
Sunday, July 5, 2015

FTC ANNOUNCES SETTLEMENT WITH APP DEVELOPER ACCUSED OF HIJACKING PHONES TO MINE CRYPTOCURRENCY

FROM:  U.S. FEDERAL TRADE COMMISSION
App Developer Settles FTC and New Jersey Charges It Hijacked Consumers’ Phones to Mine Cryptocurrency
Defendants’ App Installed Malware that Left Phones With Drained Batteries, Depleted Data Plans

A smartphone app developer has agreed to settle charges by the Federal Trade Commission and the New Jersey Attorney General that it lured consumers into downloading its “rewards” app, saying it would be free of malware, when the app’s main purpose was actually to load the consumers’ mobile phones with malicious software to mine virtual currencies for the developer.

The Ohio-based defendants behind the app, called “Prized,” agreed to a settlement that will permanently ban them from creating and distributing malicious software.

“Hijacking consumers’ mobile devices with malware to mine virtual currency isn’t just deplorable; it’s also illegal,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “These scammers are now prohibited from trying such a scheme again.”

The defendants, Equiliv Investments and Ryan Ramminger, began marketing the Prized app around February 2014, making it available in the Google Play Store, Amazon App Store and others. Thousands of consumers downloaded the app believing they could earn points for playing games or downloading affiliated apps and then spend those points on rewards such as clothes, gift cards and other items. Consumers were promised that the downloaded app would be free from malicious software – malware – or viruses, according to the complaint.

What consumers got instead, according to the complaint, was an app that contained malware that took control of the device’s computing resources to “mine” for virtual currencies like DogeCoin, LiteCoin and QuarkCoin.

Virtual currencies are created by solving complex mathematical equations, and the complaint alleges that the app attempted to harness the power of many users’ devices to solve the equations more quickly, thus generating virtual currency for the defendants. The use of that power caused the device’s battery to drain faster and recharge more slowly, and to burn through consumers’ monthly data plans.

“Consumers downloaded this app thinking that at the very worst it would not be as useful or entertaining as advertised,” said Acting New Jersey Attorney General John J. Hoffman. “Instead, the app allegedly turned out to be a Trojan horse for intrusive, invasive malware that was potentially damaging to expensive smartphones and other mobile devices.”

The complaint in the case alleges that the defendants violated both the FTC Act and the New Jersey Consumer Fraud Act. In addition to the ban on creating and distributing malicious software, the court order also requires the defendants to destroy all information about consumers that they collected through the marketing and distribution of the app.

The settlement also includes a $50,000 monetary judgment against the defendants payable to the state of New Jersey, of which $44,800 is suspended upon payment of $5,200 and compliance with the injunctive provisions of the stipulated order.

This case is part of the FTC’s ongoing work to protect consumers taking advantage of new and emerging financial technology, also known as FinTech. As technological advances expand the ways consumers can store, share, and spend money, the FTC is working to keep consumers protected while encouraging innovation for consumers’ benefit.

The Commission vote authorizing the staff to file the complaint and approving the proposed stipulated court order was 5-0. The FTC and state of New Jersey filed the complaint and order in the U.S. District Court for the District of New Jersey.

Sunday, October 26, 2014

COURT SHUTS DOWN TECH SUPPORT SCAMMERS WHO SOLD SOFTWARE AVAILABLE FOR FREE

FROM:  FEDERAL TRADE COMMISSION 
At FTC’s Request, Court Shuts Down New York-Based Tech Support Scam Business

At the request of the Federal Trade Commission, a federal court has shut down a company that scammed computer users by tricking them into paying hundreds of dollars for technical support services they did not need, as well as software that was otherwise available for free.

According to the FTC’s complaint, Pairsys, Inc., cold-called consumers masquerading as representatives of Microsoft or Facebook, and also purchased deceptive ads online that led consumers to believe they were calling the technical support line for legitimate companies.

“The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security’ software and programs that had no value at all,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “We are pleased that the court has shut down the company for now, and we look forward to getting consumers’ money back in their pockets.”

Whether consumers were cold-called by the company or drawn in by deceptive ads, the FTC’s complaint notes that what followed was a deceptive and high-pressure sales pitch conducted by scammers in an overseas call center. The scammers would convince a consumer to allow them to have remote control over the individual’s computer, in order to analyze the supposed issues.

Once they had access to a consumer’s computer, the FTC alleges, the scammers would lead the consumer to believe that benign portions of the computer’s operating system were in fact signs of viruses and malware infecting the consumer’s computer. In many cases, they implied that the computer was severely compromised and had to be “repaired” immediately.

At that point, consumers were pressured into paying for bogus warranty programs and software that was freely available, usually at a cost of $149 to $249, though in some cases, the defendants charged as much as $600 for the supposed products. The FTC’s filings in the case allege that the company made nearly $2.5 million since early 2012.

The defendants have agreed to the terms of a preliminary injunction issued by the court that prohibits the defendants in the case from making misrepresentations to consumers about what company they represent or whether consumers have viruses or spyware on their computer. They are also banned from deceptive telemarketing practices, and may not sell or rent their customer lists to any third party. The injunction requires that their websites and telephone numbers must be shut down and disconnected, and their assets be frozen.

The defendants in the case, Pairsys, Inc., Uttam Saha and Tiya Bhattacharya, are accused by the FTC of violating both the FTC Act and the Telemarketing Sales Rule. In its complaint, the FTC asks the court to permanently shut down the company and require the defendants to return their ill-gotten gains. The FTC previously brought cases against a number of tech support scammers in 2012 and has received settlements and judgments totaling more than $5 million in those cases.

The Commission vote authorizing the staff to file the complaint was 5-0. The complaint was filed in the U.S. District Court for the Northern District of New York. The stipulated preliminary injunction was entered by the court on Oct. 9, 2014.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.

Tuesday, August 5, 2014

TECH SUPPORT OPERATORS TO PAY OVER $5.1 MILLION FOR MASQUERADING AS MAJOR COMPUTER COMPANIES

FROM:  U.S. FEDERAL TRADE COMMISSION 

Federal Court Orders Tech Support Scammers to Pay More Than $5.1 Million
A U.S. District Court has ordered the operators of several international tech support scams to pay more than $5.1 million, acting on Federal Trade Commission charges that they masqueraded as major computer companies, tricked consumers into believing their computers were riddled with malware and then charged consumers to “fix” them.

The U.S. District Court for the Southern District of New York issued default judgments against fourteen corporate defendants and fourteen individual defendants that allegedly operated the tech support scams. The operations were mostly based in India and targeted English-speaking consumers in the United States and several other countries.

The default judgments permanently ban the defendants from marketing any computer security-related technical support service.  The judgments also ban them from continuing their deceptive tactics and from disclosing, selling or failing to dispose of information they obtained from victims. The judgments in each case are:

The FTC filed the complaints in September 2012 as part of an FTC crackdown on tech support scammers. According to the complaints filed by the agency, the defendants claimed they were affiliated with legitimate companies, including Dell, Microsoft, McAfee, and Norton, and told consumers they had detected malware that posed an imminent threat to their computers. The defendants then charged these consumers hundreds of dollars to remotely access and “fix” the computers.

The FTC charged the defendants with violating the FTC Act, which bars unfair and deceptive commercial practices.  In five of the cases, the FTC also charged the defendants with violating the Telemarketing Sales Rule and with illegally calling numbers on the Do Not Call Registry.

On April 24, 2013 and November 12, 2013, two of the individuals in the PCCare247 case agreed to settle FTC charges and give up ill-gotten gains.  On April 25, 2013, two of the defendants in the Marczak case agreed to settle FTC charges and give up ill-gotten gains.  The default judgments entered by the U.S. District Court apply to the remaining defendants in the tech support cases.

Wednesday, July 16, 2014

ASSISTANT AG CALDWELL TESTIFIES BEFORE SENATE COMMITTEE ON "BOTNET" THREAT

FROM:  U.S. JUSTICE DEPARTMENT 
Assistant Attorney General Leslie R. Caldwell Testifies Before the Senate Committee on the Judiciary Subcommittee on Crime and Terrorism
Washington, D.C. ~ Tuesday, July 15, 2014

Good afternoon, Chairman Whitehouse, Ranking Member Graham, and Members of the Subcommittee.  Thank you for the opportunity to appear before the Subcommittee today to discuss the Department of Justice’s fight against botnets.  I also particularly want to thank the Chair for holding this hearing and for his continued leadership on this important issue.

The threat from botnets—networks of victim computers surreptitiously infected with malicious software, or “malware,” that are controlled by an individual criminal or an organized criminal group—has increased dramatically over the past several years.  The computers of American citizens and businesses are, as we speak, under attack by individual hackers and organized criminal groups using state-of-the-art techniques seemingly drawn straight from a science fiction movie.  Unfortunately, this cybercrime wave is all too real.  Botnet attacks are intended to undermine Americans’ privacy and steal from unsuspecting victims.  If left unchecked, they will succeed.

The Department of Justice, working through highly trained prosecutors and Federal Bureau of Investigation (FBI) agents, recognizes this threat, and is working day and night to protect our citizens, our national security interests, and our businesses.  We responsibly employ the investigative and remedial tools Congress has given us, and we leverage our strengths by teaming up with partners across the federal government and, where appropriate, in the private sector and foreign law enforcement.  As in the recent disruption of the Gameover Zeus botnet, which I will discuss more later, we find ourselves matched against increasingly sophisticated cyber criminals, and must evolve our tools and tactics minute-by-minute to prevent further harm to innocent victims.

Our successful effort to suppress the Gameover Zeus botnet should remind us that those who use botnets to cause harm are increasing in number and sophistication, and we cannot expect continued success if we merely rest on our laurels.  The Department is armed with the laws and resources that we have been granted, but those tools must be updated and enhanced.  If we want to remain effective in protecting our citizens and businesses, our laws and our resources must keep pace with the tactics and numbers of our adversaries.  Our adversaries are always adapting.  So must we.  In my testimony, I will outline several legislative proposals that will assist the Department in its efforts to counter the threat posed by botnets.  Finally, I will outline our resource needs—in particular the need for additional specialized criminal prosecutors.

Current DOJ Anti-Botnet Activities

Cybercrime overall has increased dramatically over the last decade, and caused enormous financial damage and innumerable invasions of Americans’ privacy.  The advances in computing technology that have powered our economy have also empowered those who seek to do us harm.  Today, cyber criminals can steal personal and financial information from tens of millions of citizens in a single breach.  To be sure, thefts of such information were committed long before the digital revolution.  But stealing ten million credit card numbers previously would have required burglarizing thousands of stores, whereas now it can be done from a basement with a laptop.  And some crimes have been uniquely adapted in the digital age.  For example, in a new, disturbing twist on extortion, hackers have secretly activated the cameras on victims’ laptop computers, taken compromising pictures or videos, and demanded payments not to expose those pictures or videos to the public.  All the while, technological advances, including advances designed to protect privacy, such as anonymizing software and encryption, are being used to frustrate criminal or civil investigations and, perversely, protect the wrongdoers.  Our cyber crimefighters must be equipped with the tools and expertise to compete with and overcome our adversaries.

Over the same time period, botnets have emerged as a major threat.  Sometimes called “botmasters” or “botherders,” cyber criminals who control botnets can use advances in communications technology to take control of thousands, or even hundreds of thousands, of victim computers, or “bots.”  They can then command the computers they control to, for example, deluge an internet site with junk data, overwhelming it and knocking it offline.  They may conduct such distributed denial-of-service (DDOS) attacks out of malice, as ideological attacks on those with whom they disagree, or even as a paid service to other criminals.  They can also use the infected bots to steal banking credentials, credit card numbers, and other financial information.  They can use them to send spam—email messages that range from advertising for illegal and dangerous pharmaceutical products, to fraud schemes aimed at artificially inflating the price of stocks, to “phishing” messages that gather sensitive information.  Moreover, cybercriminals can use botnets to engage in other online crime by using their networks of infected computers as “proxies.”  This activity allows such criminals to conceal their identity and location while they commit crimes that range from fraud and theft of data to drug dealing and the sexual exploitation of children.

Botnets pose a threat to the United States, our citizens, and our businesses that must not be underestimated.  By hijacking numerous victims’ identities, credit cards, and bank accounts, criminal groups already have stolen hundreds of millions of dollars.  And every day cyber criminals violate the privacy of Americans on a staggering scale, by stealing financial information, personally identifiable information, login credentials, and other information from victims who often do not even realize their computers have been compromised.  Because botnets can be so lucrative, their designers use sophisticated code, locate their servers in countries around the world, and employ the latest in encryption methods—all designed to frustrate personal and corporate cybersecurity efforts, and to prevent law enforcement from responding effectively.  Indeed, recent cases and ongoing investigations reveal that botnets are used by criminals halfway around the world to commit crimes of a scope and sophistication that was difficult to imagine only a few years ago.

To counter this significant and complex threat, the Justice Department is vigorously responding to botnets and other cybercrimes through the tenacious work of the Criminal Division’s Computer Crime and Intellectual Property Section, also known as CCIPS, and the Computer Hacking and Intellectual Property Coordinators and National Security Cyber Specialists in U.S. Attorneys’ Offices across the country.  These prosecutors, along with colleagues in the National Security Division (NSD), form a network of almost 300 Justice Department cybercrime prosecutors.  In addition, the FBI has made combating cyber threats one of its top national priorities, working through Cyber Task Forces in each of its 56 field offices and continuing to strengthen the National Cyber Investigative Joint Task Force.  The FBI has also moved aggressively to counter the botnet threat through Operation Clean Slate, a major FBI initiative designed to identify and eliminate the most significant criminal botnets.  The United States Secret Service also focuses on cyber threats to financial networks and the personal financial information of Americans.  Through a network of 35 Electronic Crimes Task Forces across the country and in key foreign countries, Secret Service investigations have resulted in the arrest and successful prosecution of the criminals responsible for some of the largest data breaches.  U.S. Immigration and Customs Enforcement, Homeland Security Investigations (HSI), through the HSI Cyber Crimes Center (C3), has also dedicated significant resources to equip its Special Agents with the tools and knowledge necessary to combat transnational cybercrime.

The Department’s response to botnets takes two tracks, often at the same time.  First, whenever possible, we seek to arrest, prosecute, and incarcerate the criminals who use botnets to victimize Americans.  For example, in January 2014, Aleksandr Andreevich Panin, a Russian national, pled guilty in federal court in Atlanta, Georgia to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software known as “SpyEye.”  According to industry estimates, SpyEye has infected over 1.4 million computers in the United States and abroad.  SpyEye secretly infected victims’ computers and enabled cyber criminals to remotely control them through command and control servers.  Designed to automate the theft of confidential personal and financial information, such as online banking credentials, credit card information, usernames, passwords, PINs, and other personally identifying information, SpyEye was the preeminent malware toolkit used from approximately 2009 to 2011.  Panin sold versions of the SpyEye virus to other criminals for prices ranging from $1,000 to $8,500.  Panin is believed to have sold the SpyEye virus to at least 150 “clients” who, in turn, used it to set up their own botnets.  One of Panin’s clients alone was reported to have stolen over $3.2 million in a six-month period using SpyEye.  Panin is awaiting sentencing, and four of his clients and associates were arrested by foreign law enforcement agencies.

Similarly, in federal court in New York in May 2014, Michael Hogue pled guilty, and an indictment was unsealed against Alex Yucel, in connection with their development of a particularly insidious piece of computer malware known as Blackshades.  This malware was sold and distributed to thousands of people in more than 100 countries and was used to infect more than half a million computers worldwide.  Once installed on a computer, the malware could collect the user’s financial information and even turn on the computer’s camera to spy on the unsuspecting user.  An individual who helped market and sell the malware and two Blackshades users who bought the malware and then unleashed it upon unsuspecting computer users were also charged and arrested in the U.S.  The charges and guilty plea were part of a law enforcement operation involving 18 other countries.  More than 90 arrests have been made so far, and more than 300 searches have been conducted worldwide.

Arresting and convicting key players can disrupt criminal enterprises, but such actions are not always sufficient to counter the threat, particularly given the transnational nature of cybercrime.  They also will not always remedy the harm caused by a botnet.  Accordingly, the Department has pursued a second approach to botnets:  the use of seizures, forfeitures, restraining orders, and other civil and criminal legal process to dismantle criminal infrastructure.  In cases such as Gameover Zeus, Blackshades, and a 2011 case involving the Coreflood botnet, the Department used these legal authorities, with judicial authorization and oversight, to wrest domains and servers from cyber criminals’ control, prevent infected computers from communicating with the criminals’ command and control infrastructure, and liberate hundreds of thousands of computers.

In May of this year, CCIPS, the United States Attorney for the Western District of Pennsylvania, and the FBI, in partnership with other federal and private-sector organizations, disrupted a botnet that illustrates the magnitude of the threat.  Before it was disrupted, the Gameover Zeus botnet was widely regarded as the most sophisticated criminal botnet in existence.  One common and sinister method used by Gameover Zeus was a “man-in-the-middle” attack, in which victims trying to access websites for purposes such as online banking were tricked into entering login credentials, passwords, and other personal information that communicated that information to criminals at the same time they were passed on to their destination.  With the click of a mouse, the botmasters then used this stolen information to rob small businesses, hospitals, and other victims, transferring funds from victim accounts to their own accounts.  From September 2011 through May 2014, Gameover Zeus infected between 500,000 and 1 million computers and caused more than $100 million in financial losses.  In one case alone, nearly $7 million was fraudulently transferred from a regional bank.  Other victims included an Indian tribe, a corporation operating assisted living facilities, and a composite materials company.

Gameover Zeus was also used to install Cryptolocker—a type of malware known as “ransomware”—on infected computers.  Cryptolocker enabled cyber criminals to encrypt key files on the infected computers.  Victims then saw a splash screen on their computer monitors, telling them that their files were encrypted and that they had three days to pay a ransom, usually between about $300 and $750, if they wanted to receive the decryption key.  The victims found themselves confronted with the loss of critical data, such as family photographs or essential business records.  In the short period between its emergence in mid-to-late 2013 and the disruption action in May 2014, the Cryptolocker malware infected more than 260,000 computers worldwide.  Many victims simply paid the ransom that was demanded of them.  These victims included the police department of Swansea, Massachusetts, which paid approximately $750 to recover its investigative files and arrest photographs.  Others refused to pay the ransom and tried to defeat the malware.  A Pittsburgh insurance company was eventually able to restore data from a backup, but only after incurring an estimated $70,000 in losses and sending employees home during remediation.  A Florida company lost critical files, which resulted in an estimated $30,000 in loss.  And a North Carolina business, whose main files and backup were both encrypted, lost its critical files despite engaging a computer forensics firm to try to restore its access.  That company has lost about $80,000, and the owner told the FBI that he may have to lay off employees as a result.

Disrupting and mitigating these threats requires determination, technical skill, and creativity.  In response to previous efforts to disable botnets, the creators of the Gameover Zeus botnet designed a novel and resilient structure, including three distinct layers of command and control infrastructure that rendered the botnet particularly difficult to overcome.  The Department’s successful disruption began with a complex international investigation conducted in close partnership with the private sector.  It continued through the Department’s use of an inventive combination of criminal and civil legal process to obtain authorization to stop infected computers from communicating with each other and with other servers around the world.  The operation simultaneously targeted all three command and control layers of Gameover Zeus, and stopped Cryptolocker from encrypting additional computers.  The investigation and court-authorized operation ultimately permitted the team not only to identify and charge one of the leading perpetrators, but also to stop the botnet and ransomware from functioning.  Moreover, the FBI was able to identify victims and, working with the Department of Homeland Security, foreign governments, and private-sector partners, facilitate the removal of malware from many victim computers.  Disclosure to, and engagement with, the public was critical to this remediation effort.  DOJ and DHS released a technical alert to raise awareness of the botnet and lay out resources available to help affected entities minimize the damage.

I cannot emphasize enough the importance to our anti-botnet efforts of the cooperation of foreign governments and our U.S. government and private-sector partners.  In every case I have mentioned, foreign law enforcement services took carefully coordinated steps worldwide to disrupt the scheme and investigate the offenders, by seizing servers, interviewing subjects, making arrests, and providing evidence to U.S. investigators.  The Department has devoted substantial resources to building the relationships with foreign law enforcement partners that made these coordinated efforts possible.  The FBI, for example, maintains more than 60 legal attachés in embassies around the world.  The Criminal Division’s Office of International Affairs provides immeasurable legal support to evidence collection and extradition.  CCIPS conducts training programs to help our allies develop cyber laws, and our federal law enforcement partners work to improve investigative capacities.  Due in large part to our extensive engagement with, and training of, foreign criminal prosecutors and law enforcement officers, we have developed highly productive international relationships that are critical to the success of our investigations and prosecutions.

One factor has harmed our relationships with foreign law enforcement agencies, however:  our inability to rapidly respond to foreign requests for electronic evidence located in the United States.  Our capacity to do so simply has not kept up with the demand.  The President’s budget for fiscal year 2015 requests additional prosecutors, together with support personnel, to be assigned to the Criminal Division and to United States Attorneys’ Offices to streamline and facilitate the process of handling Mutual Legal Assistance Treaty (MLAT) requests between the United States and its law enforcement partners around the world.  The FY 2015 request, if granted, will enable the Department to meet the Administration’s commitment to cut MLAT response times in half by the end of 2015 and reduce the amount of time to comply with legally sufficient requests to a matter of weeks, as well as to strengthen the Department’s relationships with our foreign law enforcement partners, particularly in regard to cyber investigations.

Like the value of our relationships with foreign law enforcement, the expertise, dedication, and cooperation of private-sector entities have been crucial to our success.  For example, security researchers develop highly specialized expertise in particular botnets and help develop countermeasures that match the botnets in sophistication.  Their technical contributions are truly astounding.  Private-sector companies also serve a critical function when they notify victims that their computers have been compromised and supply the tools needed to clean up those computers.  Because the vast majority of the internet is owned and operated by the private sector, we simply could not conduct anti-botnet operations without the firm commitment of network service providers to protecting their customers.

Proposals to Enhance Anti-Botnet and other Cyber Capabilities

The Department is dedicated to using innovative means to target increasingly complex botnet threats as they emerge.  But there is a lot more work to be done, and we ask that Congress continue its support of these critical efforts.  I would like to highlight some of the Department’s legislative and budgetary proposals that would enhance our ability to identify botnet perpetrators, bring them to justice, disrupt their criminal enterprises, and protect the security, privacy, and property of Americans.

Department prosecutors rely on criminal statutes to bring cyber criminals to justice and to halt their criminal activity.  One of the most important of these laws is the Computer Fraud and Abuse Act, also called the “CFAA.”  The CFAA is the primary Federal law against hacking.  It protects the public against criminals who hack into computers to steal information, install malware, and delete files.  The CFAA, in short, reflects our shared baseline expectation that people are entitled to have control over their own computers and are entitled to trust that the information they store in their computers remains safe.

The CFAA was first enacted in 1986, at a time when the problem of cybercrime was still in its infancy.  Over the years, a series of measured, modest changes have been made to the CFAA to reflect new technologies and means of committing crimes and to equip law enforcement with tools to respond to changing threats.  But the CFAA has not been amended since 2008, and the intervening years have again created the need for the enactment of modest, incremental changes.  The Administration’s May 2011 legislative proposal proposed revisions to keep Federal criminal law up to date.  We continue to support changes like these that will keep up with rapidly evolving technologies and uses.

In addition, our investigations of those responsible for creating and using botnets and our efforts to disrupt botnets rely substantially on the availability of legal investigative process pursuant to the Electronic Communications Privacy Act (“ECPA”).  ECPA governs the Department’s access to much of the electronic evidence necessary to investigate botnets, hold perpetrators accountable, and develop methods to free unsuspecting victims.  It is essential to the success of our anti-botnet initiatives, and to our efforts against cybercrime as a whole, that the government maintain the ability to obtain relevant electronic evidence in a responsible, timely and effective manner.

Selling Access to Botnets

In the years since 2011, experience has revealed additional shortcomings in the criminal law.  For example, while botnets can be used for various nefarious purposes, including theft of personal or financial information, the dissemination of spam, and DDOS attacks, the creators and operators of botnets do not always commit those crimes themselves.  Frequently they sell, or even rent, access to the infected computers to others.  The CFAA does not clearly cover such trafficking in access to botnets, even though trafficking in infected computers is clearly illegitimate, and can be essential to furthering other criminal activity.  We thus propose that section 1030(a)(6) of the CFAA be amended to cover trafficking in access to botnets.

In addition, section 1030(a)(6) presently requires proof of an intent to commit a financial fraud.  Such intent is often difficult—if not impossible—to prove because the traffickers of unauthorized access to computers often have a wrongful purpose other than the commission of fraud.  Indeed, sometimes they may not know or care why their customers are seeking unauthorized access to other people’s computers.  This reality has made it more challenging in many cases for our prosecutors to identify a provable offense, even when we can establish beyond a reasonable doubt that individuals are selling access to thousands of infected computers.  We therefore recommend that Congress amend section 1030(a)(6) of the CFAA to address this shortcoming.

Enhancing Judicial Authority to Disrupt Botnets and other Malware

Under current law, two federal statutes, 18 U.S.C. §§ 1345 & 2521, give the Attorney General the authority to bring civil suits against defendants who are engaged in or “about to” engage in wiretapping or the violation of specified fraud crimes. [1]   See 18 U.S.C. §§ 1345(a), 2521.  The court is then empowered to enjoin the violation, “or take such other action, as is warranted to prevent a continuing and substantial injury to the United States or to any person or class of persons for whose protection the action is brought.”  18 U.S.C. § 1345(b); see also 18 U.S.C. § 2521.  Due process is ensured by the balancing test applied by the court to determine whether an injunction is appropriate and by the applicable Federal Rules of Civil Procedure.

These authorities played a prominent role in the Department’s successful disruptions of the Coreflood botnet in 2011 and the Gameover Zeus botnet in 2014.  These botnets collected online financial account information as it was transmitted from infected computers, thus violating the Wiretap Act, and the criminals used their access to steal from victims’ bank accounts, which constitutes wire and bank fraud.  Because these botnets violated statutes against fraud and wiretapping, courts were authorized to issue orders under sections 1345 and 2521 that permitted the United States to take corrective action necessary to disrupt them.

No analogous statutory authority exists, however, for violations of the CFAA that do not involve fraud or the interception of communications.  As a result, the law does not provide a clear statutory remedy for the government to use against botnets or other types of malware that criminals employ for other purposes, such as DDOS attacks.  Similar to frauds and illegal wiretaps, these types of computer hacking—which are prohibited under section 1030—present serious threats that can cause severe and continuing damage as long as they persist.  We would welcome the opportunity to work with the Committee to ensure that the law appropriately addresses this challenge.

Criminalizing the Overseas Sale of Stolen U.S. Financial Information

To ensure that we can take action when cyber criminals acting overseas steal data from U.S. financial institutions, we also recommend a modification to what is known as the access device fraud statute, 18 U.S.C. § 1029.  One of the most common motivations for criminal hacking is to obtain financial information.  The access device fraud statute proscribes the unlawful possession and use of “access devices,” such as credit card numbers and devices such as credit card embossing machines.  Not only do lone individuals commit this crime, but, more and more, organized criminal enterprises have formed to commit such intrusions and to exploit the stolen data through fraud.

The Department of Justice recommends that the statute be expanded to enable prosecution of offenders based in foreign countries who directly and significantly harm United States financial institutions and citizens.  Currently, a criminal who trades in credit card information issued by a U.S. financial institution, but who otherwise does not take one of certain enumerated actions within the jurisdiction of the United States, cannot be prosecuted under section 1029(a)(3).  Such scenarios are not merely hypothetical.  United States law enforcement agencies have identified foreign-based individuals selling vast quantities of credit card numbers issued by U.S. financial institutions where there is no evidence that those criminals took a specific step within the United States to traffic in the data.  The United States has a compelling interest in prosecuting such individuals given the harm to U.S. financial institutions and American citizens, and the statute should be revised to cover this sort of criminal conduct.

Enhancing Resources to Combat Botnets and other Cyber Threats

This last May, the Department submitted to Congress a multiyear cyber threat strategic plan.  The report identified six strategic initiatives:

1. Ensure that all of DOJ's investigators and attorneys receive training on cybercrime and digital evidence.
2. Increase the number of digital forensic experts and the capacity of available digital forensic hardware.
3. Enhance DOJ's expertise in addressing complex cyber threats.
4. Improve information sharing efforts with the private sector.
5. Expand and strengthen relationships with international law enforcement and criminal justice partners on cybercrime to enhance the sharing of electronic evidence.
6. Enhance capacity in the area of cyber policy development and associated legislative work.

The plan repeatedly highlighted the disruption of botnets as a key priority.  In order to properly address the threat of botnets and other cybercrimes, components across the Department, such as CCIPS, NSD, and the United States Attorneys’ Offices, need additional resources.

The Department confronts an increasing demand for its anti-cybercrime expertise.  CCIPS, for example, conducts its own prosecutions, receives requests for consultation of its attorneys or digital investigative analysts, provides advice to law enforcement agencies, engages with the private sector regarding the implementation of investigative authorities, and delivers domestic and international training.  This escalation in activity is due in part to the ever-expanding nature of the cyber threat.  Prosecutorial needs have also resulted from the expansion of investigative efforts, as the FBI has increased its resources in support of the Next Generation Cyber Initiative to enhance the technical capabilities of investigative personnel, increase cyber investigations, and improve cyber collection and analysis.

The Department would like to thank the Senate for its continued support of our national security-related cyber efforts, including fiscal year 2014 funding increases that are allowing the Department to hire more than a dozen additional national security cyber professionals, including attorneys, in furtherance of our efforts to combat cyber-based terrorism and nation state-sponsored cyber intrusions.  Just this summer, thanks in part to your support, those efforts yielded historic results, with the indictment of five members of the Chinese military on charges of cyber-based economic espionage.  Cyber threats to the national security continue to evolve, and to outpace our growth, but the Department is committed to following the facts and evidence where they lead to detect, deter, and disrupt them.  We look forward to continuing to work with you on this front.

Conclusion

I very much appreciate the opportunity to discuss with you the Department’s efforts to combat botnets.  We are committed to using all available tools to disrupt these networks and bring perpetrators to justice, as we seek to protect Americans’ security, privacy, and property.    
Thank you for the opportunity to discuss the Department’s work in this area, and I look forward to answering any questions you might have.

Tuesday, June 3, 2014

ASSISTANT AG CALDWELL'S REMARKS FOR GAMEOVER ZEUS AND CRYPTOLOCKER OPERATIONS AND RELATED CYBER THREAT

FROM:  U.S. JUSTICE DEPARTMENT 
Assistant Attorney General Leslie R. Caldwell Delivers Remarks for the Gameover Zeus and Cryptolocker Operations and Related Criminal Charges
Washington ~ Monday, June 2, 2014

Good afternoon and thank you, Deputy Attorney General Cole, for the warm welcome.   It is indeed a pleasure to return to the Justice Department, and an honor to serve as the head of the Criminal Division.   I am reminded today, however, of how much the cyber threat landscape has changed since I last worked as a federal prosecutor.

Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cyber crimes that you might not believe if you saw them in a science fiction movie.   By secretly implanting viruses on computers around the world, they built a network of infected machines – or “bots” – that they could infiltrate, spy on, and even control, from anywhere they wished.   Sitting quietly at their own computer screens, the cyber criminals could watch as the Gameover Zeus malware intercepted the bank account numbers and passwords that unwitting victims typed into computers and networks in the United States.   And then the criminals turned that information into cash by emptying the victims’ bank accounts and diverting the money to themselves.   Typically, by the time victims learned they had been infected with Gameover Zeus, it was too late.

The Cryptolocker scheme, by contrast, was brutally direct about obtaining victims’ money.   Rather than watch and wait, the cyber criminals simply took the victim’s computer hostage until the computer owner agreed to pay a ransom directly to them.   They used sophisticated encryption – a tool originally designed to protect data from theft – to make it impossible for victims to access any data stored on their computers.  The criminals effectively held for ransom every private email, business plan, child's science project, or family photograph – every single important and personal file stored on the victim’s computer.   In order to get their data back, computer owners had to hand over their cash.   As with Gameover Zeus, once you learned you were infected with the Cryptolocker malware, it was too late.

As the Deputy Attorney General mentioned, these schemes were highly sophisticated and immensely lucrative, and as you can imagine, Bogachev and his co-conspirators did not make them easy to reach or disrupt.   But under the leadership of the Justice Department, federal prosecutors, FBI agents and analysts, foreign law enforcement authorities in more than 10 different countries, and numerous private sector partners joined together to disrupt both these schemes.

Here is what we did: first, on May 7, in coordination with the FBI, Ukrainian authorities seized and copied key Gameover Zeus command servers in Kiev and Donetsk.   Then, on Monday, May 19, as you will hear from U.S. Attorney Dave Hickton, we obtained sealed criminal charges against Bogachev in Pittsburgh charging him with illegal hacking, fraud and money laundering.   We took more steps on Wednesday, May 28, obtaining civil court orders against Bogachev and his co-conspirators based on federal laws that prohibit ongoing fraud and the illegal interception of communications.   These orders allowed us to cause the computers infected with Gameover Zeus to cease communicating with computer servers controlled by the criminals, and instead to contact a server established by the court order.   The court also authorized us to collect information necessary to identify the victim computers so that we can provide that information to public- and private-sector entities that can help the victims rid their computers of the infection.   At the same time, our foreign law enforcement partners seized critical computer servers used to operate Cryptolocker, which resulted in Cryptolocker being unable to encrypt victim files.

Beginning in the early morning hours on Friday and continuing through the weekend, the FBI and foreign law enforcement then began the coordinated seizure of computer servers around the world that had been the backbone of Gameover Zeus and Cryptolocker.   These seizures took place in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the United Kingdom.   Recognizing that seizures alone would not be enough because cyber criminals can quickly establish new servers in other locations, our team began a carefully timed sequence of technical measures to wrest from the criminals the ability to send commands to hundreds of thousands of infected computers, and to direct those computers to contact the server that the court had authorized us to establish.   Working from command posts in the United States and at the European Cybercrime Centre in the Hague, Netherlands, the FBI and our foreign counterparts—assisted by numerous private sector partners—worked feverishly around the clock to accomplish this re-direction and to defeat various defenses built into the malware, as well as countermeasures attempted in real time over the weekend by the cyber criminals who were trying to retain control over their network.

I am pleased to report that our actions have caused a major disruption of the Gameover Zeus botnet.   Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week.   We have already begun providing victim information to private sector parties who are poised to assist them.   I am also pleased to report that, by Saturday, Cryptolocker was no longer functioning and its infrastructure had been effectively dismantled.    Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack.  

Over the next few days and weeks, our investigators and prosecutors will work with private-sector partners to notify infected victims and provide links to safe and trusted tools that can help them rid themselves of Gameover Zeus and Cryptolocker and then close the vulnerabilities through which their computers were infected.  We will work with our foreign partners to continue the disruption of the botnet’s technical infrastructure and identify additional victims.  And we will do our best to ensure that the operators cannot re-establish control over the infected machines and thus continue their lucrative enterprise.

These legal and technical measures, as cutting edge as they are, are far from a complete solution to these sophisticated threats.   We fully expect that these schemes will re-emerge and evolve as the criminals target and infect new victims.   That is why we are combining these measures with criminal charges against the defendant Evgeniy Bogachev for his role as an administrator of both schemes.   We are asking Russian law enforcement to take action to bring this defendant and those working with him to justice, and will work with our counterparts to do so.   As Deputy Attorney General Cole stated, it is only by combining traditional law enforcement actions with the type of innovative legal and technical measures announced today that we can begin to fully address modern cyber threats.

I want to thank all those who contributed to this operation, and in particular our private sector and international partners who worked so closely with us on this sophisticated operation.   And now I would like to invite U.S. Attorney Dave Hickton of the Western District of Pennsylvania to make remarks.

Thank you.

Saturday, May 24, 2014

FTC TESTIFIES BEFORE SENATE HOMELAND SECURITY SUBCOMMITTEE REGARDING ONLINE ADVERTISING

FROM:  FEDERAL TRADE COMMISSION 
FTC Outlines Recommendations for Online Advertising In Testimony Before Senate Homeland Security Subcommittee

The Federal Trade Commission testified before Congress today on the agency’s ongoing efforts to protect consumers from emerging threats related to online advertising, as well as the Commission’s recommendations in this area.

Testifying on behalf of the Commission before the Senate Committee on Homeland Security and Governmental Affairs’ Permanent Subcommittee on Investigations, Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, outlined steps the agency is taking to address concerns related to online advertising through enforcement and consumer education.

The testimony highlights work by the Commission on three consumer protection issues affecting the online advertising industry: privacy, spyware and other malware, and data security.

In the area of privacy, the testimony notes the recommendations put forth in the Commission’s 2012 privacy report, which encourages businesses to provide consumers with simpler and more streamlined privacy choices about their data, through a robust universal choice mechanism for online behavioral advertising.

The testimony also addresses a number of privacy cases brought by the FTC against companies in the online advertising industry.  For example, the testimony describes the FTC’s 2012 settlement with Google, in which the company agreed to pay a $22.5 million civil penalty to resolve charges that it misrepresented to some consumers that it would not place tracking cookies or serve targeted ads to them.

The testimony also describes the FTC’s cases to combat spyware and other malware. These cases support three core principles: first, that a consumer’s computer belongs to him or her, and it must be the consumer’s choice whether to install software; second, that buried disclosures about material information necessary to correct an otherwise misleading impression are not sufficient in connection with software downloads; and third, that a consumer should be able to disable or uninstall any software they do not want on their computer.

The testimony also highlights the FTC’s extensive consumer education work aimed at helping consumers avoid and detect spyware and other malware, including its sponsorship of OnGuardOnline.gov.

On the topic of data security, the testimony underscores the Commission’s enforcement actions, noting that the agency has obtained settlements in 53 data security cases, including recent cases against the mobile app company Snapchat, as well as with Credit Karma, Fandango and home security camera maker TRENDnet.

The testimony recommends expanding efforts to educate both consumers and businesses, and also encourages industry self-regulation efforts aimed at protecting consumers from malicious online advertisements.

In addition, the testimony renews the Commission’s call for the enactment of a strong federal data security and breach notification law, noting that a national law would simplify compliance for businesses while ensuring that all consumers are protected. The testimony also notes that supplementing the Commission’s existing data security authority with the ability to seek civil penalties in appropriate circumstances would provide a deterrent to those engaging in unlawful conduct that puts consumers’ personal data at risk.

The Commission vote approving the testimony and its inclusion in the formal record was 5-0.    

Wednesday, February 12, 2014

FTC WARNING: SCAMMERS ARE SENDING FAKE "FUNERAL NOTICES"

FROM:  FEDERAL TRADE COMMISSION 
FTC: Scammers Hit New Low by Sending Fake “Funeral Notices”

Scam artists are forever trying to trick people into clicking on links that will download malware to their computers. But the latest scam takes the trick to a new low. Scammers are sending bogus emails with the subject line “funeral notification.” The message appears to be from a legitimate funeral home, offers condolences, and invites you to click on a link for more information about the upcoming “celebration of your friend’s life service.” But instead of sending you to the funeral home’s website, the link downloads malware to your computer.

In “Fake funeral notice can be deadly – for your computer,” the FTC’s new blog post about this scam, consumers will find tips to reduce the risk of downloading unwanted malware and spyware.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them.

Saturday, September 8, 2012

MASTER OF MALWARE SENTENCED TO PRISON

FROM: THE U.S. DEPARTMENT OF JUSTICE
Thursday, September 6, 2012

Arizona Man Sentenced to 30 Months in Prison for Selling Access to Botnets

WASHINGTON – Joshua Schichtel, 30, of Phoenix, was sentenced today to 30 months in prison for selling command-and-control access to and use of thousands of malware-infected computers, announced Assistant Attorney General Lanny A. Breuer of the Justice Department’s Criminal Division and U.S. Attorney for the District of Columbia Ronald C. Machen Jr.

Schichtel was sentenced by Chief U.S. District Judge Royce C. Lamberth in the District of Columbia. In addition to his prison term, Schichtel was ordered to serve three years of supervised release.

Schichtel entered a guilty plea on Aug. 17, 2011, to one count of attempting to cause damage to multiple computers without authorization by the transmission of programs, codes or commands, a violation of the Computer Fraud and Abuse Act.

According to court documents, Schichtel sold access to "botnets," which are networks of computers that have been infected with a malicious computer program that allows unauthorized users to control infected computers. Individuals who wanted to infect computers with various different types of malicious software (malware) would contact Schichtel and pay him to install, or have installed, malware on the computers that comprised those botnets. Specifically, Schichtel pleaded guilty to causing software to be installed on approximately 72,000 computers on behalf of a customer who paid him $1,500 for use of the botnet.

This case was investigated by the Washington Field Office of the FBI. The case is being prosecuted by Corbin Weiss, Senior Counsel in the Criminal Division’s Computer Crime and Intellectual Property Section and Special Assistant U.S. Attorney for the District of Columbia.
