How Cybercriminals Used Banks, Facebook, And Amazon For A World Tour Of Theft

Hamza Bendelledj is believed to have stolen funds from 127 American banks over the past six years using a Zeus-powered botnet. A new report suggests it infected more than a third of the world's IP addresses and sent 1.5 million fake Facebook emails in a single day.

Cybercrime—in both its information-stealing and cash-stealing incarnations—is widespread and lucrative. August institutions like the New York Times and Wall Street Journal found their networks riddled with cyberspies after writing stories critical of China. And @barackobama himself likely fell victim to a Twitter breach. This past fall, $70 million in assets were stolen from European and American bank customers by a sophisticated botnet called Zeus. Even Google head Eric Schmidt writes in his upcoming book The New Digital Age that Chinese cyberattacks are a global “threat.”

That's, in part, because cybercrime hops borders with ease. Take the case of Zeus. A new report describes how its creator robbed American and European banks blind. In January Thai authorities (on behalf of Malaysian authorities) arrested a 24-year-old Algerian believed to be a botmaster behind Zeus. He's now awaiting extradition to the United States.


Hamza Bendelledj, who was believed to have used the alias “bx1” online, is suspected of stealing funds from 127 American banks over the past six years. As of press time, the FBI has not announced what crimes Bendelledj will be charged with—cybersecurity experts such as Brian Krebs believe he set up a sophisticated network of hacked financial sites designed to turn non-tech savvy Internet users' computers into nodes in a massive botnet that attacked banks worldwide.

Krebs claims Bendelledj was one of the most prolific botmasters using Zeus. Upon his arrest, Bendelledj was dubbed “The Smiling Hacker” by the tabloidriffic Thai press for his beaming smile during airport detainment. “When asked what he did with the money, he said he spent it on traveling and a luxurious life, like flying first class and staying in luxury places," Bangkok Immigration Police Chief Pharnu Kerdlarpphon told reporters at a news conference.

According to cybersecurity firm F-Secure's Second Half of 2012 Threat Report, Zeus was intentionally designed to target intelligent but non-tech-savvy Internet banking users in North America and Europe.

Cybercriminals initially purchased Zeus through hacker websites located either on the conventional internet or in the Tor-accessible underweb—Zeus is a for-profit product designed intentionally for robbing banks.

F-Secure's research focused on the peer-to-peer variant of Zeus, which created a large botnet operated by multiple cybercriminals. From August until mid-November 2012, the company found that the United States and Canada were disproportionately targeted. These botnets were, in a word, massive. The Dell Secureworks Counter Threat Unit was able to connect to approximately 100,000 peer-to-peer Zeus bots.

According to F-Secure's paper, 33.53% of all American IP addresses in their random sample were infected by Zeus. While not all of these bots were used at once, they were available on an as-needed basis by the cybercriminals. This was caused by a flurry of cyberattacks and phishing attacks—more than 1.5 million fake emails were sent via Facebook to spread Zeus on one day in October 2009 alone.

The interesting part—and the secret sauce—is what kind of websites Zeus bot operators hacked in order to spread their trojan. Online banking sites, corporate online banking sites, investment sites, credit card sites, and popular consumer websites such as Facebook and Amazon were all targeted. Zeus operators intentionally relied on trusted brands and financial institutions to gain bots. Once infected, users' computers operated as they did before except for occasionally helping to silently siphon into bank accounts and infect other computers—customers were largely unaware. While many previous botnets disproportionately relied on pornography and gambling sites to spread, Zeus operators went straight to the financial sector.

Zeus is believed to have originated in Eastern Europe; in late 2010, the program's creator claimed he was retiring and donating his source code to a competitor. Since then, numerous botnets based on Zeus have popped up alongside the original Zeus, which continues to cost banks worldwide—and the customers whom the cost is passed on to by corporate beancounters—tens of millions of dollars annually. Newer versions of Zeus-based botnets even allow operators to loan out their botnets to carry out DDoS attacks on websites for third parties. In the peer-to-peer version of Zeus, cybercriminals altered the program to jam banks with a flood of fraudulent transactions.

[Image: Flickr user colin.brown]

Add New Comment

2 Comments

  • Wolfgang

    Ref: "According to F-Secure's paper, 33.53% of all American IP addresses in their random sample were infected by Zeus." You are misreading the report. It is not 33.53 % of ALL American IPs that are infected, but 33.53% of the 5395 samples that they investigated where from the US.