In a set of coordinated investigations, federal, state and local officials filed charges this week against more than 70 defendants who allegedly used cybercrime techniques to defraud both individuals and corporations out of millions of dollars. New York County District Attorney Cyrus R. Vance, Jr., announced the indictment of 36 people in Manhattan alone. This is in addition to the 37 defendants charged by the U.S. Attorney for the Southern District of New York.
The cases filed thus far represent just a small fraction of those in the works, Joan Vollero, spokesperson for District Attorney Vance, told the E-Commerce Times.
The investigations are ongoing, and, as Vance said Thursday in announcing the charges, the individuals apprehended so far represent just the “tip of the iceberg” in an international ring that operates much like the old-style crime organizations of the mid-20th century.
Social Networking Meets the Mob
The defendants are students from outside the U.S. who were in the country on Exchange Visitor Visas. They are charged with opening bank accounts at JP Morgan Chase Bank and other financial institutions in New York and elsewhere to receive transfers from the bank accounts of identity theft victims. The students were recruited by the crime organization using social networking sites, according to Vance.
“Once the legal system has its way and these stories get told in court, we will see that the sophistication has been amazing,” Chester Wisniewski, senior security advisor with Sophos, told the E-Commerce Times.
The newer, more-organized cybercriminals are dividing their tasks into separate job descriptions with discrete teams of people involved in each step, Wisniewski explained. This type of crime is different from the hit-and-run fraud perpetrated by earlier identity thieves, in which the same person or group would typically be responsible for the fraud process from beginning to end.
Smile, You’re on Hidden Camera
The crime ring members being prosecuted in the current spate of busts have used versions of Trojans that are more sophisticated than their predecessors, said Wisniewski. Earlier spyware relied on capturing the text victims entered on their computer keyboards. However, banks, in response to the keystroke-capturing schemes present in older versions of malware such as the Zeus Trojan, have implemented visual safeguards, such as glyphs that customers must recognize and identify during sign-in.
“Newer versions of the Zeus-bot can record a video of you logging in — can actually record your screen,” said Wisniewski. Thus, if a bank customer’s visual clue is a fox, for example, a cyberthief can also identify the fox visually and gain access to the victim’s bank account.
In addition, the crime ring at the center of this week’s arrests chose its victims more specifically, Wisniewski pointed out. Although many individuals were involved, money also was stolen from a number of U.S. small businesses and medium-sized organizations such as school districts.
The crime ring, according to complaints in the dozens of cases filed so far, has its headquarters in Eastern Europe. When the Zeus Trojan captured the sign-on information for victims, money was transferred to receiving accounts controlled by co-conspirators. The receiving accounts were set up by a “money mule organization” in the U.S. These are the students on visas charged in Manhattan.
Arrests made this week in the UK likely involved those higher up in the crime organization, said Wisniewski.
The newer, more elaborate cybercrime organizations give smaller, more isolated tasks to separate groups of people spread around the world and the Internet. Thus, a particular group only performs one function and likely only knows information about its own role in the crime activity, Wisniewski explained, adding that’s why these cases are so difficult to investigate and prosecute.