One grenade, £80K cash and four arrests in malware banking fraud

Four people have been arrested, and two charged, in connection with a £1 million online banking fraud.


Four people have been arrested, and two charged, in connection with a £1 million malware-driven online banking fraud that proves links with hard-nosed criminality.

Following the arrests in the Enfield and London Islington areas on Tuesday in connection with an online banking malware-driven fraud, the Metropolitan Police's new cybercrime unit, the MPCCU, have charged two of the gang members on conspiracy charges.

The arrests – which were made on Tuesday morning – prove the connection between Trojan malware-driven fraud using software such as Zeus and SpyEye, and the very real world of criminality, as officers found one of the gang members in possession of a hand grenade, as well as £80,000 in cash.

News of the arrests and charges coincides with reports that a 64-bit version of the Zeus malware has been spotted by Kaspersky Lab.

According to the MPCCU, the four arrested are thought to have been at the centre of a million-pound online banking fraud against two UK banks, with customers being infected with malware that allowed their credentials to be misused – and their money to be siphoned off to so-called money mule accounts.

Two men – both 31 years of age – have now been charged, whilst the two women, aged 24 and 27, have been bailed until the New Year.

The MPCCU says that it carried out the arrests after it was alerted by two UK banks. The banks say that their customers had been infected with malware after receiving an email supposedly from their bank.

The malware is known and has been used to assist in the unauthorised transfer of at least a million pounds to money mule accounts, many of which have been frozen as part of the investigation.

Along with the £80,000 in cash and the hand grenade, police also seized a Range Rover, designer jewellery and other luxury goods.

Detective Inspector Jason Tunn said: "These arrests by the Met's cybercrime unit follow an investigation into what we suspect is an international and organised crime targeting a number of bank customers in London and across the UK.

“The victims have been hoodwinked by malware-carrying emails purporting to be from their banks, and subsequently had money taken from their accounts.”

The two men – who were due to appear at Westminster Magistrates Court on Thursday afternoon – have been charged with multiple offences, including conspiring to conceal, disguise, convert, transfer or remove criminal property; conspiring together with other persons unknown to conceal, disguise, convert or transfer criminal property; and conspiring to commit fraud by false representation, an offence under the Fraud Act 2006.

Commenting on the arrests, Keith Bird, the managing director of security software vendor Check Point, said that, late last year, the ‘Eurograbber’ attack siphoned £30 million from bank accounts in Europe using sophisticated malware that infected users' PCs from infected emails.

“These attacks are [both] complex and stealthy, and exploit customers' trust,” he said, adding that online banking users should be wary of emails containing links or attachments which appear to come from their bank, as these could be infected by malware.

Users should also, he explained, keep their anti-virus software up-to-date, and install a personal firewall on their PC.

This week's arrests and charges in connection with the latest online banking Trojan fraud coincide with reports that the popular Zeus malware – thought to have been central to the fraud – has been updated to support 64-bit platforms.

According to Kaspersky researcher Dmitry Tarakanov, the 64-bit version of Zeus uses the same modus operandi as its 32-bit edition, using Web injects to steal banking credentials to drain online accounts, stealing digital certificates and logging keystrokes.

A new feature of Zeus-64 is that the malware also communicates with its remote command-and-control servers over the Tor anonymity network.

Tarakanov says that, whilst the 64-bit version of Zeus – whose development has been traced back to June – may be viewed by many as a marketing gimmick, supporting 64-bit browsers is a great way to advertise the product and to lure the botnet herders, the buyers of the malware.
