Cyberthugs, Run as Fast as You Can: FBI Is On a Victorious Roll

While I don't always agree with some of the actions taken by the FBI, not all agents are partaking in warrantless surveillance, and we need to cheer the FBI "good guys." These FBI agents are just as important and heroic as our troops in keeping our great nation safe. Like some kind of modern-day cyber cowboys, the feds have come out with cyberguns blazing, blowing away bad guys in cyberspace. Here are some of the very busy FBI agents' big white-hat wins lately.

In an unprecedented move in April, the FBI was granted the authority to seize control of the Coreflood botnet and to send commands to individual infected PCs telling them to stop running the malware, remotely disabling Coreflood. The FBI replaced the Coreflood command-and-control servers with a sinkhole server it controlled, so that infected machines checked in with the FBI instead of with the criminals. It then collected the IP addresses of the malware-infected machines that had been communicating with the criminals' servers and thereby unwittingly aiding the cybercriminals' schemes to commit wire and bank fraud.

Krebs on Security reported that the "FBI scrubbed 19,000 PCs snared by Coreflood Botnet" and posted a court-filed declaration of this FBI victory by Kenneth Keller, special agent with the FBI Cyber Crime Squad [PDF]. After about 24 "Identifiable Victims" gave their permission, the FBI issued roughly 19,000 uninstall commands to infected computers at those organizations without any reported adverse consequences to the machines. Keller said the Coreflood botnet has been reduced by more than 95%, in part because the FBI notified "hundreds of Identifiable Victims" and involved about 25 of the largest US ISPs, overseas law enforcement, and anti-virus vendors.
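The sinkhole's real product is the list of who is still infected and who has to be told. The script below is an added example written for this post, not the FBI's or anyone else's Coreflood tooling: it assumes a hypothetical sinkhole that logs one line per check-in as `timestamp src_ip "request"`, treats only requests to a hypothetical bot check-in path as an infection signal (stray scanner and crawler hits on a sinkhole are noise), deduplicates by source address, and buckets the infected hosts by a hypothetical table of which ISP or organization owns each address range, which is the list an operator works from when notifying victims and providers. The log lines and the address table are constructed from documentation ranges.

```python
"""Sinkhole log triage: who is still beaconing, and whom to notify.

Added example (not the FBI's Coreflood code). Assumes a hypothetical sinkhole
log format of: <ISO-8601 timestamp> <source IP> "<HTTP request line>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re

# Constructed sample check-ins; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2011-04-13T02:11:05Z 192.0.2.17 "GET /gate.php?id=ABCD HTTP/1.1"
2011-04-13T02:11:09Z 192.0.2.17 "GET /gate.php?id=ABCD HTTP/1.1"
2011-04-13T02:12:41Z 198.51.100.9 "GET /gate.php?id=EF01 HTTP/1.1"
2011-04-13T02:13:00Z 203.0.113.200 "GET /gate.php?id=9999 HTTP/1.1"
2011-04-13T02:13:05Z 198.51.100.44 "GET /robots.txt HTTP/1.1"
garbage line that does not parse
2011-04-13T02:14:22Z 203.0.113.201 "GET /gate.php?id=9998 HTTP/1.1"
"""

# Hypothetical prefix -> responsible party table, the kind of mapping an operator
# assembles from WHOIS/ASN data before notifying ISPs and "Identifiable Victims".
NETWORKS = {
    "192.0.2.0/24": "Example ISP A",
    "198.51.100.0/24": "Example ISP B",
    "203.0.113.0/24": "Example Corp (Identifiable Victim)",
}

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
# Hypothetical check-in path of the bot; anything else hitting the sinkhole is noise.
BEACON_PATH = "/gate.php"


@dataclass
class Infection:
    ip: str
    first_seen: datetime
    last_seen: datetime
    beacons: int = 1


def parse_log(text):
    """Return {ip: Infection} for hosts whose requests match the bot beacon."""
    seen = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, ip, request = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        parts = request.split()
        if len(parts) < 2 or not parts[1].startswith(BEACON_PATH):
            continue  # not a bot check-in (crawler, scanner, curious researcher)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec = seen.get(ip)
        if rec is None:
            seen[ip] = Infection(ip, when, when)
        else:
            rec.beacons += 1
            rec.first_seen = min(rec.first_seen, when)
            rec.last_seen = max(rec.last_seen, when)
    return seen


def group_by_network(infections, networks=NETWORKS):
    """Bucket infected hosts by the party responsible for their address space."""
    table = [(ipaddress.ip_network(p), owner) for p, owner in networks.items()]
    report = defaultdict(list)
    for rec in infections.values():
        addr = ipaddress.ip_address(rec.ip)
        owner = next((o for net, o in table if addr in net), "unknown")
        report[owner].append(rec.ip)
    return {owner: sorted(ips) for owner, ips in report.items()}


def notification_report(text, networks=NETWORKS):
    """One-stop: parse the sinkhole log and produce the per-owner notification list."""
    return group_by_network(parse_log(text), networks)


if __name__ == "__main__":
    for owner, ips in notification_report(SAMPLE_LOG).items():
        print(f"{owner}: {len(ips)} infected host(s): {', '.join(ips)}")
```

Two caveats a practitioner would add before acting on such a report: a source address behind NAT can hide many infected hosts (or one host behind a corporate proxy), and consumer addresses churn with DHCP, so a count of unique IPs is a lower bound on infections and a notification should carry the timestamps so the ISP can match them to a subscriber.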

Softpedia reported that Coreflood has been around since 2002, making it one of the oldest botnets. "During its life it infected a total of 2.3 million computers and from March 2009 to February 2010 alone it stole 190 GB of sensitive data including online banking passwords." Now that the Coreflood botnet has been reduced, FBI Cyber Squad Agent Keller asked for permission to take the FBI's monitoring server offline, as running it was consuming "considerable law enforcement resources." Keller also declared that, since the size of the botnet has been significantly reduced, the government is not requesting permission for a "blanket" uninstall to remove Coreflood from all infected computers. This should come as a welcome relief to some privacy watchdogs.

Security and privacy guru Bruce Schneier previously called the FBI remote uninstall the "obvious solution for botnets," but he also wrote, "The problem as I see it is the slippery slope. Because next, the RIAA is going to want to remotely disable computers they feel are engaged in illegal file sharing. And the FBI is going to want to remotely disable computers they feel are encouraging terrorism. And so on."

The Department of Justice announced another big win for it and the FBI in an international anti-cybercrime sting. FBI cyberguns took aim at two Latvian cybercriminal gangs accused of using fraudulent computer-security "scareware" to make more than $74 million from over one million computer users. Twenty-two computers in the US were seized during Operation Trident Tribunal and, in collaboration with international law enforcement partners in 12 nations, another 25 PCs and servers were seized in other countries, along with some bank accounts in Latvia.

Scareware is a big problem that victimizes users all over the globe. Scareware tactics include popup messages claiming your computer is infected and that you need to buy the advertised antivirus software. If you don't buy it, some scareware can render your computer completely inaccessible. Cyberthugs try to make their fearmongering scareware sites look authentic, and some bundle ransomware that blocks Internet access until you cough up the "required" moolah, or encrypts your files and demands payment to decrypt them.

According to the FBI indictment, one group infected and victimized about 960,000 PCs with a fake anti-virus scareware scheme that cost users $72 million. The second group of cybercrooks made about $2 million and was indicted for creating a phony advertising agency that supposedly represented a hotel chain and placing fake ads on the Minneapolis Star Tribune's website. The FBI has listed tips on how to spot scareware on your computer as well as how to file a scareware complaint.

In yet another move, the FBI seems to be closing in on LulzSec and raided a datacenter in Reston, VA, that is potentially linked to the FBI's investigation into LulzSec and any affiliated hackers. According to The New York Times, an unnamed government official said the FBI "had teamed up with other agencies in this effort, including the Central Intelligence Agency and cybercrime bureaus in Europe."

Sergej Ostroumow, chief executive of DigitalOne, a Switzerland-based co-location company, had been working with the FBI to pinpoint the servers behind a specific IP address. But because its legitimate servers sat in the same racks as some "naughty servers," Ostroumow told the NYTimes in an email, "The agents took entire server racks, perhaps because they mistakenly thought that one enclosure is = to one server." Since FBI agents seized three racks of blade servers, popular and legitimate websites belonging to "tens of clients" were adversely affected. According to the LATimes, the FBI raid knocked out the innocent sites of more than 100 companies.

At around the same time as the FBI raid, The Telegraph reported 19-year-old suspected LulzSec member "Ryan Cleary was being arrested by Scotland Yard's specialist cyber crime unit at his family home in Wickford. He remains in custody on suspicion of offences under the Computer Misuse Act and Fraud Act."

Last but not least, after 16 years of chasing and an international manhunt, the FBI arrested ruthless Boston mob boss Whitey Bulger in Santa Monica, California. The feds had used social networking sites like Twitter, Facebook and YouTube to assist in the hunt. Bulger, now 81 years old, had a $2 million reward on his head and, after Osama bin Laden was killed, rose to number one on the FBI's Ten Most Wanted list.
