Gameover Zeus: scam that could empty your bank account in a fortnight

The Gameover Zeus scam has security experts worried. Here's how it works, and why it could empty bank accounts within a fortnight.

News broke this week of the Gameover Zeus (GOZ) and Cryptolocker malware rackets which have, conservatively, defrauded computer users of over $100 million.

Victims include the materials company in Pennsylvania which lost $198,000 in a wire transfer fraud, the North American Indian tribe which lost $277,000, the Florida bank which was ripped off for $7 million and the pest control company in North Carolina, hit for $80,000.

But there are victims in many countries besides the US. In the UK, the National Crime Agency reckons the computers of more than 15,000 people here are already infected, at risk of losing millions of pounds.

The man behind the scam

The examples above are American because the United States Department of Justice (DoJ) is going after the man it alleges to be the principal perpetrator of what is probably the biggest ever computer hacking rip-off.

In court filings, the DoJ has named Evgeniy Mikhailovich Bogachev, from Anapa (a Russian Black Sea tourist resort) as the operation's mastermind. The shaven-headed 30-year-old is also known as Slavik, Lucky 12345 and Pollingsoon.

GOZ is a malicious piece of software which infiltrates the victim's computer unseen, turning the machine into part of a botnet, a network of infected computers all controlled, in this case, by Bogachev. Some computers in the network are called “proxy nodes”; these relay communication to the others. There is also a “domain generation algorithm” which creates a large and constantly changing list of internet domain names to confuse anyone trying to track the network down.
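Defenders hunt for the domain generation algorithm mentioned above by looking for lookups of domain names that no human would pick. The following is an added illustrative heuristic, not GOZ's actual algorithm or any vendor's product, run over a constructed list of DNS lookups (the gibberish names are made up):

```python
import math
from collections import Counter

# Constructed sample of DNS lookups: ordinary domains mixed with
# algorithmically generated-looking names (illustrative, not real GOZ output).
SAMPLE_LOOKUPS = [
    "www.bbc.co.uk",
    "mail.google.com",
    "lovemoney.com",
    "xkqzvprtwbdn.com",
    "jhqwtrbcvxlpm.net",
    "accounts.example.org",
    "bvkpzrqtsxmlwn.biz",
]

# Minimal list of suffixes to strip so we score only the registrable label.
COMMON_TLDS = {"com", "net", "org", "biz", "info", "co.uk"}

def shannon_entropy(text):
    """Bits of entropy per character; random-looking strings score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(domain):
    """Return the label just below the public suffix, e.g. 'bbc' for www.bbc.co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in COMMON_TLDS:
        parts = parts[:-2]          # two-part suffix such as co.uk
    elif len(parts) >= 2:
        parts = parts[:-1]          # single-part suffix such as com
    return parts[-1]

def dga_score(domain):
    """Score 0-3: long label, few vowels, high entropy each add one point."""
    label = second_level_label(domain)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    score = 0
    if len(label) >= 12:
        score += 1
    if vowel_ratio < 0.2:
        score += 1
    if shannon_entropy(label) > 3.3:
        score += 1
    return score

def suspicious_domains(lookups, threshold=2):
    """Domains worth a closer look; threshold 2 keeps short real names like 'bbc' out."""
    return [d for d in lookups if dga_score(d) >= threshold]
```

Real DGA hunting uses allow-lists and frequency data on top of this, since a three-letter brand such as bbc already scores one point here.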

GOZ intercepts sensitive details you send to and receive from your bank or other financial institution. It can then impersonate the account's real owner. This is known as the “man in the middle” tactic. But GOZ has a further clever feature: it can alter a genuine site as your browser displays it, adding extra fields. So it would appear that your bank, on what seems to be its legitimate site, is asking for your date of birth, social security number or credit card details as well as your password.

Victims give this sensitive information because they are not aware their bank site has been compromised.

Armed with this information, the DoJ says in its allegation of bank fraud, the criminals could loot accounts at will. And they did.

But organising a fraud of this size needs seed capital and day-to-day running expenses: money to set up the racket and keep the criminals on the staff happy. According to the DoJ, this is where Cryptolocker came in. The original GOZ infection would sometimes download Cryptolocker, a nasty piece of software which falsely informs victims that their computer will be rendered useless unless they pay around $750 (£450) within 72 hours.

It's pure extortion. Cryptolocker has infected 230,000 machines, of which 120,000 are in the United States.

FBI Special Agent James Craig has also published details of the UK operation. In court filings he names Yevhen Kulibaba, currently in jail, as the arranger of the “money mules” and the man in charge of the money laundering operation. His sidekick Yuriy Konovalenko is also locked up.


When will the scam strike again?

The good news is that law enforcement agencies have disabled the “command and control” servers that directed the infected machines and spread the malware through the network.

The bad news is that no one knows how long it will be before the many gang members who remain outside custody regroup and rebuild their operation with code that is even harder to crack. This could be as little as a fortnight or as long as three months.

Computer security expert Graham Cluley says: “The great news today is that the authorities, working with ISPs and members of the computer security industry, have seized control of a large amount of the internet infrastructure being used by the GameOver Zeus and CryptoLocker threats. Unfortunately, if your computer has been compromised by GameOver Zeus you won’t be able to tell with the naked eye. You need good security software to clean up your infection, and remove affected computers from the internet until they are safe to reconnect.”

If your computer has been compromised, you should be contacted by your Internet Service Provider. You should also run the most powerful anti-malware software you can lay your hands on.


Copyright © lovemoney.com All rights reserved.
