Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Two Law Firms Lost Over $117K to Cybercrime Network

May 21, 2019

I have been following this story for several days thanks to Dave Ries, but found that yesterday's ABA Journal contained a very concise summary.

A law firm in Washington, D.C., and a law office in Wellesley, Massachusetts, are among the victims of malware attacks by an overseas cybercrime network.

The law firms were not identified in a Department of Justice press release announcing the dismantling of the cybercrime network in an international law enforcement operation. The Associated Press has coverage here. The May 16 press releases are here and here.

The cybercrime operation used GozNym malware to infect computers and capture banking login credentials. The conspirators allegedly created lookalike internet pages for the victims’ financial institutions. They then accessed the bank accounts and transferred money, converting it to bitcoin.

Members of the network are being prosecuted in four different countries. In the United States, indictments have been filed in the Western District of Pennsylvania. Prosecutions are also pending in Ukraine, Moldova and Georgia.

Bulgarian authorities arrested one of the accused men, Krasimir Nikolov, and extradited him to the United States in December 2016. Ten others have been charged, including five Russians who remain at large. Alexander Konovolov of Tbilisi, Georgia, is the alleged network ringleader.

According to the indictment, filed April 17, the conspirators sent a phishing email in February 2016 to the D.C. law firm from the “Quicken Billpay-center.” The recipient was directed to click a link to view the invoice. Clicking the link caused the GozNym malware to be downloaded onto the recipient’s computer.

About nine days later, one of the defendants used the recipient’s credentials to gain access to a Bank of America account. The defendant tried to access $97,520, resulting in a loss of $76,178.

A defendant who used GozNym to capture banking credentials at the Wellesley, Massachusetts, law office gained access to a Brookline Bank account using online banking login credentials. The defendant transferred $41,000 from the account.

As you might imagine, other businesses were also victimized. Tens of thousands of computers were infected worldwide, primarily in the US and Europe.

According to the Indictment, the defendants conspired to infect victims’ computers with GozNym malware designed to capture victims’ online banking login credentials; use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts; and steal money from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.

The defendants reside in Russia, Georgia, Ukraine, Moldova and Bulgaria. The DOJ said the operation was an unprecedented international effort to share evidence and initiate criminal prosecutions against members of the same criminal network in multiple countries.

Nicely done, DOJ and partners. And this is yet another reminder of the importance of educating law firm employees about phishing attacks!

Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson