by Paul Ducklin
More than eight-and-a-half years ago, we wrote about the US indictment of three cybercrime suspects.
The troika was wanted for allegedly operating a bank-raiding crimeware “service” known as Gozi, based on zombie malware that used a technique known as HTML injection to trick victims into revealing personal information relating to their on-line banking.
As we explained at the time [original text slightly edited]:
Adding to or altering the content of a bank’s online login form is tricky if you want to make the modifications on the server side or while the content is in transit. […]
But if you can plant malware on the victim’s PC, you can use what’s known as an MiTB attack, or “manipulator in the browser”.
Then, you wait until a suitable online transaction form has been securely delivered and decrypted for display in the browser. Only then do you inject content into the HTML in order to modify the form, for example to request additional security information that wouldn’t normally be needed at that point.
Finally, you exfiltrate the extra data entered by the victim by sending it somewhere other than the bank.
By leaving the genuine fields in the web form alone, and allowing data in the genuine parts of the form to flow to the regular banking site as usual, HTML injection attacks generally don’t interfere with the original transaction.
That means there is no tell-tale error message or failed transaction that the crooks need to disguise, and there is no tell-tale fake URL in the address bar that an observant user might notice.
Using the stolen data, the Gozi crooks could then raid the victim’s bank account, with the US Department of Justice (DOJ) noting at the time that there were at least 17,000 Gozi malware infections in the US alone, including 160 at NASA.
It seems that rocket scientists aren’t aren’t just people of interest to cybercrooks for the latest spaceplane plans – their bank account details are valuable, too.
The three defendants were accused of playing different roles in the overall scam, detailed by the 2013 charge sheet as follows:
Kuzmin was said to have been what you might call the COO of the “business”, hiring coders to write the Gozi malware and operating the Crimeware-as-a-Service (CaaS) business based around it.
Čalovskis was the HTML injection expert, coding up the HTML modifications used to trick the victims and steal their account information.
Paunescu allegedly ran what are known as “bulletproof hosts” for the enterprise – servers that are intentionally operated to be hard for cybersecurity defenders to identify and take down.
By 2016, Kuzmin – whom we assume was caught in the US despite himself being Russian, and who had been in custody for more than three years while his case dragged on – finally pleaded guilty, and was sentenced to “time served”, meaning that his 37 months on remand were considered incarceration enough.
He was also required to forfeit just under $7,000,000, which gives you an idea of how much money bank-raiding malware crooks stand to make off with.
Čalovskis was in Latvia, and sucessfully fought extradition to the US until 2015, having convinced a Latvian court that his likely sentence would be considered unreasonably harsh by Latvian standards.
(The DOJ routinely lists maximum sentences in its reports – 67 years in the case of Čalovskis, as shown above – even though maximums are rarely handed out.)
By 2015, however, the two countries had apparently reached a “reasonableness agreement” whereby Čalovskis, if extradited, would not appeal his conviction or sentence if he were to get no more than two years.
In the end, that’s what happened, with Čalovskis being sent to the US, pleading guilty and admitting: “I knew what I was doing was against the law.”
After 21 months in custody, he too was sentenced to “time served” while waiting extradition and sentencing, a period of less than two years, as agreed in advance.
Only Paunescu remained out of the DOJ’s clutches, apparently spared from extradition by a Romanian court.
Until this week, that is, when he was picked up at Bogotá International Airport by the Colombian authorities, who promptly contacted the US diplomatic service to see if it wished to begin extradition proceedings.
We’re not sure whether Paunescu was busted on the way in or on the way out; reports state just that he was “sporting a thick beard and wearing a red t-shirt.”
(A Wu-Tang Clan shirt, apparently, according to one image bearing the Colombian Attorney General’s logo.)