- CyberCrime Center
December 9, 2013
Like the script from a TV police procedural, Dutch cyberpolice arrested four men who allegedly used TorRAT malware to make off with $1.4 million, then used the online currency Bitcoins to launder the money.
Not familiar with it, TorRAT (named RAT, not for somebody who’d use it, but for the acronym Remote-Access Trojan) operates on the Tor network, which is known for maintaining user anonymity. With Tor cybercriminals operating botnets are able to disguise commands they send to infected PCs and hide the flow of stolen data that’s transmitted from infected PCs to attacker-controlled servers.
Mathew J. Schwartz reporting on informationweek.com explains how the criminals operating and how they were apprehended:
The Windows malware was distributed in part via hacked Twitter feeds, but largely via phishing attacks written in Dutch that targeted online banking users in the Netherlands. “Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages,” said [cybersecurity expert] Feike Hacquebord in a blog post. “These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers.”
Police said the TorRAT gang coordinated their operations using Tor Mail — which was designed to provide users with anonymous, private communications — and ultimately stole funds from at least 150 Dutch bank accounts.
Stealing victims’ money was the easy part. Actually converting it to cash was much more difficult, and a single mistake might leave clues that authorities could trace back to the gang members’ real identity. “It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money,” said Hacquebord.
“The Dutch gang allegedly laundered money through Bitcoin transactions and even set up their own Bitcoin exchange service — FBTC Exchange — that went dark after the arrests.”
The Dutch investigation also resulted in police seizing from the TorRAT gang 56 Bitcoins, which authorities exchanged for over 7,700 euros ($10,000).
How did Dutch computer crime police trace the men? While authorities haven’t revealed what tipped them off, the arrests may have resulted directly from an FBI sting operation earlier this year that resulted in the arrest in Dublin of 28-year-old Eric Eoin Marques on child pornography distribution charges. Marques was also accused of being the operator of Freedom Hosting, which hosted multiple anonymous Tor software services, including Tor Mail, although the hosting service was affiliated with the Tor Project.
The FBI apparently hacked into the Freedom Hosting site and made it serve malware that targeted a bug — since patched — in the Firefox browser that underpins the Tor Browser Bundle (TBB), which is the easiest way to access the anonymizing Tor network. The malware planted a tracking ID onto a TBB-using PC, which allowed the FBI to trace the IP address for the computer, helping it identify the user. Accordingly, the FBI may have shared the real IP addresses of the alleged Tor Mail-using TorRAT gang members with Dutch police.
Last week’s takedown of the alleged TorRAT gang also followed the arrest earlier this month of Ross William Ulbricht, 29. The FBI accused Ulbricht, aka Dread Pirate Roberts, of running the notorious online narcotics marketplace known as the Silk Road. Reachable only via the Tor network, the site generated more than $1.2 billion in sales and $80 million in commissions during the more than two years in which it operated, authorities estimated. But even the combination of using Bitcoins as currency and the Tor network to hide participants’ identities didn’t prevent the FBI from tracing transactions back to the online marketplace’s alleged owner.
Last week, the FBI announced that it had seized a second stash of Bitcoins belonging to Ulbricht, which brought the total number of seized Bitcoins to 173,991. At current Bitcoin exchange rates, they would be worth more than $34.1 million.
ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
Posted by Dan Rampe
Tags: Account Takeover, Account Takeover Fraud, Bank Fraud, Bitcoin, Botnets, CNP fraud, Cookieless Device Identification, Cookies, Credit Card Fraud, Cyber attacks, Device Detection, Device Fingerprint, Device Fingerprinting, Device ID, Device Identification, Fraud Prevention, Hacking, Identity Spoofing, Identity theft, Malware, Malware Detection, Malware Protection, Man-in-the-Browser Detection, MitB, Mobile fraud, Online Fraud, Phishing, Phishing Detection, PII, ThreatMetrix, ThreatMetrix Cybercrime Index, ThreatMetrix Global Trust Intelligence Network, ThreatMetrix Web Fraud Map, TorRAT, TrustDefender Cybercrime Protection Platform, Web Fraud