Gozi Trojan financial web injection hacker pleads guilty

Financial malware web injection technique hacker Deniss Calovskis says he 'knew he was breaking the law'

Deniss Calovskis prior to his extradition from Latvia

Latvian malware code engineer Deniss Calovskis has appeared in court in Manhattan this month to plead guilty to charges concerning the transmission of the Gozi Trojan.

Widely described as one of the most financially destructive computer viruses in history, the malware itself was first uncovered in 2007.

Gozi infected more than a million computers around the world including a number at NASA.

A US federal indictment statement has explained that Gozi was capable of "stealing personal bank account information (such as account numbers, usernames and passwords) from computers across Europe on a vast scale, while remaining virtually undetectable in the computers it infected."

The conspiracy collection-pack

Criminal prosecution procedures have been ongoing for a number of years. Calovskis faces charges of bank fraud conspiracy, conspiracy to commit computer intrusion and wire-fraud conspiracy.

As this case has played out, Calovskis had denied any involvement with Gozi as recently as August 2013. The 30-year-old Latvian was subsequently extradited to the United States in February 2015.

According to the Reuters news agency, Calovskis has now stated to the court, "I knew what I was doing was against the law."

Create, transmit, distribute - in that order

The indictment against Calovskis is accompanied by associated charges made against Russian national Nikita Kuzmin, the original creator of the virus itself. Romanian Mihai Ionut Paunescu is also indicted for his role in running a service that is claimed to have enabled the Trojan's distribution.

Reuters explains that Calovskis worked from his base in the Latvian capital Riga to develop code that would increase the effectiveness of the Gozi virus. His hacks included malware designed to alter the appearance of banks' websites to fool users into revealing their personal information.

How the web injection worked

As the Gozi software grew and developed, its code was augmented to perform sophisticated web injection techniques. When an infected computer visited a banking website, the user's login information was stolen and, in addition, the page itself could be altered through the injected code to ask the user for further transaction details.

As explained on Ars Technica, these web injection procedures made it virtually impossible for users to know whether it was their bank or the hackers asking for additional information, such as social security numbers, driver's license details, a mother's maiden name or PIN codes.

In an email to SCMagazineUK.com, Jan Širmer, senior malware analyst at Avast said: “In recent years, cybernetic attacks against banks have become more and more popular. The number of people accessing their bank accounts online has steadily increased, however, their knowledge of computer security is often insufficient. Attackers using web injections to steal victims' data are very sophisticated and have become a popular method of attack, because of the potential profits.”

He said that cyber-criminals can use web injections to steal data that is stored on the victim's computer by, for example, adding fields to be filled out by the customer which can prompt them to supply PIN numbers and social security numbers. "Victims often do not expect any security risks when using online banking and, therefore, provide very personal and sensitive data," he said.
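The client-side check below is an added example and is not code from the article, from Avast or from any of the parties the case describes. It models the defensive counterpart of the behaviour described above: a bank's page, or a browser extension, knows which inputs its login form legitimately contains (here a constructed manifest of username, password and remember_me), and any field that appears beyond that manifest at render time is flagged as a possible inject, with the extra field labelled "sensitive" when its name or label hints at a PIN, social security number or similar. Field data is represented as plain objects so the check runs outside a browser; collectFormFields shows how the same data would be gathered from a live DOM. All names, hint patterns and sample fields are constructed for the example.

```javascript
// Added example (not from the article): a defender-side form-integrity check
// against the kind of injected fields described above.

// Hypothetical manifest of the fields a login form is allowed to contain (constructed).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "remember_me"]);

// Patterns used only to label an unexpected field as sensitive (constructed).
const SENSITIVE_HINTS = [/ssn/i, /social/i, /pin/i, /maiden/i, /licen[cs]e/i, /atm/i];

// Compare the fields actually rendered with the manifest.
// observedFields: array of { name, type, label }.
// Returns { suspicious, unexpected, missing }.
function auditFormFields(observedFields, expected = EXPECTED_LOGIN_FIELDS) {
  const unexpected = [];
  const missing = [];
  for (const field of observedFields) {
    if (!expected.has(field.name)) {
      const text = `${field.name} ${field.label || ""}`;
      const sensitive = SENSITIVE_HINTS.some((re) => re.test(text));
      unexpected.push({ name: field.name, type: field.type, sensitive });
    }
  }
  for (const name of expected) {
    if (!observedFields.some((f) => f.name === name)) missing.push(name);
  }
  return { suspicious: unexpected.length > 0, unexpected, missing };
}

// In a real browser this gathers the same { name, type, label } records from a form
// element; it is not exercised in the offline run.
function collectFormFields(form) {
  return Array.from(form.querySelectorAll("input, select, textarea")).map((el) => {
    const label = el.labels && el.labels[0] ? el.labels[0].textContent.trim() : "";
    return { name: el.name, type: el.type, label };
  });
}

// Constructed samples: the legitimate form, and the same form with two extra
// fields of the kind an inject adds.
const CLEAN_FORM = [
  { name: "username", type: "text", label: "User ID" },
  { name: "password", type: "password", label: "Password" },
  { name: "remember_me", type: "checkbox", label: "Remember me" },
];
const INJECTED_FORM = CLEAN_FORM.concat([
  { name: "atm_pin", type: "password", label: "ATM PIN" },
  { name: "ssn", type: "text", label: "Social Security Number" },
]);

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditFormFields(CLEAN_FORM)));
  console.log(JSON.stringify(auditFormFields(INJECTED_FORM), null, 2));
}
```

A deployed version would run after the page finishes rendering (injects rewrite the DOM after the bank's HTML arrives), report the finding to the bank's fraud telemetry rather than only to the console, and treat missing expected fields as a separate signal, since some injects replace the whole form rather than append to it.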

Sentencing in this case is scheduled for 14 December 2015.