Three Romanian men have been indicted in the United States for their involvement in a longstanding online fraud operation that resulted in estimated losses of up to $35 million.
The operation relied on the use of a piece of malware known as Bayrob, which was initially designed to facilitate fraud, but which was updated with cryptocurrency mining capabilities. During the 8 years of activity, the group is estimated to have sent over 11 million malicious emails and to have infected over 300,000 computers.
The three suspects indicted in this case are Bogdan Nicolescu (aka “Masterfraud”, aka “mf”); Danet Tiberiu (aka “Amightysa”, aka “amy”); and Radu Miclaus (aka “Minolta”, aka “min”). All three were arrested in Romania earlier this year and extradited to the United States, where they face multiple charges relating to fraud, identity theft, money laundering, and trafficking in counterfeit goods or services, Symantec, which participated in the investigation since 2011, reveals.
Initially, the group was associated with an online fraud operation where victims were tricked into believing they were buying a vehicle on eBay. The gang listed vehicles on various websites, including eBay, and targeted individuals interested in making a purchase via emails attacks.
People interested in the alleged sales were sent an initial email informing them that the sale was concluded, while a subsequent email informed them that the sale actually had fallen through. The second email also asked victims if they were still interested and contained a slideshow of the vehicle supposedly on sale as attachment.
The attached file was infected with the Bayrob malware (detected as Trojan.Bayrob), which was capable of displaying fake eBay pages. The cybercriminals would send the victim an eBay link via emails, and the Trojan made it look as a real auction, thus tricking the victim into bidding. The security researchers say that the malware was customized for each intended victim and that the emails were composed in fluent English.
Victims who decided to buy the allegedly auctioned vehicles were tricked into sending thousands of dollars to the accounts of money mules, who would then send the money to the malware operators. The gang even created a fake trucking company that contacted victims to inform them their vehicles were en-route, but which claimed the delivery was delayed for various reasons. This scheme ensured that the crooks would receive their money before the victims realized they had been conned.
The gang had a wide network of money mules in the United States and Eastern Europe, some of which were “hired” by means of fake job ads. Some people were told the job they were applying for had been filled, but were offered a work from home job as an alternative, while others were told they had gotten a job with a fake Yahoo subsidiary called Yahoo Transfers.
Money mules “were thoroughly vetted during recruitment, using Google searches, instant messaging, and VoIP calls,” Symantec says. Money mules could retail 6% of the received funds, but were also offered the option to send the entire sum and then receive a 10% cut, but this second setup was found to be yet another scheme, as nobody who opted for it received anything in return.
The US victim would send the money to an account controlled by a mule in the US, who would then transfer the funds to another mule, usually located in an Eastern European country, who would presumably transfer it to the gang members.
Although the gang was initially focused on auction fraud, its members soon started stealing credit card information from the infected computers, and used the stolen cards to purchase infrastructure and grow their operation. After managing to infect hundreds of thousands of computers, the group turned to cryptocurrency mining.
“In recent years, the gang has concentrated on rapidly growing the number of infected computers in order to build a botnet. When it was exclusively involved in auction fraud, the number of infected computers was around 1,000 at any one time. However, by 2014 it had jumped to approximately 50,000 and by mid-2016 it had grown to over 300,000 and continued to grow,” Symantec says.
The group managed to operate for such a long period of time because of the employed tactics, which also included extensive use of encryption for online communication: “email encrypted using PGP and instant messaging encrypted with the Off-The-Record (OTR) messaging protocol.” The gang also hid behind a double layer of proxies, but a weak point in the use of these proxies allowed the security researchers to expose the malicious activities
“Symantec’s pursuit of Bayrob is one of many long standing investigations we currently have underway, all of which are motivated by a desire to protect our customers. Today’s arrests illustrate the value of effective co-operation between security companies and law enforcement and sends a clear signal to international cybercrime gangs that they are not beyond the reach of the justice system,” Symantec concludes.