Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

“Gotcha ‘Gozi’ Guys.” Feds Indict 3 for Creating and Distributing the Adaptable Gozi Trojan Responsible for Tens of Millions in Losses.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

Gozi infected more than a million computers and cost financial institutions and their customers tens of millions of dollars. Sold to cyberthieves and modified to attack the specific financial institution a buyer targeted, Gozi has been an extremely sophisticated and very successful strain of malicious software.

The FBI is quoted as saying the three men responsible were Russian national Nikita Kuzmin, 25, the malware’s creator, Latvia national Deniss “Miami” Calovskis, 27, who wrote some of the code that made the malware as effective as it was, and Romanian national Mihai Ionut Paunescu, 28, who purportedly went by the screen name “Virus.” While Paunescu is alleged to be a cybercrook, it appears he’s an honest one if he goes by the name “Virus.” Then again, maybe he just gets more than his share of head colds. reports “Kuzmin was arrested in the U.S. in November 2010, and pled guilty the following year to charges of computer intrusion and fraud. Calovskis meanwhile was arrested in Latvia in November 2012, and Paunescu, who is accused of running a bulletproof hosting service for criminals distributing the malware, was arrested in Romania in December.”

U.S. Attorney for the Southern District of New York, Preet Bharara reportedly indicted the men on bank fraud conspiracy, conspiracy to commit computer intrusion, and wire fraud conspiracy. Bharara noted that of the million computers infected by Gozi, at least 40,000 were in the United States and were responsible for millions in losses.

In his blog, Krebs on Security, Brian Krebs explained how Gozi works and why the men behind the Trojan were so successful – well, until they got caught.

First discovered in early 2007, the Gozi Trojan is a stealthy, cybertheft tool that typically evades anti-virus detection for weeks — sometimes months — at a time. Cyber forensics experts say Gozi has remained a potent threat, mainly because its author has been very selective in choosing new customers and fastidious in creating custom, undetectable versions of the malware. 

For all the Trojan’s sophistication, however, investigators say it was merely the delivery vehicle for the author’s real moneymaking machine: A software-as-a-service fraud scheme called “76 Service.”

According to authorities, Kuzmin marketed the service on highly-vetted cybercriminal forums online, offering customers a soup-to-nuts crime machine that automated the processes of robbing online banking customers. Incredibly, this turnkey system even automated the ready supply of so-called “money mules,” willing or unwitting individuals recruited through work-at-home job scams to help thieves launder stolen funds.

“This was kind of like for the bad guys, where he’d hook them up to his cybercrime facility and then charge them out the ear for additional services,” said one fraud investigator who worked closely with law enforcement officials on the investigation but who asked to remain anonymous.

“As a customer, you’d tell him which banks you wanted to target, and he has close-knit relationships with people who can code together pre-coded scripts to interact specifically with those bank Web sites, or has developers on standby to meet your needs,” the source said. “Then he generates the custom Gozi Trojan just for you, providing the cryptor that helps it evade anti-virus detection, and he provides the hosting infrastructure on the back end that lets you manage all of the machines infected with the Trojan.”

76 Service customers were supplied a slick, point-and-click Web-based interface that could be used to control machines infected with their customer Gozi variant, and to manipulate the way victim customers interacted with their financial institutions’ Web site.

To that end, the “injects” supplied by the Gozi team were the key moneymaker for the 76 Service. A typical Gozi attack worked like this:

A 76 Service customer would decide which banks most of those victimized by his Trojan were using, and then pay the author to create (an) automated system so that when victims logged in to their bank’s site, the Trojan would inject HTML content into the bank’s Web site as displayed in the victim’s browser — usually form fields that requested additional personal or financial data on the victim, and then relayed that data back to the attackers.

One common type of inject used by Gozi was a pop-up box … an inject that targeted (a specific bank) and requested additional data from victim account holders.

Investigators say Gozi also was used to inject content directly into the bank’s Web page as displayed by the victim’s browser, allowing attackers to spoof the victim’s bank balance: In such attacks, the crooks could empty an account of all available funds, and yet force the victim’s browser to display the original balance before the robbery.

Another inject that sources say was used primarily against banks in the United Kingdom actually automated the process of sending stolen funds from compromised accounts to money mules. The mules were thought to be supplied by a third-party group that specialized in recruiting, vetting and training mules — priming them to be ready to receive transfers, pull the money out in cash, and then wire the funds to the attackers.

By ThreatMetrix Posted