International Operation Targeted Two Cybercriminal Rings That Caused More than $74 million in losses
The Department of Justice and the FBI, along with other law enforcement agencies around the world, announced the indictment of two individuals from Latvia as part of Operation Trident Tribunal, an ongoing operation targeting international cyber crime.
After obtaining warrants, authorities were able to seize 22 computers and servers in the United States that were and operating and managing the scheme. An additional 25 computers and servers located in countries including the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom were taken down as part of the operation.
The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years.
Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129. According to the FBI, an estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses. Latvian authorities also seized at least five bank accounts linked to the operators.
This past spring proved to be an opportunistic time for cybercriminals with several high profile events setting up the opportunity for rogue antivirus (rogueware) attacks exploiting events, including the Royal Wedding, the Easter holiday, the anniversary of Yuri Gagarin becoming the first man in space, along with the release of President Obama’s long-form birth certificate. Cybercriminals used these events to attack end-users via SEO poisoning attacks which hijack legitimate search results, such as searches for Royal Wedding coverage, as well as rogue AV applications and malicious websites that prompt users to install fake software on their PCs to view supposedly exclusive content.
A second international crime ring disrupted by Operation Trident Tribunal relied on “malvertising”, a growing method used to distribute malware via advertising tags served through an unsuspecting publisher’s Web site. An indictment charges the two operators of this scareware scheme with two counts of wire fraud, one count of conspiracy to commit wire fraud and computer fraud. The defendants, Peteris Sahurovs, 22, and Marina Maslobojeva, 23, were arrested yesterday in Rezekne, Latvia on the charges.
According to the indictment, Maslobojeva and Sahurovs created a fake ad agency and approached the Minneapolis Star Tribune’s news Web site, startribune.com saying they that they represented a hotel chain that wanted to buy online advertising space on the site. The defendants provided “third party ad tags”, allowing them to control and monitor their ads which removing the ability for publishers to be able to control what ads are served. Staff at startribune.com tested the advertising tags and found them to operate normally.
According to court documents, after the ad campaign started running on startribune.com, the defendants modified the code in the ad so that visitors to startribune.com were infected with malware that launched scareware on their systems. The scareware caused users’ computers to “freeze up” and generate a series of pop-up warnings in an attempt to trick users into purchasing fake antivirus software. Users’ computers “unfroze” if the users paid the defendants for the fake antivirus software, but the malware remained hidden on their systems. Users who didn’t buy the fake anti-virus software discovered that data and files stored on their computers became inaccessible. According to the FBI, the scam allegedly led to at least $2 million in losses.
Many of the digital ad serving platforms being used today were developed over a decade ago and not designed to cope with today’s massive volume of transactions from buyers and sellers around the world, creating a constant stream of new vulnerabilities in the system. Companies such as Dasient and SiteScout offer solutions to help protect publishers (and thus end users) by helping to identify malvertising campaigns like this.
“Cyber crime is profitable, and can prey upon American consumers and companies from nearly any corner of the globe. We will continue to be aggressive and innovative in our approach to combating this international threat,” said Assistant Attorney General Lanny A. Breuer of the Criminal Division.
If convicted, the defendants face penalties of up to 20 years in prison and fines of up to $250,000 on the wire fraud and conspiracy charges, and up to 10 years in prison and fines of up to $250,000 on the computer fraud charge. The defendants also face restitution and forfeiture of their illegal profits.