
Three Charged in Worldwide Gozi Banking Malware Operation

Three men accused of infecting more than a million computers worldwide with the Gozi banking Trojan and looting online banking accounts are in custody, U.S. law enforcement officials said Wednesday.

Mihai Ionut "Virus" Paunescu, of Romania, Deniss "Miami" Calovskis, of Latvia, and Nikita Vladimirovich Kuzmin, of Russia, were charged with computer intrusion, conspiracy to commit bank and wire fraud, and access device fraud, according to court documents unsealed by the U.S. Attorney's office for the Southern District of New York on Jan. 23. The three men represent the Trojan's supply chain, with the creator, developer, and the distributor: Kuzmin allegedly designed the Trojan, Calovskis allegedly modified it, and Paunescu was allegedly responsible for distributing it.

Kuzmin was actually arrested in November 2010 when he arrived in the United States via Thailand, and he pleaded guilty in May 2011, U.S. Attorney Preet Bharara said during a press conference today. Kuzmin has spent the last two years cooperating with law enforcement. Calovskis was arrested in Latvia last November and Paunescu was arrested in Romania in December. The U.S. is currently seeking the extradition of both men.

"These men ran a modern-day bank robbery ring … Their bank heists required neither a mask nor a gun," Bharara said.

Authorities believe the Gozi Trojan infected at least 40,000 computers in the United States and cost victims tens of millions in losses and damages. The gang also infected 190 computers at the National Aeronautics and Space Administration (NASA), causing $40,000 in damages, according to the indictments. In the NASA attack, the Trojan extracted login credentials for a NASA email account, an eBay login, Web histories, and Google chat messages. Neither strategic information nor anything related to NASA's operations was compromised.

Investigators have so far collected 51 computer servers and other equipment with approximately 250 million MB of data, according to the Justice Department. One Dutch-based command and control server used by the Gozi Trojan contained more than 3,000 usernames for accounts at seven U.S. banks. In one incident last February, the gang stole more than $200,000 from a single victim's bank account, according to court documents.

Prosecutors believe the sophisticated cyber-scam was active from 2005 to March 2012, with the malware originally targeting banks in Europe. In 2010, the gang began targeting one major U.S. bank based in New York.

The Gozi Trojan was "stealing personal bank account information (such as account numbers, usernames, and passwords) from computers across Europe on a vast scale, while remaining virtually undetectable in the computers it infected," the indictment said. The malware was delivered in a variety of ways, but most commonly embedded in malicious PDF documents.

Kuzmin, the alleged chief architect of the Gozi Trojan, is accused of hiring a "sophisticated computer programmer" to actually write the Gozi Trojan based on the technical specifications he came up with back in 2005, according to his indictment. "After months of work, (the unnamed programmer) completed work on the source code for the Gozi Virus and provided it to Kuzmin," who in turn rented the virus out to other criminals on a weekly basis. Kuzmin allegedly named his lease operation "76 Service." Customers could access the stolen data from infected computers on 76 Service servers for the duration of the rental period, according to the indictment.

In 2008, Kuzmin stopped renting out the malware and sold the source code to a group of criminals for $50,000 plus a share of future profits. The group remains unnamed in the indictments.


Paunescu operated a bulletproof hosting service using computers located in Romania, the U.S. and other countries. Customers could rent servers and IP addresses to send out malicious phishing emails, to act as command-and-control servers to control infected machines and store data, and to launch distributed denial of service attacks. Paunescu provided the infrastructure to distribute Gozi, Zeus, and SpyEye banking Trojans, according to his indictment.

Kuzmin worked with various developers to refine and update the Trojan's code over time. Calovskis, a software programmer, provided Web injects for the Gozi Trojan. Web injects alter how banking websites appear on infected computers, for instance by displaying extra fields and text. A Web inject could, for example, add extra text fields to trick users into submitting more personal information, such as a Social Security number, phone number, or even date of birth.
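Because a Web inject rewrites the page inside the victim's browser rather than on the bank's server, the bank knows exactly which fields its own login form should contain, and any field beyond that set is a signal worth reporting. The following is an added defensive example, not code from the article or from any Gozi sample; the form field names and the HTML fragments are constructed for illustration.

```javascript
// Added example: detect form fields a client-side inject may have added to a
// banking login page, by comparing the rendered form against the set of fields
// the bank itself serves. Field names below are constructed for this example.

const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Pull the `name` attribute of every <input> in an HTML fragment. Regex-based so
// the example runs in plain Node without a DOM; an in-page script would instead
// enumerate document.querySelectorAll("form input") and post the result home.
function extractInputNames(html) {
  const names = [];
  const inputRe = /<input\b[^>]*>/gi;
  let tag;
  while ((tag = inputRe.exec(html)) !== null) {
    const nameMatch = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(tag[0]);
    if (nameMatch) names.push(nameMatch[1].toLowerCase());
  }
  return names;
}

// Fields present in the rendered form but absent from the expected set.
// A non-empty result on a login page is a strong indicator of an inject.
function findInjectedFields(renderedHtml, expected = EXPECTED_LOGIN_FIELDS) {
  return extractInputNames(renderedHtml).filter((name) => !expected.has(name));
}

// Constructed sample: the form as served, and the same form after an inject
// added the kind of extra fields (SSN, phone, date of birth) the article describes.
const CLEAN_FORM = `
<form id="login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="token-placeholder">
</form>`;

const INJECTED_FORM = `
<form id="login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ssn" placeholder="Social Security Number">
  <input type="text" name="phone">
  <input type="text" name="dob">
  <input type="hidden" name="csrf_token" value="token-placeholder">
</form>`;

console.log("clean form:", findInjectedFields(CLEAN_FORM));       // []
console.log("injected form:", findInjectedFields(INJECTED_FORM)); // [ 'ssn', 'phone', 'dob' ]
```

An inject that also removes or renames the bank's own fields would show up as missing names; a production check would compare both directions and report the whole diff to the bank's fraud telemetry.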

Kuzmin faces seven criminal charges related to wire fraud, access device fraud, and computer intrusion. If convicted, Kuzmin faces a maximum penalty of 95 years in prison. Calovskis is charged with five counts of bank fraud conspiracy, access device fraud conspiracy and computer intrusion and faces 67 years in prison. Paunescu faces charges of conspiracy to commit computer intrusion, conspiracy to commit bank fraud and conspiracy to commit wire fraud and faces a maximum penalty of 60 years.

Related: The Man Behind the Gozi Trojan Attack: Mastermind or Trap?

Related: Project Blitzkrieg Cyber Heist Called a 'Credible Threat'

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.