Social networking patterns help snag bank fraud suspects

Officials were able to identify likely perpetrators by mapping their Facebook friends, but their scattered geography and constantly changing computer locations make prosecutions tricky.

The hardest part of untangling the organized cyber crime ring behind the password-stealing Zeus banking Trojan is not the malicious code but the thieves' scattered locations, FBI officials said Wednesday afternoon. They drew that conclusion from one successful operation last fall that led to the arrest of about 92 people suspected of using the Trojan to steal $70 million from bank accounts.

Federal officials and private sector researchers gathered some clues by identifying "friends" of known offenders on the social networking service Facebook and also by partnering with law enforcement agencies in the Netherlands, United Kingdom and Ukraine to nail several of the suspects.

The perpetrators targeted organizations with malicious emails that infected machines with the Zeus Trojan, enrolling them in a botnet from which the hackers could remotely pilfer sensitive personal information, investigators said. Once a machine was infected, employees who logged on to their real financial accounts would be prompted with questions that the genuine Chase or Bank of America websites do not routinely ask, such as, "What is your Social Security number?"
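Zeus produces those extra questions by rewriting the bank's legitimate page inside the victim's browser (a "web inject"), driven by a text config that names a URL and the HTML to splice in. The following is an added example, not code from the article or the investigators: it parses a config in the format of the Zeus webinjects.txt file, applies one rule to a constructed bank login form, and then runs the check a bank's fraud team or a client-side integrity script could use, flagging any form field the real site never serves. The bank hostname, the login HTML and the injected field are all constructed for the example.

```python
"""Added example (not from the article or the investigators): a Zeus-style
browser web inject adding a Social Security number field to a genuine bank
login page, and a page-integrity check that flags the extra field.
Config grammar follows Zeus webinjects.txt; all sample data is constructed."""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_pattern: str   # glob the bot matches against the requested URL
    flags: str         # e.g. "GP": apply to GET and POST responses
    before: str = ""   # pattern located in the page; inject goes after it
    inject: str = ""   # HTML the bot splices in
    after: str = ""    # pattern ending the replaced region (may be empty)


def parse_webinjects(text):
    """Parse a webinjects.txt-style config into WebInject rules."""
    rules, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            rules.append(WebInject(parts[1], parts[2] if len(parts) > 2 else "G"))
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            setattr(rules[-1], section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _wild(pattern):
    """'*' is the only wildcard in Zeus patterns; the rest is literal."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def apply_inject(rule, url, html):
    """Rewrite the page as the bot does inside the browser: the region
    between data_before and data_after is replaced with data_inject
    (a pure insertion when data_after is empty)."""
    if not fnmatch.fnmatchcase(url, rule.url_pattern):
        return html
    start = 0
    if rule.before:
        m = re.search(_wild(rule.before), html, re.S)
        if not m:
            return html
        start = m.end()
    end = start
    if rule.after:
        m = re.search(_wild(rule.after), html[start:], re.S)
        if not m:
            return html
        end = start + m.start()
    return html[:start] + rule.inject + html[end:]


INPUT_NAME = re.compile(r"<input\b[^>]*\bname=[\"']([^\"']+)[\"']", re.I)


def unexpected_fields(html, expected):
    """Form fields in the rendered page that the bank never serves: the
    fingerprint of an inject, since the real site never asks for them."""
    return set(INPUT_NAME.findall(html)) - set(expected)


# Constructed sample inputs: a one-rule config and a minimal login form.
CONFIG = """
set_url https://login.example-bank.test/* GP
data_before
name="password"*</div>
data_end
data_inject
<div><label>Social Security number</label><input type="text" name="ssn"></div>
data_end
data_after
data_end
"""

PAGE = """<form method="post" action="/auth">
<div><label>User ID</label><input type="text" name="userid"></div>
<div><label>Password</label><input type="password" name="password"></div>
<button>Sign in</button>
</form>"""

EXPECTED_FIELDS = {"userid", "password"}


def demo(url="https://login.example-bank.test/signin"):
    """Return the page as the victim's browser renders it, plus the
    fields the integrity check flags."""
    tampered = PAGE
    for rule in parse_webinjects(CONFIG):
        tampered = apply_inject(rule, url, tampered)
    return tampered, unexpected_fields(tampered, EXPECTED_FIELDS)
```

Calling `demo()` returns the login form with the SSN field spliced in after the password row, and `{"ssn"}` as the flagged field; the same check over the untouched page returns an empty set. The point for defenders is that the bank's server never sees the injected field, so the check has to run where the tampering happens, in the browser or via a monitored canary session, rather than in server-side logs.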

The bank-account-draining scheme has been hard to prosecute because the instigators are thousands of geographically dispersed hackers, as well as U.S.-based mules who transfer the cash overseas, said Michael Eubanks, assistant legal attaché for the FBI in Bucharest, Romania. He and other researchers active in Operation Trident Breach spoke at a government contractor conference about the tactics they have employed since May 2009 to weaken the Zeus botnet.

Eubanks, a former computer programmer, said the hackers' code -- for sale on the Internet -- is not very sophisticated, but they excel at adding layers of complexity to their physical operations.

"All of these computers are located all over the world and if we want the evidence to put this case together it becomes quite a challenge," he said. "If we arrest 92 people, I would guess that less than six are actually guys that are very skilled. This is basically organized crime [where the strategy is,] how do you move the money? How do you move those credentials?"

Unlike the Coreflood botnet, which the FBI disabled in April by seizing its command-and-control servers and using them to send the infected machines a command to stop running, the Zeus command-and-control servers frequently change Web addresses, or domains, which makes them difficult to shut down, FBI Special Agent Dean Kinsman said in an interview with Nextgov.

"The problem with Zeus is there are so many different domains," he said.

But the FBI and its far-flung partners were able to partially disrupt Zeus last fall by mapping the suspects' social circles.

Researchers developed a computer program that harvested the Facebook friends of known perpetrators and shared the findings with the FBI, said Gary Warner, a computer forensics professor at University of Alabama at Birmingham who led the effort.

"Common Facebook friends were used as leads for investigations," he explained.
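The lead-generation step Warner describes reduces to link analysis over harvested friend lists: accounts that appear on the friend lists of several known suspects are worth a closer look, and the more suspects they connect, the higher they rank. The block below is an added example, not the program Warner's group wrote; the friend lists are constructed, and a real run would feed in lists harvested from the suspects' public profiles. It also shows the pairwise overlap between suspects and how the lead set is re-ranked once a lead is confirmed and their own friend list is added.

```python
"""Added example (not the investigators' program): turning harvested friend
lists into investigative leads by finding accounts that are friends with
more than one known suspect. All names and friend lists are constructed."""
from collections import defaultdict
from itertools import combinations

# Constructed sample: known suspect -> accounts on that suspect's friend list.
FRIENDS = {
    "suspect_a": {"mule_x", "dev_y", "cousin_a", "uncle_a"},
    "suspect_b": {"mule_x", "dev_y", "school_b", "suspect_c"},
    "suspect_c": {"dev_y", "mule_z", "suspect_b", "school_b"},
}


def links_to_known(friends, known):
    """Map every non-suspect account to the set of known suspects whose
    friend lists it appears on."""
    links = defaultdict(set)
    for suspect in known:
        for account in friends.get(suspect, ()):
            if account not in known:
                links[account].add(suspect)
    return dict(links)


def rank_leads(friends, known=None, min_links=2):
    """Accounts linked to at least `min_links` known suspects, best first,
    ties broken by name so the output is stable.
    Returns [(link_count, account, frozenset(linked suspects)), ...]."""
    known = set(friends) if known is None else set(known)
    links = links_to_known(friends, known)
    leads = [(len(s), a, frozenset(s)) for a, s in links.items() if len(s) >= min_links]
    return sorted(leads, key=lambda t: (-t[0], t[1]))


def suspect_overlap(friends):
    """Pairwise shared-friend count and Jaccard similarity between known
    suspects; high overlap suggests the pair belong to the same crew."""
    out = {}
    for a, b in combinations(sorted(friends), 2):
        shared = friends[a] & friends[b]
        union = friends[a] | friends[b]
        out[(a, b)] = (len(shared), round(len(shared) / len(union), 3) if union else 0.0)
    return out


def promote(friends, known, confirmed, new_friend_list):
    """Once a lead is confirmed as a suspect, add their harvested friend
    list to the graph and re-rank the remaining leads."""
    grown = dict(friends)
    grown[confirmed] = set(new_friend_list)
    return rank_leads(grown, set(known) | {confirmed})
```

On the sample data `rank_leads(FRIENDS)` puts `dev_y` first (linked to all three suspects) and ties `mule_x` with `school_b` at two links each. That tie is the caveat a practitioner should keep in mind: a shared schoolmate scores the same as a shared money mule, which is why the output is a list of leads to investigate and not evidence of anything by itself.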

The federal government probably spent about $3 million on staffing and travel to take down many people accountable for the $70 million heist, said Paul Joyal, a security consultant at National Strategies Inc. The crooks "were looking at small banks and municipal governments that don't have the wherewithal to defend themselves and have good amounts of cash," he said.

"The important thing to note is that all antivirus [software] sucks," Warner added. Three of the 43 antivirus products his group tested flagged the Zeus sample as malicious; the other 40 missed it. Panda Security made one of the three that caught it, but Warner could not recall the others.

Operation Trident Breach should not be confused with Operation Trident Tribunal, an April FBI bust in which the feds partnered with nearly a dozen countries to nab lawbreakers who made $74 million by installing "scareware" onto victims' computers and then tricking them into purchasing fake security software. Kinsman said during the interview that they are different investigations that happen to include the same Ukrainian emblem, the trident, in their nicknames.
