British police announced Monday they have jailed 13 people for their participation in a sophisticated banking fraud gang that used malware to help steal at least 2.9 million British pounds ($4.6 million) from hundreds of people.
Police accuse the crime ring of unleashing Trojan applications to infect people's PCs and capture sensitive information, including bank account numbers, usernames, and passwords. The criminals used the stolen information to access people's bank accounts and transfer money to accounts that they controlled.
"These defendants were part of an organized network of computer criminals operating a state-of-the art international online banking fraud, through which they stole many millions of pounds from individuals and businesses in the U.K. and United States," said detective inspector Colin Wetherill from Britain's Metropolitan Police Central eCrime unit, in a statement.
[Were Your IDs, Passwords Stolen? Check PwnedList, which has amassed 5 million compromised logins since June.]
Police said the gang was led by two Ukrainian nationals, Yevhen Kulibaba, 33, and Yuriy Konovalenko (aka Pavel Klikov), 29. Both pled guilty to "conspiracy to defraud," were sentenced to serve four years and eight months in prison, and began serving those terms on Monday.
Kulibaba, the principal ringleader, was based in the Ukraine. According to police, he "was responsible for obtaining and allocating accounts to be attacked, and organizing the U.K.-based conspirators to setup and operate recipient accounts and remove funds from them." Meanwhile his right-hand man, Konovalenko, based in Britain, managed the recipient accounts, as well as the money mules hired to withdraw funds from them.
The investigation, code-named "Operation Lath," involved not only British police and prosecutors, but also the FBI and Department of Justice. "The investigation involved unprecedented levels of cooperation between the Metropolitan Police, the U.K. banks, the FBI, and other U.K. and international law enforcement agencies," said Wetherill. "We are working hard to reduce the harm caused by these activities, to put fear into the minds of those contemplating these conspiracies, and to bring such offenders to justice."
The investigation is ongoing. On Saturday, notably, British police arrested 20 more people in London and southeast England who they suspect worked with the gang. During those arrests, they recovered not only computers and mobile phone, but also banking documents and false passports. Her Majesties Revenue and Customs, which is Britain's tax authority, has also made further, related arrests.
The total amount stolen by the crime ring isn't known, but based on studying the 13 people incarcerated so far, authorities have found that at least 2.9 million British pounds ($4.6 million) was stolen between September 2009 and March 2010, although the gang had attempted to steal at least 4.3 million pounds ($6.9 million).
How can people protect themselves against banking data exploits? For starters, keep an eye on bank account statements for unusual activity, and keep PCs patched. "Keep your operating system and software patched--whatever operating system you use. Don't let malware sneak onto your PC through holes that you could already have closed," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. Notably, few attacks employ zero-day vulnerabilities that antivirus scanners wouldn't spot. Why bother, since so many people fail to patch known vulnerabilities or regularly update their antivirus scanners?
Other security essentials, according to Ducklin, are to never reuse passwords across different websites, because if hackers breach one website, they can use the stolen credentials to access people's bank accounts. Also, if a bank offers two-factor authentication, use it. Finally, only conduct online banking using trusted computers, and never from public hotspots. "Never do Internet banking from a kiosk or an Internet cafe," he said. "You can't tell what booby-traps the previous user may have left behind."