Related Links

Related Stories

  • Spam campaign makes offerings to Zeus
    The widespread banking trojan/botnet known as Zeus is continuing to throw its malware-infested thunderbolts at unsuspecting users, this time through a wide-net spam campaign.
  • Android adware, Zitmo botnets and Romanian hackers, oh my!
    We're not in Kansas anymore: The third quarter of 2012 saw a marked increase in Android adware, while new evidence surfaced suggesting that the Zeus-in-the-Mobile (Zitmo) banking trojan is evolving into a botnet. And, Romanian hackers are continuing to perform large-scale scanning for web vulnerabilities, according to the quarterly threat assessment from Fortinet.
  • Universal man in the browser malware allows real-time information processing
    Hackers who employ the man-in-the-browser (MiTB) gambit to steal information from computer systems have found a way to more efficiently cast their net. According to researchers at Trusteer, a new strain of MiTB malware can adopt a “one-size-fits-all” approach to collecting compromising data from websites, eliminating the time-consuming process of parsing through specific logs for the sensitive bits.
  • Citadel trojan targeting major international airport hub
    The Citadel trojan is best known for its recent delivery of the Reveton ransomware. Now Trusteer has discovered a Citadel-based man-in-the-browser (MitB) attack aimed against VPN-using employees at a major international airport.
  • Man in the Browser (MITB) becomes Man in the Mobile (MITMO)
    MITB malware, personified by Zeus and SpyEye, has long been the bane of desktop online banking. Now Trusteer reports that MITB has migrated to Android; and calls it Man in the Mobile.

Top 5 Stories


Gozi malware mastermind and two others charged in New York court

24 January 2013

Three of the leading figures behind the development and use of the Gozi banking malware have been charged in New York for numerous offenses that carry a maximum penalty ranging from 60 to 95 years in prison.

The three accused are Nikita Kuzmin (Russian), Deniss Calovskis (Latvian) and Mihai Ionut Paunescu (Romanian). Kuzmin is considered both the ringleader and mastermind behind the Gozi malware. Court papers say that in 2005 he developed the technical specification for a virus to steal personal bank account information. He then subcontracted the coding to “a sophisticated computer programmer to write the virus’s ‘source code'."

Gozi became one of the earliest and most successful man-in-the-browser trojans, infecting, say the papers, “at a minimum, over 100,000 computers around the world, including at least 25,000 computers in the United States, and has caused, at a minimum, tens of millions of dollars in losses.” Elsewhere, the indictment makes clear that the government will be seeking forfeiture of $50 million dollars in reparations.

Calovskis, aka 'Miami', is accused of providing code tweaks to Gozi to customize the web injects for specific clients. The web injects define how the falsified web page will appear on the user’s browser, allowing the attacker to request specific or additional information that is sent by the malware to the command and control servers. 

Those C&C servers may well have been provided by, or at least shielded by, Paunescu’s bullet-proof hosting service.

The whole operation, from conception to fruition, together with the FBI’s investigation, can be found in the Department of Justice published documents. “They make fascinating reading,” comments Paul Ducklin of Sophos, “weaving together the activities of the accused troika into a long-running story that could apply to almost any successful online enterprise – but for the fact that the business described is unashamedly devious and criminal."

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×