Russian authorities arrest operator of Carberp bank botnet

Share this article:

Russian authorities have apprehended the person believed to be behind a banking trojan botnet responsible for stealing around $4.5 million from unsuspecting victims.

The 22-year-old Russian man is accused of using a modified versions of the Carberp banking trojan to steal login details and digital signatures from compromised computers, according to a statement Friday from the Russian Interior Ministry. Authorities from “K,” the agency's anti-cyber crime division, apprehended the man at his home and confiscated computers, software and documents after a 10-month-long investigation. The suspect used the online handles “Hermes” and “Arashi,” according to the statement.

The botnet, compromised primarily of infected systems in Russia, is among the largest banking networks detected to date in the world. While the botnet has been pegged by the ministry at about six million compromised machines, analysis by Russian security firm Dr. Web indicates about 4.5 million were actually active. The botnet was responsible for one million malicious mail messages being sent out daily, and as many as 100,000 new zombies were being created each day.

“The young man was not only developing bot networks and massively distributing malicious programs, but also personally took part in stealing funds from accounts of individuals and legal entities,” according to the statement.

The infection pattern was standard for this type of operation. Users would be infected after opening malicious email messages and downloading malicious software, called “Client-Bank,” according to the statement. Once compromised, the computer would harvest login credentials to various services and transmit them to the attacker. With login credentials going to a fake phishing site instead of the actual financial sites, the attacker had the information necessary to transfer large amounts of money from victim bank accounts to accounts under his control.

Once cyber criminals have the stolen money in their accounts, the next step is to convert that to cash, Stefan Tanase, senior security researcher at Kaspersky Lab, told SCMagazine.com. And, Hermes had a number of shell companies to help him move the stolen funds around.

Hermes and his network of "money mules" – primarily based in Moscow and St. Petersburg – withdrew the stolen money from ATMs, often long before victims knew what was happening, said Tanase.

Hermes used the stolen assets to fund an extravagant lifestyle, including a "luxurious house in one of the resorts in Russia and expensive premium-class foreign cars," authorities said. The money was also being invested back into legitimate enterprises as part of a money-laundering operation.

Like its competitors Zeus and SpyEye, Carberp is available in the underground market. It is a popular choice for cyber criminals interested in going after bank accounts.

However, unlike Zeus and SpyEye, which lets anyone customize the code to create their variants, the gang that originally developed Carberp has retained control over the source code, Vitaly Kamluk, chief malware expert of Kaspersky Lab's global research and analysis team, told SCMagazine.com. Carberp is a commercial trojan, and crooks can specify its customizations before paying for it, Kamluk said.

Law enforcement has recently taken down several criminal rings that relied on Carberp. Russian police arrested six people in June and eight in March for Carberp-related online banking fraud activities.


Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

TOP COMMENTS

More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.