The FBI, Microsoft and financial services industry leaders successfully disrupted more than 1 000 botnets built on Citadel malware in a massive global cybercrime operation that is estimated by the financial services industry to have been responsible for over half a billion dollars in financial fraud.
The botnets were responsible for stealing people’s online banking information and personal identities. This co-ordinated disruption resulted from an extensive investigation that Microsoft and its financial services and technology industry partners began in early 2012.
After looking into this threat, Microsoft and its partners found that once a computer was infected with Citadel, the malware monitored and recorded the victim’s keystrokes.
This tactic, known as keylogging, gives cybercriminals the credentials they need to gain direct access to a victim’s bank account or any other online account in order to withdraw money or steal personal identities. This means that when victims use their computers to access their bank or other online accounts, cybercriminals can use the captured credentials to quietly pilfer those same accounts.
Microsoft also found that, in addition to being responsible for more than half a billion dollars in losses among people and businesses worldwide, the Citadel malware has affected upwards of 5-million people, with some of the highest numbers of infections appearing in the US, Europe, Hong Kong, Singapore, India and Australia.
Citadel is a global threat that is believed to have infected victims in more than 90 countries since its inception.
“The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world,” says Brad Smith, Microsoft general counsel and executive VP: legal and corporate affairs.
“Today’s co-ordinated action between the private sector and law enforcement demonstrates the power of combined legal and technical expertise and we’re going to continue to work together to help put these cybercriminals out of business.”
Last week, supported by declarations from financial services leaders and other industry partners, Microsoft filed a civil suit against the cybercriminals operating the Citadel botnets, receiving authorisation from the US District Court for the Western District of North Carolina for Microsoft to simultaneously cut off communication between 1 462 Citadel botnets and the millions of infected computers under their control.
On June 5, Microsoft, escorted by the US Marshals, seized data and evidence from the botnets, including computer servers from two data hosting facilities in New Jersey and Pennsylvania.
Microsoft also provided information about the botnets’ operations to international Computer Emergency Response Teams (CERTs), so these partners could take action at their discretion on additional command and control infrastructure for the botnets located outside of the US.
Richard McFeely, executive assistant director of the Criminal, Cyber, Response and Services branch of the FBI, says the FBI provided information to foreign law enforcement counterparts so that they could also take voluntary action on botnet infrastructure located outside of the US. The FBI also obtained and served court-authorised search warrants domestically related to the botnets.
“Today’s actions represent the future of addressing the significant risks posed to our citizens, businesses, and intellectual property by cyber-threats and malicious software, which are often enabled by counterfeit and unlicensed software,” McFeely says.
“Creating successful public-private relationships – in which tools, knowledge, and intelligence are shared – is the ultimate key to success in addressing cyber-threats and is among the highest priorities of the FBI.
“We must ensure that, as cyber-policy is developed, the ability of the private sector to co-ordinate in real time with the FBI is encouraged so that a multi-prong attack on our cyber adversaries can be as effective as possible.”
The actions are part of a larger US government strategy led by the National Cyber Investigative Joint Task Force (NCIJTF) to target botnet creators and distributors.