"In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online."
Beginning in 2007, those innocuous-sounding words began appearing seamlessly and immediately on the personal computer screens of thousands of online banking victims in the United States and worldwide right after they logged into their accounts.
Many were duped into entering their mother's maiden name, Social Security numbers, and other personal data into the neat little labeled boxes.
Little did they know that the moment the personal data was entered, a Trojan horse program inhabiting their personal computer immediately sent it to a computer server in California – and from there to a central command-and-control server in the Netherlands. After that, access to the stolen account data was sold to other criminals, who used it to enter the accounts and transfer out cash.
Tens of millions of dollars was stolen this way from online accounts, according to charges filed in a federal court in New York Wednesday against the alleged leading members of the Gozi Gang, cyber-bank-robber masterminds and creators of the infamous Gozi Trojan, one of the world's most notorious and malicious bank-theft software programs.
According to the US attorney for New York’s Southern District, the alleged gang leaders, three Eastern European men in US custody, played critical roles in producing and distributing the Gozi virus. They faced criminal charges ranging from conspiracy to commit bank fraud to access device fraud and computer intrusion, and maximum penalties ranging from 60 to 95 years in prison.
Since 2007, Gozi has infected at least 1 million computers worldwide, including 40,000 in the US.
Documents released in federal court Wednesday shed light on the federal takedown of the gang – including the three alleged international cybercriminals suspected of creating and distributing the Gozi virus (really a Trojan horse program that creates an invisible digital back door) – as well as the inner workings of the gang.
First, they allege that Nikita Kuzmin, a Russian national, was the mastermind who set out the technical specifications and hired a programmer called only "CC-1" to create the Gozi Trojan in 2005. Mr. Kuzmin was arrested during a visit to the US in November 2010, later pleading guilty to computer intrusion and fraud charges in May 2011.
Charged yesterday were Deniss Calovskis, a Latvian who goes by the online nickname “Miami,” who is alleged to have written some of the computer code that made the Gozi Trojan so effective. He was arrested in Latvia in November 2012. He was indicted on several conspiracy charges, including conspiracy to commit aggravated identity theft.
Also charged was Mihai Ionut Paunescu, a Romanian whose alleged hacker handle is "Virus.” Authorities say he operated a so-called bulletproof hosting service that enabled Kuzmin and other cybercriminals to distribute the Gozi Trojan, the Zeus Trojan, and other infamous malware. He was arrested in Romania in December 2012.
"As we have seen with increasing frequency, cybercriminals’ bank heists require neither a mask nor a gun, just a clever program and an Internet connection," said Preet Bharara, US attorney for Manhattan, in a statement. "This case should serve as a wake-up call to banks and consumers alike, because cybercrime remains one of the greatest threats we face, and it is not going away anytime soon.”
Once the Gozi Trojan was coded, the court documents allege, Kuzmin began sharing it with other cybercriminals in exchange for a weekly fee through what he called his “76 Service.”
Through the service, Kuzmin made the Gozi Trojan's catch available to criminals, who could also configure the program to steal data of their choosing – for instance from a particular country. All the stolen data was stored for them on Mr. Paunescu's bulletproof servers.
Meanwhile, Kuzmin advertised his “76 Service” on Internet cybercrime forums. Finally, in 2009, Kuzmin began to do what other cyber bank Trojan-makers had done long before – sell the actual source code to Gozi. The price: $50,000 a copy.
"Where Gozi really was a trailblazer was in providing criminal-to-criminal services," says Don Jackson, a senior security researcher with the Counter Threat unit of Dell Secureworks in Atlanta, who first discovered Gozi in 2007.
"The 76 Service was not about selling the source code, but selling access to the infected computers,” he says, “reaching out to other criminals and providing live data feeds."
After he first unveiled the workings of Gozi in 2007, the gang backed off targeting US bank customers and focused instead on European victims. As a result, Mr. Jackson says that for about three years he had a hard time getting the attention of US law enforcement authorities, who were less concerned about European attacks. But that all changed around a few years later when the gang started hitting the US again, he says.
"About 2010, the Gozi gang began targeting US banks almost exclusively," Jackson says. "That's when the FBI started calling again asking for information."
Jackson says the capture of Paunescu, the alleged bulletproof-hosting service provider, was a key to ending Gozi.
Unlike Gozi, other major banking Trojan malware like Zeus and SpyEye is more user-friendly for the criminals, involving point-and-click systems, thus making those operations more resilient – and even more dangerous, Jackson says.
But because the Gozi gang’s inner circle was a tightly knit group, and because the Trojan required more technical expertise to operate, he thinks that Gozi is likely to be dead in the long run, even if a few operators of the software try to persist.
"I think in this case they've finally cut off the head of the snake," he says.