Spanish police arrest Mariposa botnet ringleaders

Three Spanish men stand accused of masterminding a botnet that infected nearly 13 million computers in 190 countries, including in many big corparations.

Arrest

Spanish police have arrested three men believed to be the masterminds behind one of the world's largest botnets.

The men are accused of running the Mariposa botnet, which is believed to have infected nearly 13 million PCs with a virus that stole credit card details and other data.

The Spanish Guardia Civil made the arrests after two internet security firms Canada's Defence Intelligence Inc and Spain's Panda Security SL were able to infiltrate the ring and shut it down just before Christmas.

By that point Mariposa the Spanish word for butterfly - had affected 12.7 million computers in 190 countries around the world, with victims including government agencies, schools, more than half of the world's 1,000 largest corporations and 40 per cent of banks.

The virus was programmed to take control of infected machines and record every key stroke made, sending the data back to Mariposa's servers, where it was analysed to try and identify passwords, credit card numbers and other private information.

Mariposa first appeared in December 2008, and spread through removable USB drives, MSN Messenger and peer-to-peer networks. The virus helped the three ringleaders steal banking credentials and launch distributed denial-of-service attacks, though unlike with some other botnets they did not use it to try and sell fake security software.

It was first spotted in April last year, and was taken down on December 23 last year thanks to the efforts of an informal group of volunteers calling itself the Mariposa Working Group.

"It was so nasty, we thought 'we have to turn this off. We have to cut off the head'," said Chris Davis, chief executive of Defense Intelligence. Security experts believe the total cost of removing the program could run into the millions.

The three men known only by their web handles "Netkairo", "Johnyloleante" and "Ostiator" at this stage weren't skilled programmers, but had contacts who were. All three are Spanish citizens and have no previous convictions, according to Guardia Civil captain Cesar Lorenza.

"They're not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits. The most frightening thing is they are normal people who are earning a lot of money with cybercrime," Lorenza commented.

According to Panda Security, not only did the men use their network of infected PCs to collect data, they also rented them out to other hackers. One of the three was caught in possession of 800,000 personal credentials. They each face up to six years in prison if convicted.

However, security experts warn it is likely that more than three people were behind Mariposa, and the network could easily be put back in place by others. "Mariposa's the biggest ever to be shut down, but this is only the tip of the iceberg. These things come up constantly," Mark Rasch, former head of the US Department of Justice computer crimes unit, told Reuters.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021