Gang tried to trick victims by posing as medics and telling them they had cancer in £20m bank cyber heist
The Eastern European cybercriminals sent infected emails to unsuspecting customers that allowed them to steal private banking information
An Eastern European criminal gang behind a £20m hi-tech heist on British banks planned to trick victims into exposing their financial details by pretending to be medics and telling them they had cancer, the US authorities have revealed.
The “tightly-knit” group of cybercriminals sent hundreds of thousands of infected emails to unsuspecting customers, allowing them to steal private banking information and use it to transfer millions of pounds from Britain to accounts in Russia, Ukraine and Belarus.
It is suspected that a criminal group hired a Moldovan computer expert, Andrey Ghinkul, known online as Smilex, to run the scam. He was arrested while on holiday in Cyprus in August.
Mr Ghinkul was described as the leader of a group that included four other Russian-based criminals who infected hundreds of thousands of computers worldwide, according to US court documents. Britain was particularly targeted in the scam, according to experts.
The gang’s ability to steal the money depended on unwitting victims opening email attachments that contained the malware, known as Dridex, which sat quietly on the computer until an online banking site was visited.
It then allowed the conspirators to capture banking credentials as they were typed, or even to hijack the browsing session and present a fake online banking page designed to collect further personal information.
The spam emails used a range of pretexts, including notices that a package had been sent or that a large sum of money had been transferred to the recipient’s account. In an internet chat in March 2014, Mr Ghinkul, 30, allegedly told another member of the gang about the “cancer” plan, according to an indictment released by the US authorities.
The plan was that “the purported originator of the email was a medical institution and that the victim recipient had tested positive for cancer”, according to the document. It was not clear whether the tactic was ever used.
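The delivery chain described above, an attachment-borne installer wrapped in a topical lure (parcel notice, money transfer, medical result), is exactly what a mail-gateway triage rule keys on. The following is an added example written for this page, not code from any of the investigators or vendors named in the article; the extension lists, keyword groups, score weights and the three sample messages are all constructed assumptions, and nothing here is a real Dridex sample.

```python
"""Malspam triage heuristics for lure-plus-attachment emails (added example).

Scores an RFC 5322 message on two independent signals: attachments whose type
can carry executable content or macros, and lure phrasing of the kinds named
in the article. All lists and weights are illustrative assumptions.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed gateway blocklist: extensions that execute or can carry macros.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                   ".docm", ".xlsm", ".pptm", ".doc", ".xls"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso"}
# Harmless-looking inner extensions used to disguise a payload (report.pdf.exe).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}

# Lure themes from the article, as constructed keyword groups.
LURE_THEMES = {
    "delivery": ("package", "parcel", "shipment", "courier"),
    "payment": ("transferred to your account", "payment", "invoice", "remittance"),
    "medical": ("test result", "tested positive", "cancer", "diagnosis"),
}
WEIGHTS = {"double_extension": 3, "executable": 3, "archive": 2}


def classify_attachment(name):
    """Return a risk label for a filename, or None if it looks benign."""
    lower = name.lower()
    stem, dot, ext = lower.rpartition(".")
    if not dot:
        return None
    ext = "." + ext
    inner = "." + stem.rpartition(".")[2] if "." in stem else ""
    if ext in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        return "double_extension"      # e.g. Test_Results.pdf.exe
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in ARCHIVE_EXTS:
        return "archive"               # payload often nested in a zip
    return None


def lure_themes(text):
    """Set of lure themes whose keywords appear in subject or body text."""
    lower = text.lower()
    return {theme for theme, words in LURE_THEMES.items()
            if any(w in lower for w in words)}


def triage(raw):
    """Parse a raw message and return score, verdict and the reasons behind it."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    score, reasons = 0, []
    for part in msg.iter_attachments():
        name = part.get_filename()
        label = classify_attachment(name) if name else None
        if label:
            score += WEIGHTS[label]
            reasons.append(f"{label}:{name}")
    themes = lure_themes(text)
    score += len(themes)               # one point per lure theme matched
    reasons.extend(f"lure:{t}" for t in sorted(themes))
    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def build_sample(sender, subject, body, attachment=None):
    """Construct a test message; attachment bytes are placeholders, not malware."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "customer@example.org", subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed samples modelled on the lure themes described in the article.
CANCER_LURE = build_sample(
    "results@oncology-centre.example", "Your test results",
    "Dear patient, you have tested positive for cancer. Open the attached report.",
    ("Test_Results.pdf.exe", b"MZ placeholder bytes"))
PARCEL_LURE = build_sample(
    "noreply@courier.example", "Package delivery failed",
    "We could not deliver your parcel. The shipping label is attached.",
    ("label.docm", b"PK placeholder bytes"))
BENIGN = build_sample(
    "newsletter@example.com", "Monthly statement available",
    "Your statement is ready to view by logging in as usual.")

if __name__ == "__main__":
    for label, raw in (("cancer lure", CANCER_LURE),
                       ("parcel lure", PARCEL_LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The two signals are scored separately on purpose: a lure without an attachment (a phishing link) and an attachment without a lure (a misfiled internal document) each land in "review" rather than "block", while the combination the article describes crosses the block threshold on its own.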
“They were opportunistic and used any means to get people to inadvertently install malware so they could steal money,” said Don Smith, Technology Director at Dell SecureWorks which cracked open the fraud. “They would use any ploy – however weird or wacky – to persuade people to do that.”
Details of the case emerged after the FBI, the National Crime Agency (NCA) and private security firms revealed their role in taking down the cyber scam described by one US attorney as “one of the most pernicious malware threats in the world”.
The NCA has declined to name the banks hit by the fraud in Britain because the institutions feared reputational damage from the incident. It said that the £20 million figure could rise.
The Moldovan kingpin and the Russians – named in court documents and known by their online monikers as “nintutu”, “caramba” and “aqua” – ran a sophisticated operation using false identities, anonymous internet-based payment systems and a network of money mules to launder the funds during the cyber bank jobs, according to US court documents.
During its online investigation, the FBI discovered an email account attributed to Mr Ghinkul in which he appeared to have sent himself a version of the malware.
In online chats over the Jabber instant messaging service, he suggested that he was struggling to infect computers using the email technique and asked other criminals for help, according to the US court papers.
Mr Ghinkul had been staying in the coastal Cypriot city of Paphos when he was arrested, and claimed that he had travelled there because his daughter had a health condition that was helped by the warm weather. He had visited France, Poland and Romania, according to the Cyprus Mail, before he travelled to the island to stay in the £1,200-a-week Meltemi Villas Resort, where each villa has its own private swimming pool.
He was remanded in custody after the Cypriot authorities turned down his request that he be freed on 20,000 euro bail. Prosecutors said that in the past suspects had fled by private jet or yacht when facing extradition hearings.
Days after his arrest, the NCA launched an operation to intercept communications between infected computers and the gang’s servers. It said it expected further arrests.
The US is seeking Mr Ghinkul’s extradition to stand trial for a sophisticated operation that also netted the gangsters $10m from institutions in the United States.
The targets for the scam in the United States included an oil company, a school district and two banks, according to papers released in the United States. A member of staff at the oil company, Penneco Oil, unwittingly downloaded the malware on to a company computer, which resulted in $3.5m (£2.3m) being transferred in two separate tranches to accounts in Russia and Belarus.
Executive Assistant Director Robert Anderson, from the FBI, said: “Cyber criminals often reach across international borders, but this operation demonstrates our determination to shut them down no matter where they are.”
Previous banking cyberscams
The Dridex banking trojan, which breached the security of computers in 27 countries, was one of a number of criminal projects that filled the void after a multinational police operation against the Gameover Zeus operation in 2014. Gameover Zeus, which operated in a similar way to Dridex, was estimated by the FBI to have netted more than US$100m.
The alleged mastermind of that operation, Evgeniy Mikhailovich Bogachev, remains at large and is believed to be in Russia. He is on the FBI’s list of most wanted cybercriminals with a reward of $3m for information leading to his arrest. Experts said that Dridex failed to match the sophistication, size and criminal success of Gameover Zeus.