Microsoft says raid damaged cybercrime operation

Microsoft and the banking industry Monday provided a detailed, behind-the-scenes account of an operation they said disrupted a major cybercrime operation that used malicious software to allegedly steal $100 million from consumers over the last five years.

A senior attorney from Microsoft's digital crimes unit, Richard Boscovich, said the companies used a creative legal strategy as part of a civil lawsuit that targeted a network of computers suffering from an infection known as "Zeus." Those computers were under the remote control of a criminal group that stole personal information, financial credentials and money. The Zeus network has not been eliminated, Boscovich said, but the action has made it much more difficult and expensive for the criminals to operate.

"This was an initial volley," according to Boscovich, who said Microsoft and other companies will continue to target the Zeus network.

A federal judge approved a warrant authorizing the raid in late March against computer servers at hosting centers in Illinois and Pennsylvania. Attorneys for Microsoft, the Electronic Payments Association and the Financial Services Information Sharing and Analysis Center had filed a civil lawsuit claiming the Zeus network had infected 13 million computers since 2007. Boscovich said he believes the people behind the Zeus botnets are located in Eastern Europe. He declined to be more specific because the case is ongoing.

United States marshals accompanied employees of Microsoft on the sweep, according to Boscovich, who described the legal strategy as a creative model for dealing with cybercriminals. The company relied on existing laws covering trademark infringement and racketeering, and the federal judge in New York granted their request for what Boscovich and others described as a "takedown" of the network's command and control servers.

"The court really understood what we were trying to do," Boscovich said.

Boscovich and two other executives — Janet Estep of the Electronic Payments Association and Bill Nelson of the Information Sharing and Analysis Center — discussed the Zeus raid, called Operation b71, during a presentation at a conference in Baltimore.

The Zeus network sent spam email with corporate trademarks, including Microsoft's and the payment association's, and a message that directed victims to download an attached file or open an attached link, according to records filed in federal court by attorneys for Microsoft and the industry groups. These so-called "phishing" emails would tell users the files or links contained important information about their finances or were software security updates that needed to be installed as soon as possible.

Estep said a visible measure of Operation b71's impact is a significant reduction in spam blamed on the payment association or using the organization's logo. Prior to the raid, nearly 11.5 million of these emails were being sent each week to unsuspecting users and that number has dropped to about 1 million, she said.