Zeus Arrests Won't End Fraud

Experts: Law Enforcement Won a Battle, Not the War
Authorities in the U.S. and Europe last week made a sweeping set of arrests, disrupting a large-scale, international cybercrime operation tied to the malware called "Zeus."

U.S. officials have charged 92 suspects believed to have been involved in cyber attacks that stole $70 million from bank accounts over the last four years. Meanwhile, authorities in London arrested 19 people who allegedly stole more than $9 million in just over three months using the same malware. Police in the Ukraine arrested five suspects on September 30.

But will 116 arrests make a dent in the international banking fraud being perpetrated via Zeus? Don't get your hopes up, say industry experts.

"While these arrests may make some think twice," says Robert Siciliano, an identity theft expert and McAfee consultant, "the vast majority of criminal enterprises will keep pursuing the millions to be made from flawed security systems."

Operation Trident Breach

Last week's arrests are part of an international investigation, called "Operation Trident Breach," that began in May 2009, when FBI agents in Omaha, Neb., were alerted to fraudulent ACH payments made to 46 different bank accounts. The FBI agents soon realized the scope of the crime, and the agency partnered with local, state and federal partners, cybercrime task forces, working groups, and foreign authorities in the Netherlands, Ukraine and the United Kingdom.

The cybercriminals' targets in the U.S. were small and medium businesses, municipalities, churches and individuals. They perpetrated their crimes by infecting their targets' computers with a version of the Zeus botnet. The malware captured the victims' banking credentials, including passwords, account numbers and other data used to log into online banking accounts. This scheme resulted in the attempted theft of $220 million, with actual losses of $70 million from victims' bank accounts.

Expect to see more arrests like these, says David Ostertag, global investigations manager at Verizon Business Investigative Response. "We're going to see over the next year or so more law enforcement activity and arrests around Zeus," says Ostertag. As a forensic researcher, Ostertag says he has been chasing Zeus since it first appeared in 2004.

Making a Dent In Cyber Crime?

With these arrests here and abroad, can businesses and financial institutions go back to work as usual and not have to worry about Zeus infecting their customers' computers? The answer is resoundingly "no," says Branden Williams, director of the Security Consulting Practice at RSA, the security division of EMC. "Zeus's use may decline initially, but there are thousands in line behind these arrested who are willing to pick up the task."

As Tom Wills, senior analyst at Javelin Strategy and Research, says: This is not a war that has been won. "Law enforcement has won an important battle here," Wills says. "But unless the weed was pulled out by the roots (i.e. the capture of the ringleaders), I expect to see them back at work soon."

Shane Sims, director, Forensic Services practice at PwC U.S., says arresting the money mules should result in a temporary dip in the upward spike of ACH-related frauds. However, he points out that these international hacker crews are like traditional organized crime groups. "If you don't dismantle the entire crime family, the criminal activities will continue. New money mules will be recruited, bank customers' computers will continue to get compromised, and fraudulent ACH currency movement will continue."

More Effort Needed

In the international investigation Operation Trident Breach, authorities say they had the widest and most far-reaching cooperation to date with other countries' authorities. But industry experts still question whether enough has been done to track and catch these criminals.

Javelin's Wills says authorities in countries where banks and customers tend to be victimized (North America, Europe, Australia and New Zealand) are doing the best they can with limited resources. One problem, Wills says, is that in the Eastern European and Asian countries where the fraud ringleaders tend to operate, the legal infrastructure is not very conducive to investigating and prosecuting the perpetrators. "We can't count on that changing any time soon, so the best strategy in the victim countries is to practice proactive security," Wills says. "This means a greater focus on adding layers of security where the compromise takes place - in customers' computers and mobile devices."

The level of foreign cooperation hinges on the realization by other countries that the U.S. is vulnerable to these types of crime. "International relations have improved due to the fact if the U.S. is vulnerable to this, then globally others are that much more vulnerable. It's like dominoes, if we fall, they all go down," says Siciliano. One drawback he sees, despite federal authorities doing their best work, is that "They are up against an army of criminals who they will probably never have the means to stop due to how few law enforcers can investigate suspicious activity reports versus how many criminals are cracking."

The amount of work done by authorities in Operation Trident Breach isn't trivial. Hundreds of hours and months of work went into bringing down this one gang. Tracing money transfers across the globe, obtaining and serving subpoenas and search warrants, collecting and analyzing thousands of victim computers, reviewing paper records, sharing investigative findings with domestic and international authorities - this is all hard work, says Sims. "But to inspire international authorities to repeat these actions is an amazing accomplishment in the never-ending fight to combat cybercrime."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
