
Bayrob malware gang convicted of infecting over 400,000 computers worldwide, stealing millions through online auction fraud


April 12, 2019


A US court has convicted two Romanian hackers belonging to the Bayrob malware gang after they infected over 400,000 computers around the world, and stole millions of dollars.

Bogdan Nicolescu (aka “Masterfraud”) and Radu Miclaus (aka “Minolta”), both of Bucharest, Romania, have been convicted by a federal jury of 21 counts related to the infection of hundreds of thousands of computers with malware in order to steal credit card details, mine for cryptocurrency, and engage in online auction fraud.

36-year-old Nicolescu, 37-year-old Miclaus, and a co-conspirator – Tiberiu Danet (aka “Amightysa”) – who pleaded guilty, started their criminal campaign in 2007 with the creation of malware which they spammed out posing as communications from the likes of Western Union, the IRS, and Norton AntiVirus.

Unsuspecting recipients of the emails who clicked on the attachments had malware surreptitiously installed on their PCs, hijacking them into a botnet. Once in place the malware would access contact details of other potential victims from email accounts and address books in order to spread further.

Further exploiting the infected computers, the hackers commanded the compromised PCs in the botnet to create email accounts with AOL. In all, more than 100,000 email accounts were created with the service, and then used to send tens of millions of malicious emails.

That would be bad enough. But infected computers were also harvested by the remote hackers to steal personal information, such as passwords, usernames, and payment card details.

For instance, when users visited websites such as Facebook, eBay and PayPal, the malware would intercept the browser request and redirect the infected computer to a phishing site, allowing the hackers to harvest account credentials. The hijacked accounts and stolen credit card details were then used to fund the operation: renting server space, buying domain names under fictitious identities, and purchasing VPN services to cover the gang’s tracks online.

As a press release from the US Department of Justice makes clear, the hackers’ criminal endeavours didn’t stop at that:

The defendants were also able to inject fake pages into legitimate websites, such as eBay, to make victims believe they were receiving and following instructions from legitimate websites, when they were actually following the instructions of the defendants.

They placed more than 1,000 fraudulent listings for automobiles, motorcycles and other high-priced goods on eBay and similar auction sites. Photos of the items were infected with malware, which redirected computers that clicked on the image to fictitious webpages designed by the defendants to resemble legitimate eBay pages.

Naturally, anyone who fell for the bogus eBay listings never received the items they believed they had purchased, and never got their money back. All they got was a slideshow of the car they hoped they were buying, with an unpleasant bonus of a malware infection.

Security researchers discovered that to string victims along, the criminals even created a fake transportation firm which would supposedly truck purchased vehicles to their new owner, with an accompanying website to appear more credible. The bogus company even operated a phone line to appear more convincing as it informed victims that delivery of their vehicle had been delayed.

Finally, in an attempt to avoid detection and takedown, the malware was able to disable anti-virus protection and to block victims’ browsers from accessing law enforcement websites.
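The article does not say how the redirects and the law-enforcement blocking were implemented, and local hosts-file tampering is only one of several mechanisms a botnet can use (DNS settings, browser proxy configuration and in-process hooks are others). As an added illustration of the check an incident responder would run first, the following is not code from Bitdefender or from the Bayrob case: it parses hosts-file-style entries and flags any that redirect a watched domain to a foreign address or sinkhole it to a local one. The watch list and the sample hosts text are constructed for the example.

```python
"""Flag hosts-file entries that redirect or sinkhole high-value domains.

Added example for this article, not code from Bitdefender or from the
Bayrob case. It assumes hosts-file tampering as the mechanism, which the
article does not state; other redirect techniques need other checks.
"""
import ipaddress

# Constructed watch list: phishing targets named in the article plus a few
# law-enforcement sites. Extend it for your own environment.
WATCHED = {
    "facebook.com", "ebay.com", "paypal.com",     # credential phishing targets
    "fbi.gov", "ic3.gov", "europol.europa.eu",    # law-enforcement sites
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not an entry
        for name in parts[1:]:                 # one IP may map several names
            yield str(ip), name.lower().rstrip(".")


def watched_domain(name):
    """Return the watched domain that `name` equals or is a subdomain of."""
    for dom in WATCHED:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def suspicious_entries(text):
    """Return [(hostname, ip, reason)] for entries touching watched domains.

    A watched domain pointed at a loopback or unspecified address is a block
    (the browser can never reach the real site); anything else is a redirect.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if watched_domain(name) is None:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocked (sinkholed to local address)"
        else:
            reason = "redirected to " + ip
        findings.append((name, ip, reason))
    return findings


# Constructed sample: two legitimate default entries plus tampered ones.
# 198.51.100.7 is an RFC 5737 documentation address, not a real host.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
# tampered entries below
198.51.100.7 www.paypal.com paypal.com   # phishing redirect
127.0.0.1 www.fbi.gov fbi.gov
0.0.0.0 ic3.gov
"""

if __name__ == "__main__":
    for name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:<20} {ip:<16} {reason}")
```

Run against the real file (`/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) the same function gives a quick triage signal; a clean result does not clear the machine, since the redirect may live elsewhere.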

This clearly was a highly organised and sophisticated criminal operation, and federal prosecutors spent more than two weeks presenting evidence to the jury about how it was co-ordinated, and how the gang successfully stole more than four million dollars.

But what also emerged during the trial were the elementary mistakes that the hackers made which led to their capture.

For instance, in 2013 Miclaus accidentally logged into AOL with his personal account, rather than the one used for the criminal operation. Because of this AOL was able to link the two accounts to each other.

Furthermore, in 2015, when Danet travelled to Miami to visit friends, he made the mistake of bringing a smartphone he had used to communicate with his fellow criminals about their activities. The FBI seized the opportunity to act on a search warrant and covertly accessed the phone, which spilled the group’s secrets.

Nicolescu, Miclaus and Danet were arrested in Bucharest in September 2016 and extradited to the United States three months later.

According to Justice Department senior counsel Brian Levine, the three email accounts used by the gang went silent after their arrest.

Sentencing of the two men is scheduled for August 14, 2019.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
