Prosecutors In N.Y. Charge Dozens With Cybercrime
MELISSA BLOCK, host:
Federal prosecutors in New York say foreign hackers have stolen at least $3 million from American bank accounts. They're charging more than 60 people, mainly Russians and other Eastern Europeans.
As NPR's Martin Kaste reports, the computer virus they allegedly used in the scam is not new, but it's proved to be tough to stop.
MARTIN KASTE: This is not reassuring news for your elderly relatives who are afraid of online banking. In a news conference this afternoon, Preet Bharara, the U.S. attorney for the southern district of New York, made the Internet sound like the domain of digital John Dillingers.
PREET BHARARA (U.S. Attorney, Southern District of New York): The modern high-tech bank heist does not require a gun, a mask, a note or a getaway car. It requires only the Internet and ingenuity, and it can be accomplished in the blink of an eye with just a click of the mouse and at a distance of thousands of miles.
KASTE: Still, these alleged scammers were not able to just zap the money out of the United States. According to prosecutors, big international wire transfers would be too risky. Instead, the hackers allegedly recruited foreigners living in the U.S. to set up accounts in American banks to receive the stolen money and then move it overseas more discreetly. That's apparently how the operation was detected. The feds have concentrated on these mules, as they're called.
But for American banking customers, the more urgent question is how did the hackers get access to the victims' bank accounts? Bharara blames a virus or malware called the Zeus Trojan.
Mr. BHARARA: The malware would get lodged on someone's computer when a benign-seeming email that was, in fact, not benign was opened. And then that software would keep track of keystrokes on the part of the computer user, so when that computer user logged into his or her bank account, that information would be retained and then transmitted, and so people could access the bank account information.
KASTE: American banks usually say not to worry. If somebody logs into your account and steals money this way, they'll replace the funds. But they also counsel caution. Kirk Lindsey of Bank of America gives the usual computer safety advice.
Mr. KIRK LINDSEY (Senior Vice President, Bank of America): Keep your computer operating system and browser up to date with the latest software and security downloads, even - you get patches and you get service packs that your software provider has, please, you know, just keep those up to date.
KASTE: So update your computer, use virus software and so on. Will that be enough to protect those elderly relatives as they bank online?
Mr. DANIEL SCHWALBE (Assistant Director of Security Services, Office of the CISO, University of Washington): It may not.
KASTE: Daniel Schwalbe does computer security services at the University of Washington in Seattle.
Mr. SCHWALBE: I have seen systems compromised that were fully patched and were running current anti-virus software.
KASTE: Schwalbe believes this kind of hacker attack is a greater danger now than just a couple of years ago. And one of the most persistent threats is the Zeus Trojan, the malware that prosecutors in New York blame for the bank heists there.
Mr. SCHWALBE: It's sort of made a name for itself because there's something called the Zeus kit, which you can actually buy off the black market, and it's highly customizable. Depending on what information you would like your Trojan to steal, you can just turn on and off options and then deploy it, and it will steal that particular information.
KASTE: And somebody is making good money just selling the virus itself, Schwalbe says. If you buy the Zeus kit online, it will cost you about $5,000. But don't try pirating it. It comes with a strict site license to keep its authors from getting ripped off.
Martin Kaste, NPR News.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.