University professor helps FBI crack $70 million cybercrime ring

Wed Mar 21, 2012 12:14 PM EDT.

It was a crime of staggering sophistication by computer hackers who figured out a new way to get rich.

In a case that became known as Trident Breach, the hackers stole $70 million from the payroll accounts of some 400 American companies and organizations – all from the safety of their homes in Eastern Europe.

“I think it’s the perfect definition of organized crime,” said FBI Executive Assistant Director Shawn Henry. “It’s very well organized. It’s very well-structured. It requires many people operating in unison, in a collaborative way.”

At the beginning of 2008, the group of hackers compromised hundreds of thousands of Americans computers using a malicious computer “Trojan” bug called ZeuS. When computer users clicked on certain attachments and e-mail links, ZeuS infected their computers.

ZeuS is designed to zero in on users’ bank information. For example, when a user visits a bank website, ZeuS knows; and since it is a key logger program, it records the user's keystrokes as he or she enters usernames and passwords. It then sends that information by instant text message to waiting hackers, who then have access to the compromised accounts.

Henry is one of the country’s top cybercrime fighters. He says Americans are increasingly prone to “virtual gangs” prying on people’s personal data stored on their computers.

“We have organized groups that have developed internationally where groups of people have come together, each with a very specific capability and skill, who have never met each other in the physical world, but they meet online in a collaborative way,” he said.

Henry says that the security breaches have the potential to be more than just criminal acts. They could pose a national security risk.

“There are foreign intelligence services that are aggressively pursuing American technology. They’re aggressively pursuing American strategy. They’re looking at the American military, the American consumer, the American corporations, research and development organizations, laboratories, educational facilities,” Henry said. “The amount and value of data that is on the network is at an unprecedented level. Our adversaries know that that data is there. It’s information and information is valuable."

Money Mules Help Hackers Get $70 Million

In the Trident Breach case, the hackers were able to get their hands on the cash by turning people into money mules.

Beginning in late 2008, they created some 3000 money mules, many of them unwitting Americans, by luring them into work-at-home jobs requiring "employees" to open bank accounts.
--------------------------------------------------------------------------------

“The first money mule activity we started seeing was people who would receive an email saying, ‘You can get a work-at-home job’ and the work-at-home job would be something like transaction manager for an international company,” said Prof. Gary Warner of the University of Alabama at Birmingham, who teaches a program that combines computer forensics and justice studies.

Warner is also a member of the little-known FBI-affiliated group called InfraGard, comprising some 50,000 members across the United States who keep an eagle eye on U.S . critical infrastructure: power plants, water supply, security and financial services…and the internet. Warner said the hackers transferred cash from business payroll-type "ACH" (Automated Clearing House) accounts to the mule accounts and the mules sent the cash by Western Union or MoneyGram to Eastern Europe, taking eight or 10 percent commission.

Warner said that when the banks started to get wise to the hackers’ work-at-home schemes, and set up roadblocks, the hackers then recruited dozens of students, mainly from southern Russia, to be a new breed of money mule.

“It’s still a little gray whether the students who were recruited knew that they were being recruited for crime,” Warner said.

The hackers obtained fake passports for the students, U.S. J1 work/study visas, and packed their new mules off to the United States. The students opened multiple bank accounts, mainly in the New York area, where they received stolen cash. Then, just as the mules before them had, they wired the cash back to their bosses.

University Professor Helps FBI Crack Cybercrime Case

So stealthy was their ZeuS operation, neither the hackers nor the mules had counted on getting caught. But, using complex data mining techniques, Prof. Warner established links between ZeuS-infected computers and traced the origins of the mass infection to Ukraine; and many of the hackers and their mules were caught.

But 18 mules remained at large in the United States. And after the FBI published a wanted poster of the students, Warner’s students began using what they’d learned in class to track the criminals.

“So the students used the techniques we had taught them during investigating online crime [class] and began crawling Facebook pages and VKontakte, which is a Russian version similar to Facebook and were able to quickly identify profile pages of almost all of them, at-large mules,” Warner said.

Warner’s students discovered one of the students-turned-mules had brazenly posted pictures of herself with a wad of hundred-dollar bills. Another had posted a picture of himself dressed in an “I ❤ New York” top, arms aloft, celebrating in a bar with his friends – some of whom turned out to be other money mules. And another was pictured standing next to the new car he has presumably just bought.

Though all the mules – except one – were arrested, that does not necessarily mean the end of the money mules, says Gary Warner.

“ZeuS infections are rampant still today. There are probably millions of computers in the United States that have active Zeus on their machines right now,” Warner said.

Editor’s Note: Richard Engel’s full report, 'Easy Money,' airs Wednesday, March 21 at 10 pm/9 c on Rock Center with Brian Williams.

Rock Center with Brian Williams - University professor helps FBI crack $70 million cybercrime ring