Microsoft and the banking industry on Monday provided a detailed, behind-the-scenes account of an operation they said disrupted a major cybercrime operation that used malicious software to allegedly steal $100 million from consumers over the last five years.
A senior attorney from Microsoft's digital crimes unit, Richard Boscovich, said the company and financial industry associations used a creative legal strategy as part of a civil lawsuit that targeted a global network of computers suffering from an infection known as "Zeus." Those computers were under the remote control of a criminal group that stole personal information, financial credentials and money, according to court records. The Zeus network has not been eliminated, Boscovich said, but the action has made it much more difficult and expensive for the criminals to operate.
"This was an initial volley," according to Boscovich, who said Microsoft and the industry groups will continue to target the Zeus network.
A federal judge approved a warrant authorizing the raid in late March against computer servers at hosting centers in Illinois and Pennsylvania. Attorneys for Microsoft, the Electronic Payments Association and the Financial Services Information Sharing and Analysis Center had filed a civil lawsuit claiming the Zeus network had infected 13 million computers since 2007. Boscovich said he believes the people behind the Zeus botnets are located in Eastern Europe. He declined to be more specific because the case is ongoing.
United States marshals accompanied employees of Microsoft on the sweep, according to Boscovich, a former U.S. prosecutor. The company and the industry groups relied on existing federal laws, including the 1946 Lanham Act that covers trademark infringement and the Racketeer Influenced and Corrupt Organizations Act, a statute that has been used to prosecute members of the mafia and the Hells Angels motorcycle gang. Congress envisioned that civil litigants would use both laws to protect their own interests, according to Boscovich.
A federal judge in New York granted their request for what Boscovich and others described as a "takedown" of the network's command and control servers. ""The framework has always been there," he said. "The court really understood what we were trying to do."
Boscovich and two other executives _ Janet Estep of the Electronic Payments Association and Bill Nelson of the Information Sharing and Analysis Center _ discussed the Zeus raid, called Operation b71, during a presentation at a conference in Baltimore.
The Zeus network sent spam email with corporate trademarks, including Microsoft's and the Electronic Payment Association's, and a message that directed victims to download an attached file or open an attached link, according to records filed in federal court by attorneys for Microsoft and the industry groups. These so-called "phishing" emails would tell users the files or links contained important information about their finances or were software security updates that needed to be installed as soon as possible.
About three and half million infected computers are now being directed to Microsoft instead of the Zeus command and control servers, Boscovich said.
Estep said a visible measure of Operation b71's impact is a significant reduction in spam blamed on the payment association or using the organization's logo. Prior to the raid, nearly 11.5 million of these emails were being sent each week to unsuspecting users and that number has dropped to about 1 million, she said.
Operation b71 shows how the private sector is not waiting for U.S. lawmakers to create a system for giving the private sector access to sensitive information gathered by U.S. intelligence agencies about threats in cyberspace. The House on Thursday passed the Cyber Intelligence Sharing and Protection Act despite a White House veto threat over concerns the bill fails to protect privacy rights.
In the Senate, a coalition of Democrats and Republicans prefer a bill by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, that would give the Homeland Security Department the primary role in overseeing domestic cybersecurity and the authority to set security standards. The House bill does not give Homeland Security that authority. The White House favors the Senate measure.
Greg Garcia, a former assistant secretary for cybersecurity and communications at the Homeland Security Department and the moderator of Monday's discussion, said a framework for exchanging cyberthreat data would create even more opportunities for cases against cybercriminals.
"There are very many instances of cyberthreats out in the wild that the government and the intelligence community know the specifics about," Garcia said.