How the feds put a bullet in a “bulletproof” Web host

Being an online criminal isn't always easy. For one thing, there's all that tedious administrative overhead of deploying command and control servers, finding proxies to mask them, and shifting IP addresses to stay off of private security blacklists. Today's savvy cyber criminal, therefore, often outsources the work to so-called "bulletproof" hosting operations, which rent servers to criminals and take care of all the dirty details needed to keep them online. That was the approach taken by the Russian creator of malware known as Gozi—malicious password-stealing software which the US government today called "one of the most financially destructive computer viruses in history"—to store his stolen data. But as the malware man found out, bulletproof hosts can be taken down with enough effort. Even when they're based in Romania.

Gozi was coded back in 2005 and deployed in 2007. Back then, it largely targeted Europeans. When installed on a computer, the virus waited until the user visited an online banking site and then grabbed account names and passwords—anything that might be needed for a criminal to transfer money out of the user's account. This information was then sent silently to the Gozi command and control servers, from which it was harvested on a regular basis.

By 2010, the malware innovated in two important ways. First, it had gained the capability to do sophisticated Web injection. When an infected computer was pointed at a banking website, the virus wouldn't simply steal account login information; it could be configured to inject additional data requests right into the bank's webpage. This made it almost impossible to tell the requests were not being made by the bank itself. In this way, the malware could be tweaked to ask for Social Security numbers, driver's license information, a mother's maiden name, PIN codes—anything a client wanted.

Read 13 remaining paragraphs | Comments