Secureworks [http://www.secureworks.com/cyber-threat-intelligence/threats/gozi/]. This is from the summary of that analysis:
"Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product, but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.
Highlights
A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.
- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million"
The convicted Calovskis has a lawyer who says Mr. Calovskis didn’t create or disseminate the actual virus, didn’t join the conspiracy until years after the virus’s creation, and received only $1,000 for his participation.
[see http://www.wsj.com/articles/latvian-hacker-deniss-calovskis-sentenced-to-time-served-1452032841] Calovskis developed part of the code that changed the appearance of banks' websites on infected computers to trick victims into giving up personal information that would allow the hackers to steal money from their bank accounts. The Journal article suggests the judge actually considered exceeding the amount of time because there would be little deterrent value in the sentence actually given. I have heard this story before.
The Computer Fraud and Abuse Act, which has expanded quite a bit since it was written, had its first prosecution while I was still teaching at the Defense Security Institute, in the 80's. People were saying the same thing then, only in that first case, they had a point. That guy was stealing information on the tracts of forestry being sold off by the Federal Government and he got a suspended sentence of 6 months. That resulted in a legislative panic and the stiffening of sentences that has been going on since then. It never seems to be enough, but it is more than a 6-month suspended sentence.
I don't know how many criminals are in Russia paying for the development of this kind of software, but I do know that Calovskis was one of their employees who did good work. Many of those selling these kinds of software hire good people and develop good products worthy of the amount of money they charge for them. Calovskis had the misfortune to live in Latvia and get caught. Those living in Russia do not. There is a certain injustice in the whole process to bring an action against ones who are not safe from prosecution, and let all those others go. So, before we jump to the conclusion that "time served" is not a real punishment, think about the context of what he did. The punishment seems to fit the crime.