Two Romanian nationals were convicted in an Ohio federal court on Thursday for their roles in the Bayrob group, an organization that launched a multi-million-dollar cybercriminal operation fueled by its own proprietary malware.
Bogdan Nicolescu, 36, and Radu Miclaus, 37, were each found guilty on 21 counts for developing and spreading the Bayrob trojan, which allowed them to steal payment card information from infected victims to sell on the dark web, as well as mine cryptocurrency using their machines’ processing power.
Charges included conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft, conspiracy to commit money laundering, and wire fraud.
A Department of Justice press release says that Nicolescu, Miclaus and a third co-conspirator created the malware back in 2007 and subsequently infected victims with it via phishing campaigns: emails carrying malicious attachments that purported to be from Western Union, Norton AntiVirus (Symantec) and the IRS. The third co-conspirator, Tiberiu Danet, pleaded guilty last November.
The scheme allowed the Bayrob operators to compromise more than 400,000 computers, most of them based in the U.S. The men stole email contacts, personal information (including user names and passwords) and payment card data from these machines, while also disabling their anti-malware protections and blocking access to law enforcement websites. They also forced the compromised computers to register AOL email accounts, which they leveraged to send malspam to additional recipients, whose email addresses came from the stolen contact lists.
The Bayrob group even knew when infected users visited websites like Facebook, PayPal and eBay, and in response would redirect them to fraudulent copycat websites where victims would give away their account credentials.
In other cases, the cybercriminals injected fake pages into legitimate websites, in order to fool visitors with phony instructions.
“They placed more than 1,000 fraudulent listings for automobiles, motorcycles and other high-priced goods on eBay and similar auction sites. Photos of the items were infected with malware, which redirected computers that clicked on the image to fictitious webpages designed by the defendants to resemble legitimate eBay pages,” the DOJ release states. “These fictitious webpages prompted users to pay for their goods through a nonexistent ‘eBay Escrow Agent’ who was simply a person hired by the defendants. Users paid for the goods to the fraudulent escrow agents, who in turn wired the money to others in Eastern Europe, who in turn gave it to the defendants. The payers/victims never received the items and never got their money back.”
Symantec has previously reported that the Bayrob group may have stolen as much as $35 million from its victims. Sentencing will take place on Aug. 14.