BOSTON: Microsoft Corp and the FBI, aided by authorities in more than 80 countries, have launched a major assault on one of the world’s biggest cybercrime rings, believed to have stolen more than $500m from bank accounts over the past 18 months.
Microsoft said its Digital Crimes Unit on Wednesday successfully took down at least 1,000 of an estimated 1,400 malicious computer networks known as the Citadel Botnets.
Citadel infected as many as 5 million PCs around the world and, according to Microsoft, was used to steal from dozens of financial institutions, including: American Express, Bank of America, Citigroup, Credit Suisse , eBay’s PayPal, HSBC , JPMorgan Chase, Royal Bank of Canada and Wells Fargo.
While the criminals remain at large and the authorities do not know the identities of any ringleaders, the internationally coordinated take-down dealt a significant blow to their cyber capabilities. “The bad guys will feel the punch in the gut,” said Richard Domingues Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit.
Botnets are armies of infected personal computers, or bots, which run software forcing them to regularly check in with and obey “command and control” servers operated by hackers. Botnets are typically used to commit financial crimes, send spam, distribute computer viruses and attack computer networks.
Citadel is one of the biggest botnets in operation today. Microsoft said its creator bundled the software with pirated versions of the Windows operating system, and used it to control PCs in the United States, Western Europe, Hong Kong, India and Australia.
The US Federal Bureau of Investigation said it is working closely with Europol and other overseas authorities to try to capture the unknown criminals. The FBI has obtained search warrants as part of what it characterized as a “fairly advanced” criminal probe.
“We are upping the game in our level of commitment in going after botnet creators and distributors,” FBI Assistant Executive Director Richard McFeely said in an interview. “This is a more concerted effort to engage our foreign partners to assist us in identifying, locating and — if we can — get US criminal process on these botnet creators and distributors.”
Microsoft has filed a civil lawsuit in the US District Court in Charlotte, North Carolina against the unknown hackers and obtained a court order to shut down the botnets. The complaint, unsealed on Wednesday, identifies the ringleader as John Doe No 1, who goes by the alias Aquabox and is accused of creating and maintaining the botnet.
Boscovich said investigators are trying to determine Aquabox’s identity and suspect he lives in eastern Europe and works with at least 81 “herders,” who run the bots from anywhere in the world.
The Citadel software is programmed so it will not attack PCs or financial institutions in Ukraine or Russia, likely because the creators operate in those countries and want to avoid provoking law enforcement officials there, Microsoft said.
According to Microsoft, Citadel was used to steal more than $500m from banks in the United States and abroad, but the company did not specify losses at individual accounts or firms.
The American Bankers Association, one of three financial industry groups that worked with Microsoft, said any success in reducing the number of active Citadel Botnets will reduce future losses incurred by banks and their customers.
Microsoft’s team of digital detectives, who are based at corporate headquarters in Redmond, Washington, have been involved in seven efforts to attack botnets since 2010. Wednesday’s marked its first collaboration with the FBI.
The software maker sought help from the FBI about 10 days ago. At that time the agency told Microsoft that it had already done significant work on a criminal probe into the Citadel Botnets, the FBI’s McFeely said.
Microsoft said it and the FBI are working with law enforcement and other organizations in countries including: Australia, Brazil, Ecuador, Germany, Holland, Hong Kong, Iceland, India, Indonesia, Spain and the United Kingdom.
Of the more than 1,000 botnets that were shut down on Wednesday, Microsoft said 455 were hosted in 40 data centers in the United States. The rest were located in dozens of countries overseas. Boscovich said the data center operators typically are not aware that their servers are being used to run botnets.
Cyber criminals typically infect machines by sending spam emails containing malicious links and attachments, and by infecting legitimate websites with computer viruses that attack unsuspecting visitors. Some bot herders rent or sell infected machines on underground markets to other cyber criminals looking to engage in a wide variety of activities.
The Citadel software disables anti-virus programs on infected PCs so they cannot detect malicious software. It surfaced in early 2012 and is sold over the Internet in kits that cost $2,400 or more. Boscovich said he believes that Aquabox also gets a percentage of money stolen by his customers using Citadel.
Reuters
