A Romanian duo has been convicted for infecting hundreds of thousands of computers with malware that scooped up credentials and financial information, and scamming victims out of millions of dollars.
The two, Bogdan Nicolescu, 36, and Radu Miclaus, 37, were convicted by a federal jury in Ohio on Thursday for allegedly developing and spreading malware that infected more than 400,000 computers in the U.S. The malware scooped up credentials, financial data, personal information and more.
Nicolescu and Miclaus “were convicted after a 12-day trial of conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft, conspiracy to commit money laundering and 12 counts each of wire fraud,” according to a press release by the Department of Justice (DoJ). “Sentencing has been set for Aug. 14, 2019 before Chief Judge Patricia A. Gaughan of the Northern District of Ohio.”
The two allegedly began developing and spreading the malware in 2007, the DoJ said, Computers were first infected via malicious emails purporting to be from legitimate entities such as Western Union, Norton AntiVirus and the IRS.
But when recipients clicked on an attached file, the malware was installed onto their systems. From there, it harvested personal data, credit card information, user names and passwords, disabled victims’ malware protection tools, and blocked their access to websites associated with law enforcement.
The pair were able to copy victims’ email contacts using the malware, and consequently sent those contacts malicious emails as well. In addition, the malware activated files forcing victims’ systems to register AOL accounts, and then sent more victims malicious emails from these legitimate email addresses.
The two registered more than 100,000 email accounts using this method, and were able to send tens of millions of malicious emails, according to the DoJ.
Nicolescu and Miclaus also injected fake webpages into legitimate websites, such as eBay, to intercept victims’ visits to these legit websites and trick them into entering credentials into the spoofed webpage.
“When victims with infected computers visited websites such as Facebook, PayPal, eBay or others, the defendants would intercept the request and redirect the computer to a nearly identical website they had created,” said the DoJ. “The defendants would then steal account credentials. They used the stolen credit card information to fund their criminal infrastructure, including renting server space, registering domain names using fictitious identities and paying for Virtual Private Networks (VPNs) which further concealed their identities.”
Finally, the two placed more than 1,000 fraudulent listings for automobiles, motorcycles and more on eBay. The two put malware-ridden photos on the listings, which then redirected victims who clicked on them to spoofed webpages that looked like the legitimate eBay page. These webpages tricked victims into paying for the “items” through a nonexistent “eBay Escrow Agent” – which turned out simply to be a person hired by the pair to collect the money and give it to them. This scam resulted in a loss of millions of dollars, according to DoJ.
The duo are only the latest to be indicted as part of the DoJ’s cybercrime crackdown over the past year. In December, the DoJ charged two Chinese hackers with stealing “hundreds of gigabytes” of data from more than 45 other governmental organizations and U.S.-based companies. And in August, the DoJ nabbed three suspected members of the FIN7 cybercrime group, accused of hacking more than 120 U.S.-based companies with the intent of stealing bank cards.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.