January 28, 2014

Botnet Bust

SpyEye Malware Mastermind Pleads Guilty

Today, Russian national Aleksandr Andreevich Panin pled guilty in an Atlanta federal courtroom to a conspiracy charge associated with his role as the primary developer and distributor of malware—called SpyEye—created specifically to facilitate online theft from financial institutions, many of them in the U.S.

SpyEye infected more than 1.4 million computers—many located in the U.S.—obtaining victims’ financial and personally identifiable information stored on those computers and using it to transfer money out of victims’ bank accounts and into accounts controlled by criminals.

Ultimately, though, Panin sold his malware online to the wrong customer—an undercover FBI employee. And after an investigation involving international law enforcement partners as well as private sector partners, a dangerous cyber threat was neutralized.

How the conspiracy operated. From 2009 to 2011, Panin conspired with others, including co-defendant Hamza Bendelladj (charged and extradited to the U.S. last year), to advertise and develop various versions of SpyEye in online criminal forums. One ad described the malware as a “bank Trojan with form grabbing possibility,” meaning it was designed to steal bank information from a web browser while a user was conducting online banking. Another ad said that the malware included a “cc grabber,” which scans stolen victim data for credit card information.

Panin sold the SpyEye malware to more than 150 “clients” who paid anywhere from $1,000 to $8,500 for various versions of it. Once in their hands, these cyber criminals used the malware for their own nefarious purposes—infecting victim computers and creating botnets (armies of hijacked computers) that collected large amounts of financial and personal information and sent it back to servers under the control of the criminals. They were then able to hack into bank accounts, withdraw stolen funds, create bogus credit cards, etc.

In February 2011, a search warrant allowed the FBI to seize a key SpyEye server located in Georgia. It was several months after that when the FBI bought SpyEye online from Panin—which turned out to be very incriminating because that particular version contained the full suite of features designed to steal confidential financial information, make fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (DDoS) attacks from computers infected with malware.

Panin was arrested in July 2013 while he was flying through Hartsfield-Jackson Atlanta International Airport.

The investigation into the SpyEye malware is just one initiative worked under Operation Clean Slate, a broad public/private effort recently undertaken to eliminate the most significant botnets affecting U.S. interests by targeting the criminal coders who create them and other key individuals who provide their criminal services to anyone who’ll pay for them. Much like the FBI’s other investigative priorities where we focus on taking down the leaders of a criminal enterprise or terrorist organization, under Clean Slate we’re going after the major cyber players who make botnets possible.

And FBI Executive Assistant Director Rick McFeely warns potential hackers: “The next person you peddle your malware to could be an FBI undercover employee...so regardless of where you live, we will use all the tools in our toolbox—including undercover operations and extraditions—to hold cyber criminals accountable for profiting illicitly from U.S. computer users.”