FBI teams up with hackers to bust bank robbing botnet

cyber hack outbreak

American and British police have managed to stop a massive hacking operation that infected computers worldwide, stealing at least $10 million from the United States alone.

On Tuesday, U.S. prosecutors announced a victory in the war on malware.

Law enforcement -- with the help of several cybersecurity firms -- took control of a network of machines that distributed malicious software known as "Bugat," "Cridex" or "Dridex."

This malware preyed on unsuspecting people by slipping into their computers, stealing passwords and siphoning money from bank accounts.

For distribution, it relied on a network of enslaved computers. Experts say the botnet infected maybe 125,000 computers a year.

Separately, the U.S. Department of Justice also filed criminal charges against Andrey Ghinkul, a 30-year-old man who is believed to have been the hacker at the helm of the operation.

Ghinkul was recently arrested in Cyprus, and American prosecutors are seeking to have him extradited to stand trial in the United States.

U.S. Attorney David J. Hickton of Pennsylvania said: "We have struck a blow to one of the most pernicious malware threats in the world."

According to the indictment, Ghinkul's high-tech thievery stretches back years -- and he wasn't alone.

Investigators believe Ghinkul and others sent official-looking spam that tricked people to open poisonous email attachments. Using that method, they were able to steal $3.5 million from Penneco Oil in Pennsylvania in 2012 and send that to bank accounts in Belarus and Ukraine, according to the indictment.

The same way, Ghinkul tried to steal nearly $1 million from the Sharon City School District in Pennsylvania in 2011, but wasn't able to pull it off, investigators said.

The takedown was conducted by government agents from the FBI, the British National Crime Agency, Europol's European Cybercrime Centre and the German Bundeskriminalamt.

But private companies were pivotal. Dell SecureWorks told CNNMoney it led the operation of actually hacking the botnet that spread the malware. It was supported by cybersecurity companies Fox-IT, S21sec, Spamhaus and others.

Computer researchers at Dell SecureWorks were the first to discover the bank-credential-stealing computer program back in 2010. Bugat, as it was called then, would spy on peoples' Web browsing, recognize when they visited a bank website, then intercept the usernames and passwords and send them back to hackers.

Bugat evolved over the years into smarter and more capable versions. Researchers called later it Cridex, then eventually Dridex.

The massive botnet distribution system -- the one that was just shut down -- made Dridex the most popular malware bombarding corporate computer networks. If work email got hit with spam, it's likely much of it was Dridex.

Hackers sent out waves of up to 350,000 Dridex-laced spam emails every day, according to Proofpoint, a cybersecurity firm that provides a service that secures company emails.

Earlier this year, researchers at Dell SecureWorks started working on a project to disrupt the monstrous botnet. It teamed up with law enforcement, and received legal permission to hack the botnet, according to the company.

The major event happened on Aug. 28, 2015, when police in Cyprus arrested Ghinkul. The spread of Dridex malware immediately stopped, according to experts.

Then came the operation to grab the botnet itself. Last week, Dell SecureWorks employees stationed all over the world began a secret, multi-day operation to sneak into the "host" computers that sit atop a massive pyramid of enslaved, spam-spewing computers.

"We were able to wrestle away the network of infected computers out of the control of the hackers," Dell SecureWorks researcher Jeff Williams told CNNMoney. "They can't continue to harvest data."

The botnet is now under the control of an organization called The Shadowserver Foundation, a little-known group of professional hackers who volunteer to make the Internet safer for the public.

Experts say this was only a temporary setback for hackers. Police have taken out a distribution network -- but not the malware itself. In fact, Proofpoint has seen Dridex being distributed by other botnets at the same levels as before.

"It's not over. It's not even close to over," said Kevin Epstein, a researcher at Proofpoint. "Dridex is back with a vengeance. If you're selling drugs and someone takes out your distributor, does it take the drugs off the street?"

Hackers are learning to spy on you on YouTube
Hackers are learning to spy on you on YouTube

CNNMoney Sponsors