cyber bank Trojan-makers had done long before – sell the actual source code to Gozi. The price: $50,000 a copy.
"Where Gozi really was a trailblazer was in providing criminal-to-criminal services," says Don Jackson, a senior security researcher with the Counter Threat Unit of Dell SecureWorks in Atlanta, who first discovered Gozi in 2007.
"The 76 Service was not about selling the source code, but selling access to the infected computers,” he says, “reaching out to other criminals and providing live data feeds."
After he first unveiled the workings of Gozi in 2007, the gang backed off targeting US bank customers and focused instead on European victims. As a result, Mr. Jackson says, for about three years he had a hard time getting the attention of US law enforcement authorities, who were less concerned about attacks on European banks. That all changed a few years later, when the gang started hitting the US again, he says.
"About 2010, the Gozi gang began targeting US banks almost exclusively," Jackson says. "That's when the FBI started calling again asking for information."
Jackson says the capture of Paunescu, the alleged bulletproof-hosting service provider, was a key to ending Gozi.
Unlike Gozi, other major banking Trojans such as Zeus and SpyEye are more user-friendly for the criminals, offering point-and-click control panels, which makes those operations more resilient – and even more dangerous, Jackson says.
But because the Gozi gang’s inner circle was a tightly knit group, and because the Trojan required more technical expertise to operate, he thinks that Gozi is likely to be dead in the long run, even if a few operators of the software try to persist.
"I think in this case they've finally cut off the head of the snake," he says.