Lessons from Gameover Zeus Takedown: How Banking Trojans Are Used for Cyber Espionage
Eward Driehuis

The May 2014 takedown of the botnet behind the Gameover Zeus banking Trojan taught law enforcement and banking institutions many lessons, says Eward Driehuis of the cybersecurity and threat intelligence firm Fox-IT. For example, the takedown made it clear that banking malware is not just used to take over bank accounts and steal money; it's also used to steal corporate data for cyberespionage.

In an Aug. 5 presentation at the Black Hat conference in Las Vegas, representatives of Fox-IT, along with the Federal Bureau of Investigation, discussed their joint investigation into Gameover Zeus and what they learned about the criminals behind it.

"Gameover Zeus for several years, up until 2014, was considered by many to be the most notorious and successful cybercrime gang out there," Driehuis says in an interview with Information Security Media Group to discuss the presentation.

Fox-IT began investigating the gang in 2006 because the Trojan had been used against several of its bank customers, Driehuis says. Fox-IT then shared with the FBI the information it had gathered about the Trojan and the actors behind it.

The investigation determined that more than 50 cybercriminals were behind Gameover Zeus, and the gang used the Trojan to steal more than 30 terabytes of data and more than $100 million from victims throughout the world, Driehuis says.

"They called themselves the Business Club, and they had a leadership of two people," he says. "They had a support crew of four to six people. They had trusted suppliers and they had the botnet."

The botnet, which initially was used to steal online banking account credentials to perpetrate account takeover fraud, was later used for cyber-espionage, Driehuis says.

The actors behind Gameover Zeus apparently tried to maximize their return on investment in the botnet by marketing it for other purposes, such as waging Cryptolocker ransomware attacks and conducting espionage, he says.

"We have definitely seen financial criminals and the corporate espionage criminals converging their methods," Driehuis says. "Since 2011, we have seen financial criminals selling individual bots or multiple bots that they thought were in corporate accounts to spies, and we saw actual espionage tools related to those bots in our investigation."

During this interview, Driehuis also discusses:

  • Details about the masterminds behind Gameover Zeus;
  • Why the takedown of Gameover Zeus is deemed a success; and
  • Why educating corporate customers about the threats banking Trojans pose is the best defense banking institutions can implement.

Driehuis is the director of product management and marketing at Fox-IT, where he works with financial institutions, e-commerce companies and other corporate enterprises in the U.S., Europe, the Middle East, Asia and Australia. Before joining Fox-IT, Driehuis spent 18 years working as a chief technology officer and business director for various companies.