  1. #1
    Senior Member JohnDoe2's Avatar
    Join Date
    Aug 2008
    Location
    PARADISE (San Diego)
    Posts
    99,040

    Microsoft, FBI take aim at global cyber crime ring

    Exclusive: Microsoft, FBI take aim at global cyber crime ring

    By Jim Finkle | Reuters – 1 hr 56 mins ago


    BOSTON (Reuters) - Microsoft Corp and the FBI, aided by authorities in more than 80 countries, have launched a major assault on one of the world's biggest cyber crime rings, believed to have stolen more than $500 million from bank accounts over the past 18 months.
    Microsoft said its Digital Crimes Unit on Wednesday successfully took down at least 1,000 of an estimated 1,400 malicious computer networks known as the Citadel Botnets.
    Citadel infected as many as 5 million PCs around the world and, according to Microsoft, was used to steal from dozens of financial institutions, including: American Express, Bank of America, Citigroup, Credit Suisse, eBay's PayPal, HSBC, JPMorgan Chase, Royal Bank of Canada and Wells Fargo.
    While the criminals remain at large and the authorities do not know the identities of any ringleaders, the internationally coordinated take-down dealt a significant blow to their cyber capabilities.
    "The bad guys will feel the punch in the gut," said Richard Domingues Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit.
    Botnets are armies of infected personal computers, or bots, which run software forcing them to regularly check in with and obey "command and control" servers operated by hackers. Botnets are typically used to commit financial crimes, send spam, distribute computer viruses and attack computer networks. (See graphic http://link.reuters.com/vem68t)
    Citadel is one of the biggest botnets in operation today. Microsoft said its creator bundled the software with pirated versions of the Windows operating system, and used it to control PCs in the United States, Western Europe, Hong Kong, India and Australia.
    The U.S. Federal Bureau of Investigation told Reuters it is working closely with Europol and other overseas authorities to try to capture the unknown criminals. The FBI has obtained search warrants as part of what it characterized as a "fairly advanced" criminal probe.
    "We are upping the game in our level of commitment in going after botnet creators and distributors," FBI Assistant Executive Director Richard McFeely said in an interview.
    "This is a more concerted effort to engage our foreign partners to assist us in identifying, locating and - if we can - get U.S. criminal process on these botnet creators and distributors."
    Microsoft has filed a civil lawsuit in the U.S. District Court in Charlotte, North Carolina against the unknown hackers and obtained a court order to shut down the botnets. The complaint, unsealed on Wednesday, identifies the ringleader as John Doe No. 1, who goes by the alias Aquabox and is accused of creating and maintaining the botnet.
    Boscovich said investigators are trying to determine Aquabox's identity and suspect he lives in eastern Europe and works with at least 81 "herders," who run the bots from anywhere in the world.
    The Citadel software is programmed so it will not attack PCs or financial institutions in Ukraine or Russia, likely because the creators operate in those countries and want to avoid provoking law enforcement officials there, Microsoft said.
    FINDING 'JOHN DOE'
    According to Microsoft, Citadel was used to steal more than $500 million from banks in the United States and abroad, but the company did not specify losses at individual accounts or firms.
    The American Bankers Association, one of three financial industry groups that worked with Microsoft, said any success in reducing the number of active Citadel Botnets will reduce future losses incurred by banks and their customers.
    "I am hopeful we have a model that will allow us to get closer and closer to those who are the ultimate perpetrators of these crimes," said ABA Vice President Doug Johnson.
    In the United States, banks typically reimburse consumers when they are victims of cyber crime, but they may require business customers to absorb those losses, the ABA said.
    Microsoft's team of digital detectives, who are based at corporate headquarters in Redmond, Washington, have been involved in seven efforts to attack botnets since 2010. Wednesday's marked its first collaboration with the FBI.
    The software maker sought help from the FBI about 10 days ago. At that time the agency told Microsoft that it had already done significant work on a criminal probe into the Citadel Botnets, the FBI's McFeely said.
    Microsoft said it and the FBI are working with law enforcement and other organizations in countries including: Australia, Brazil, Ecuador, Germany, Holland, Hong Kong, Iceland, India, Indonesia, Spain and the United Kingdom.
    Of the more than 1,000 botnets that were shut down on Wednesday, Microsoft said 455 were hosted in 40 data centers in the United States. The rest were located in dozens of countries overseas.
    Technicians from Microsoft, accompanied by U.S. Marshals, visited two U.S. data centers in Scranton, Pennsylvania and Absecon, New Jersey to collect forensic evidence.
    Boscovich said the data center operators typically are not aware that their servers are being used to run botnets. "There is no responsibility on their part to see what is in the pipes," he said.
    DEJA ZEUS
    It was the second time Microsoft's Digital Crimes Unit sought to bring down a large number of botnets at once. In March 2012 it targeted hundreds of Zeus botnets, which use similar software and infrastructure as Citadel, though they were not as sophisticated.
    That effort succeeded in shutting just a quarter of the approximately 800 targeted Zeus command and control servers, according to Microsoft. Zeus is not controlled by a single developer like Citadel, which made it harder for investigators to track and knock out herders.
    Cyber criminals typically infect machines by sending spam emails containing malicious links and attachments, and by infecting legitimate websites with computer viruses that attack unsuspecting visitors. Some bot herders rent or sell infected machines on underground markets to other cyber criminals looking to engage in a wide variety of activities.
    The Citadel software disables anti-virus programs on infected PCs so they cannot detect malicious software. It surfaced in early 2012 and is sold over the Internet in kits that cost $2,400 or more.
    Boscovich said he believes that Aquabox also gets a percentage of money stolen by his customers using Citadel.
    These kits allow herders to easily set up and run botnets on pirated versions of Microsoft's Windows XP operating system, according to court documents. The kits include modules for infecting PCs, as well as stealing from online banking sites, sending spam and engaging in other types of cyber crime.
    Some Citadel Botnet operators have used infected machines to disrupt bank websites in so-called distributed denial of service attacks, hoping to distract those firms from thefts that are occurring or have occurred, according to the complaint.
    Aquabox provided herders a secret forum where they could suggest new features for the Citadel kits, as well as exchange ideas on best practices in botnet herding, Microsoft said.

    http://news.yahoo.com/exclusive-microsoft-fbi-aim-global-cyber-crime-ring-000013822.html
    NO AMNESTY

    Don't reward the criminal actions of millions of illegal aliens by giving them citizenship.



  2. #2
    Senior Member JohnDoe2's Avatar
    Join Date
    Aug 2008
    Location
    PARADISE (San Diego)
    Posts
    99,040
    Agari teams up with Microsoft financial services and others to disrupt global cybercrime ring

    Email security leader plays key role in disrupting more than one thousand botnets targeting people's online banking information and personal identities and stealing over half a billion dollars

    SAN MATEO, Calif., Jun 05, 2013 (BUSINESS WIRE) -- Agari, the leading provider of email authentication solutions that prevent cybercrime phishing, today announced it has successfully teamed up with Microsoft, financial services industry leaders FS-ISAC, NACHA, American Bankers Association, other industry partners, as well as the Federal Bureau of Investigation to break up a massive cybercrime ring which was stealing people's online banking information and personal identities. More than one thousand botnets, believed to be responsible for over half a billion US dollars in financial fraud and affecting more than five million people in over 90 countries, were disrupted by the operation. The investigation culminated June 5th with the seizure of key servers at two data hosting facilities in New Jersey and Pennsylvania, along with data and evidence from the botnets.
    Agari played a key role in the investigation and subsequent disruption by providing crucial information over the course of many months. These cyber criminals used phishing emails impersonating legitimate brands to build the botnets. Agari leveraged the terabytes of phishing data it processes every month to provide critical insights on the development and growth of these botnets to Microsoft and FS-ISAC members. These insights allowed Agari to serve as a direct declarant to the court by describing the actual damage botnets cause, as well as the methods they use to attack financial services firms and their customers worldwide.
    "This is a significant day for Agari, but more importantly, a great day for the Internet," said Patrick Peterson, Agari CEO. "Through our cooperation with Microsoft, law enforcement and others, we have seriously disrupted a cybercrime operation that has already stolen more than half a billion dollars and millions of people's personal identities and online banking information. While this certainly doesn't end the war with cybercriminals, a battle has definitely been won and we at Agari are proud to have played a pivotal role."
    Deemed as "one of the most highly sophisticated and organized cybercrime rings in existence today," the cybercriminals employed more than one thousand botnets to infect computers with Citadel malware. Once infected, the victim's keystrokes were monitored and recorded, providing access to banking and other financial accounts leading to the theft of money and other personal information. As part of the operation, Microsoft took action against 1,462 Citadel botnets in order to cut off communication between the cybercriminals and the millions of infected computers under their control. The FBI also provided information to foreign law enforcement counterparts so that they could also take voluntary action on botnet infrastructure located outside of the U.S. The FBI also obtained and served court-authorized search warrants domestically related to the botnets.
    "While we certainly celebrate today's victory, we are once again reminded just how advanced these types of attacks have become and how potentially costly and damaging they truly are," said Bill Nelson from FS-ISAC. "It underscores the need to be proactive in the ongoing battle against cybercriminals and to work together with partners like Agari to protect businesses and customers alike." Due to the size and complexity of the operation, the botnet threat has not been wiped out entirely, but it has been significantly disrupted, providing an opportunity to eliminate the malware from infected computers. Microsoft is working with Internet Service Providers and Computer Emergency Response Teams worldwide to quickly notify people with infected computers.
    For more information about the coordinated action against Citadel, visit: http://blogs.technet.com/b/microsoft...rime-ring.aspx.
    For more information about Agari's involvement in the action, visit http://www.agari.com/blog.
    About Agari, Inc.
    Agari collects terabytes of email data from sources across the Internet to create a cloud-based solution to assess, visualize, and protect against email threats to brands, such as phishing and other fraud. Today, Agari protects more than 65 percent of US consumer email traffic and processes more than 2.3 billion messages daily. The Agari Email Trust Network becomes more pervasive, intelligent, and powerful as more join Agari to protect email users, customers, brands, business models, and corporate and cyber infrastructure. Founded by the thought leaders behind Cisco's IronPort solutions, the Agari platform provides global brands with the tools needed to proactively protect brand reputation, eliminate email threats, protect customers and prevent the loss of sensitive data. Headquartered in Palo Alto, Calif., Agari is backed by Alloy Ventures, Battery Ventures, First Round Capital, and Greylock Partners. Additional information is available at http://www.agari.com.

    http://www.marketwatch.com/story/agari-teams-up-with-microsoft-financial-services-and-others-to-disrupt-global-cybercrime-ring-2013-06-05
    Last edited by JohnDoe2; 06-06-2013 at 12:02 AM.
