11/2/2011
11:46 AM

FBI Helps Bust $4.6 Million Cybercrime Gang

Thirteen people jailed after British police break up a Trojan-application-using banking fraud crime ring.

British police announced Monday they have jailed 13 people for their participation in a sophisticated banking fraud gang that used malware to help steal at least 2.9 million British pounds ($4.6 million) from hundreds of people.

Police accuse the crime ring of unleashing Trojan applications to infect people's PCs and capture sensitive information, including bank account numbers, usernames, and passwords. The criminals used the stolen information to access people's bank accounts and transfer money to accounts that they controlled.

"These defendants were part of an organized network of computer criminals operating a state-of-the-art international online banking fraud, through which they stole many millions of pounds from individuals and businesses in the U.K. and United States," said detective inspector Colin Wetherill from Britain's Metropolitan Police Central eCrime unit, in a statement.


Police said the gang was led by two Ukrainian nationals, Yevhen Kulibaba, 33, and Yuriy Konovalenko (aka Pavel Klikov), 29. Both pled guilty to "conspiracy to defraud," were sentenced to serve four years and eight months in prison, and began serving those terms on Monday.

Kulibaba, the principal ringleader, was based in the Ukraine. According to police, he "was responsible for obtaining and allocating accounts to be attacked, and organizing the U.K.-based conspirators to set up and operate recipient accounts and remove funds from them." Meanwhile, his right-hand man, Konovalenko, based in Britain, managed the recipient accounts, as well as the money mules hired to withdraw funds from them.

The investigation, code-named "Operation Lath," involved not only British police and prosecutors, but also the FBI and Department of Justice. "The investigation involved unprecedented levels of cooperation between the Metropolitan Police, the U.K. banks, the FBI, and other U.K. and international law enforcement agencies," said Wetherill. "We are working hard to reduce the harm caused by these activities, to put fear into the minds of those contemplating these conspiracies, and to bring such offenders to justice."

The investigation is ongoing. Notably, on Saturday British police arrested 20 more people in London and southeast England whom they suspect of working with the gang. During those arrests, they recovered not only computers and mobile phones, but also banking documents and false passports. Her Majesty's Revenue and Customs, which is Britain's tax authority, has also made further, related arrests.

The total amount stolen by the crime ring isn't known, but based on studying the 13 people incarcerated so far, authorities have found that at least 2.9 million British pounds ($4.6 million) was stolen between September 2009 and March 2010, although the gang had attempted to steal at least 4.3 million pounds ($6.9 million).

How can people protect themselves against banking data exploits? For starters, keep an eye on bank account statements for unusual activity, and keep PCs patched. "Keep your operating system and software patched--whatever operating system you use. Don't let malware sneak onto your PC through holes that you could already have closed," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. Notably, few attacks employ zero-day vulnerabilities that antivirus scanners wouldn't spot. Why bother, since so many people fail to patch known vulnerabilities or regularly update their antivirus scanners?

Other security essentials, according to Ducklin, are to never reuse passwords across different websites, because if hackers breach one website, they can use the stolen credentials to access people's bank accounts. Also, if a bank offers two-factor authentication, use it. Finally, only conduct online banking using trusted computers, and never from public hotspots. "Never do Internet banking from a kiosk or an Internet cafe," he said. "You can't tell what booby-traps the previous user may have left behind."
