GozNym bust underlines cyber crime threat

A criminal network using GozNym malware has been shut down in an international law enforcement operation, but others are still operating, underlining the need for vigilance, warns a security expert.

Police have arrested five suspected cyber criminals and are hunting for five more in connection with a criminal operation believed to have stolen $100m from 41,000 victims using banking malware.

The news comes just days after a strategic assessment by the National Crime Agency (NCA) warned that financial trojans targeting online banking users and created by Russian language organised criminal gangs represent the biggest cyber crime threat to the UK.

The GozNym malware is one of the latest versions of the notorious Gozi money-stealing malware created by Russian cyber criminal Nikita Kuzmin, who was arrested in 2013. In 2016, he was ordered to pay $6.9m in forfeiture and restitution, but was spared additional jail time because of his cooperation with investigators during the three years he had already spent in US custody.

“This provides yet another example of how adversaries tweak known attacks to bypass legacy security solutions to reach and exploit the end user,” said Roy Rashti, cyber security expert at BitDam.

“This strategy allows cyber crime groups to operate like any successful business – with efficiency, dynamism and always staying one step ahead. That is, of course, until they get caught.”

International effort against cyber criminals

The latest arrests come as the result of an international law enforcement operation to shut down the GozNym criminal network that has been targeting mainly businesses and their financial institutions.

Criminal prosecutions have been initiated in Georgia, Moldova, Ukraine and the US, where a federal grand jury in Pittsburgh has charged 10 members of the GozNym gang with conspiracy to:

  • Infect victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
  • Use the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
  • Steal money from victims’ bank accounts and launder those funds using US and foreign beneficiary bank accounts controlled by the defendants.   

Police taking part in the operation targeting the GozNym gang conducted searches in Bulgaria, Georgia, Moldova and Ukraine. The operation also involved cooperation with law enforcement agencies in Germany and the US.

Europol, the European Agency for Law Enforcement Cooperation, as well as Eurojust, the European Union’s Judicial Cooperation Unit, supported the case.

“This operation showcases how an international effort to share evidence and initiate criminal prosecutions can lead to successful operations in multiple countries,” said Europol.

Police investigators said the GozNym network exemplified the concept of cyber crime as a service, with different criminal services such as bulletproof hosters, money mule networks, crypters, spammers, coders, organisers and technical support.

Breaking up criminal networks

The suspects advertised their specialised technical skills and services on underground, Russian-speaking online criminal forums. The GozNym network was formed when these individuals were recruited from online forums by the GozNym leader, who is being prosecuted in Georgia, along with his technical assistant.

A member of the network who encrypted GozNym malware to enable it to avoid detection by antivirus tools and protective software on victims’ computers is being prosecuted in Moldova.

Another member from Bulgaria was arrested by the Bulgarian authorities and extradited to the US in December 2016 to face prosecution in Pittsburgh. His primary role in the conspiracy was that of a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials captured by GozNym malware to access their online bank accounts and attempt to steal their money.

Several members of the network provided money-laundering services and were known as “cash-outs” or “drop masters”. These individuals, including two from Russia and one from Ukraine, provided fellow members of the conspiracy with access to bank accounts they controlled that were designated to receive stolen funds from GozNym victims’ online bank accounts.

The five Russian nationals charged by the US remain on the run. In addition to the two “drop masters”, they include the developer of GozNym malware who oversaw its creation, development, management and leasing to other cyber criminals.

Another Russian GozNym member conducted spamming operations for the mass distribution of GozNym malware through phishing emails. These were designed to appear legitimate, enticing recipients to open them and click on a malicious link or attachment, which facilitated the downloading of GozNym onto the victims’ computers.

Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the Avalanche network. The Avalanche network provided services to more than 200 cyber criminals, and hosted more than 20 different malware campaigns, including GozNym. 

The administrator’s apartment in Poltava, Ukraine, was searched in November 2016 during a German-led operation to dismantle the network’s servers and other infrastructure. Through the coordinated law enforcement operation, this alleged cyber criminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network. 

“As happy as we all should be that these particular criminals were brought to justice, we should keep in mind that it doesn’t end there,” said Rashti.

“Many other cyber crime groups are trying to steal or extort money from innocent victims all around the world. Some develop new malware, some prefer to tweak past attacks. 

“Our side of this fight is to make sure that we take every necessary precaution to ensure we do not get infected and support those around us in doing the same.”
