FBI Charges Creators and Distributor of Gozi Malware

Three sophisticated fraudsters behind the Gozi malware, which infected more than one million computers including hundreds at NASA, have been arrested and charged with computer intrusion and conspiracy to commit bank fraud after creating their malware and selling it on the black market to steal online bank account credentials.

Nikita Kuzmin, of Russia, set out to create the Gozi virus back in 2005 and recruited Dennis Calovskis, a Latvian, to help write the code. This team of fraudsters was high up on the food chain: they created the Gozi malware to sell to other fraudsters, who could then use it to infect computers and steal online banking credentials. That information could then be sold on to other fraudsters or used to commit bank fraud directly. To get Gozi out for sale on the black market, Kuzmin and Calovskis solicited help from a Romanian, Mihai Ionut Paunescu, who operated a hosting service for selling and distributing malware. Paunescu, who uses the online alias “Virus,” also provided hosting for the creators of the Zeus and SpyEye Trojans. For several years, access to the malware code and frequent updates were provided online for a weekly service fee in what was called the “76 Service.” But in 2009 Kuzmin, the main creator of the virus and the ringleader, decided to sell the source code for $50,000 a copy.

Over this time the Gozi malware spread as fraudsters used Kuzmin’s virus and services to infect computers and steal banking credentials. One of the earliest and most successful man-in-the-browser (MitB) attack viruses, the malware would present fake welcome pages prompting consumers to enter banking credentials, PINs, SSNs, mothers’ maiden names and other information. These pages and attacks were targeted at specific banks and countries. Early on the malware focused on U.S. banks, but it later targeted European banks for a few years before focusing on U.S. banks and victims again. Overall, it is estimated that more than one million computers were infected with Gozi worldwide, at least 40,000 of them in the United States. While it is difficult to estimate the full financial damage caused, the criminal indictment is seeking $50 million in reparations.

The Gozi virus also gained notoriety for infecting 160 NASA computers, which resulted in $40,000 in damages. At this time it is unclear whether any sensitive data was compromised or whether NASA’s operations were affected, but the infections did cause losses by damaging hardware. The criminal investigation into Kuzmin and the Gozi virus has been ongoing for several years and will continue even with the three main leaders in custody. Kuzmin was initially arrested in the United States in late 2010 and later pleaded guilty to computer intrusion and fraud charges. Calovskis and Paunescu (“Virus”) were charged in late January following arrests and extraditions in late 2012. Facing charges including conspiracy to commit aggravated identity theft, access device fraud and computer intrusion, the three face maximum penalties ranging from 60 to 95 years in prison.

For more information:

Cybercrime takedown: Is it game over for Gozi Trojan that stole millions?