FBI and International Agencies Bust Two Massive Scareware Operations

International Operation Targeted Two Cybercriminal Rings That Caused More than $74 million in losses

The Department of Justice and the FBI, along with other law enforcement agencies around the world, announced the indictment of two individuals from Latvia as part of Operation Trident Tribunal, an ongoing operation targeting international cyber crime.

The operation targeted two international cybercriminal rings that, according to the FBI, caused more than $74 million in losses to more than a million people through the sale of crimeware known as “scareware” or “rogueware”, also referred to as rogue anti-virus. After tricking users into unknowingly downloading this malware, the tactic displays fake pop-up alerts or security notifications that scare users into thinking their PC has been infected. Users are then informed they need to buy what they are told is anti-virus software in order to repair their computers. The users are then barraged with aggressive and disruptive notifications until they supply their credit card number and pay for a fake anti-virus product.

After obtaining warrants, authorities were able to seize 22 computers and servers in the United States that were operating and managing the scheme. An additional 25 computers and servers located in countries including the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom were taken down as part of the operation.

The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years.

Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129. According to the FBI, an estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses. Latvian authorities also seized at least five bank accounts linked to the operators.

This past spring proved to be an opportunistic time for cybercriminals with several high profile events setting up the opportunity for rogue antivirus (rogueware) attacks exploiting events, including the Royal Wedding, the Easter holiday, the anniversary of Yuri Gagarin becoming the first man in space, along with the release of President Obama’s long-form birth certificate. Cybercriminals used these events to attack end-users via SEO poisoning attacks which hijack legitimate search results, such as searches for Royal Wedding coverage, as well as rogue AV applications and malicious websites that prompt users to install fake software on their PCs to view supposedly exclusive content.

A second international crime ring disrupted by Operation Trident Tribunal relied on “malvertising”, a growing method used to distribute malware via advertising tags served through an unsuspecting publisher’s Web site. An indictment charges the two operators of this scareware scheme with two counts of wire fraud, one count of conspiracy to commit wire fraud and computer fraud. The defendants, Peteris Sahurovs, 22, and Marina Maslobojeva, 23, were arrested yesterday in Rezekne, Latvia on the charges.

According to the indictment, Maslobojeva and Sahurovs created a fake ad agency and approached the Minneapolis Star Tribune’s news Web site, startribune.com, saying that they represented a hotel chain that wanted to buy online advertising space on the site. The defendants provided “third party ad tags”, which allowed them to control and monitor their ads while removing the publisher’s ability to control what ads are served. Staff at startribune.com tested the advertising tags and found them to operate normally.


According to court documents, after the ad campaign started running on startribune.com, the defendants modified the code in the ad so that visitors to startribune.com were infected with malware that launched scareware on their systems. The scareware caused users’ computers to “freeze up” and generate a series of pop-up warnings in an attempt to trick users into purchasing fake antivirus software. Users’ computers “unfroze” if the users paid the defendants for the fake antivirus software, but the malware remained hidden on their systems. Users who didn’t buy the fake anti-virus software discovered that data and files stored on their computers became inaccessible. According to the FBI, the scam allegedly led to at least $2 million in losses.

Many of the digital ad serving platforms being used today were developed over a decade ago and not designed to cope with today’s massive volume of transactions from buyers and sellers around the world, creating a constant stream of new vulnerabilities in the system. Companies such as Dasient and SiteScout offer solutions to help protect publishers (and thus end users) by helping to identify malvertising campaigns like this.

“Cyber crime is profitable, and can prey upon American consumers and companies from nearly any corner of the globe. We will continue to be aggressive and innovative in our approach to combating this international threat,” said Assistant Attorney General Lanny A. Breuer of the Criminal Division.

If convicted, the defendants face penalties of up to 20 years in prison and fines of up to $250,000 on the wire fraud and conspiracy charges, and up to 10 years in prison and fines of up to $250,000 on the computer fraud charge. The defendants also face restitution and forfeiture of their illegal profits.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
