May 19, 2014

International Blackshades Malware Takedown

Coordinated Law Enforcement Actions Announced

U.S. Attorney for the Southern District of New York Preet Bharara announces arrests in the Blackshades malware cyber takedown during a press conference in New York.

Today, representatives from the FBI New York Field Office and the U.S. Attorney’s Office for the Southern District of New York announced the results of a cyber takedown, which included the unsealing of an indictment against Swedish national Alex Yucel and the guilty plea of U.S. citizen Michael Hogue, both of whom we believe co-developed a particularly insidious piece of malware known as Blackshades. This software was sold and distributed to thousands of people in more than 100 countries and has been used to infect more than half a million computers worldwide.

Also charged and arrested in the U.S. were an individual who helped market and sell the malware and two Blackshades users who bought the malware and then unleashed it upon unsuspecting computer users, surreptitiously installing it on their computers. So far during the takedown, 40 FBI field offices have conducted approximately 100 interviews, executed more than 100 e-mail and physical search warrants, and seized more than 1,900 domains used by Blackshades users to control victims’ computers.

And that’s not all. The actions announced at today’s press conference are part of an unprecedented law enforcement operation involving 18 other countries. More than 90 arrests have been made so far, and more than 300 searches have been conducted worldwide.

Malware is malicious software designed to damage computer systems or perform other unwanted actions on them. Blackshades malware—in particular, the Blackshades Remote Access Tool (RAT)—allows criminals to steal passwords and banking credentials; hack into social media accounts; access documents, photos, and other computer files; record all keystrokes; activate webcams; hold a computer for ransom; and use the computer in distributed denial of service (DDoS) attacks.

We uncovered the existence of the Blackshades malware during a previous international investigation called Operation Cardshop, which targeted “carding” crimes—offenses in which the Internet is used to traffic in and exploit the stolen credit cards, bank accounts, and other personal identification information of hundreds of thousands of victims globally. We spun off a new investigation and ultimately identified one of the Cardshop subjects—Michael Hogue—and Alex Yucel as the Blackshades co-developers. Yucel, the alleged head of the organization that sold the malware, was previously arrested in Moldova and is awaiting extradition to the U.S.

Our investigation revealed that several different types of Blackshades malware products were available for purchase by other cyber criminals through a website; the popular Blackshades RAT could be bought for as little as $40. In addition to its low price, the Blackshades RAT was very attractive because it could be customized by the criminals who bought it, depending on their particular requirements.

Yucel ran his organization like a business—hiring and firing employees, paying salaries, and updating the malicious software in response to customers’ requests. He employed several administrators to facilitate the operation of the organization, including a director of marketing, a website developer, a customer service manager, and a team of customer service representatives.

New York FBI Assistant Director in Charge George Venizelos said that today’s announcement “showcases the top to bottom approach the FBI takes to its cases...starting with those who put it [malware] in the hands of the users—the creators and those who helped make it readily available, the administrators. We will continue to work with our law enforcement partners to bring to justice anyone who uses Blackshades maliciously.” 

We’re currently working with Internet service providers to notify domestic victims of the Blackshades malware. But in the meantime, we’re providing information here on how to check your computer for a possible Blackshades infection.

Protect Your Computer from Malware

  • Make sure you have updated antivirus software on your computer.
  • Enable automated patches for your operating system and web browser.
  • Use strong passwords, and don’t reuse the same password across different accounts.
  • Use a pop-up blocker.
  • Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
  • Don’t open e-mail attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organization’s website directly.