Threat Management, Malware, Phishing

Two Romanians convicted for roles in Bayrob malware operation


Two Romanian nationals were convicted in an Ohio federal court on Thursday for their roles in the Bayrob group, an organization that launched a multi-million-dollar cybercriminal operation fueled by its own proprietary malware.

Bogdan Nicolescu, 36, and Radu Miclaus, 37, were found guilty on separate 21 counts for developing and spreading the Bayrob trojan, which allowed them to steal payment card information from infected victims to sell on the dark web, as well as mine cryptocurrency using their machines' processing power.

Charges included conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft, conspiracy to commit money laundering and wire fraud.

A Department of Justice press release says that Nicolescu, Miclaus and a third co-conspirator created the malware back in 2007 and subsequently infected victims with it via phishing campaigns featuring emails, with malicious attachments, that purported to be from Western Union, Norton AntiVirus (Symantec) and the IRS. The third co-conspirator, Tiberiu Danet, previously pleaded guilty last November.

The scheme allowed the Bayrob operators to compromise more than 400,000 computers, most of them based in the U.S. The men stole email contacts, personal information (including user names and passwords) and payment card data from these machines, while also disabling their anti-malware protections and blocking access to law enforcement websites. They also forced the compromised computers to register AOL email accounts, which they leveraged to send malspam to additional recipients, whose email addresses came from the stolen contact lists.

The Bayrob group even knew when infected users visited websites like Facebook, PayPal and eBay, and in response would redirect them to fraudulent copycat websites where victims would give away their account credentials.

In other cases, the cybercriminals injected fake pages into legitimate websites, in order to fool visitors with phony instructions.

"They placed more than 1,000 fraudulent listings for automobiles, motorcycles and other high-priced goods on eBay and similar auction sites. Photos of the items were infected with malware, which redirected computers that clicked on the image to fictitious webpages designed by the defendants to resemble legitimate eBay pages," the DOJ release states. "These fictitious webpages prompted users to pay for their goods through a nonexistent 'eBay Escrow Agent' who was simply a person hired by the defendants. Users paid for the goods to the fraudulent escrow agents, who in turn wired the money to others in Eastern Europe, who in turn gave it to the defendants. The payers/victims never received the items and never got their money back."

Symantec has previously reported that the Bayrob group may have stolen as much as $35 million from its victims. Sentencing will take place on Aug. 14.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.