Authorities in Spain have arrested three men they suspect were the masterminds and herders behind the Mariposa botnet, a worm that infected more than 13 million PCs around the world and attempted to steal credit card numbers and other personal information. The botnet was largely shut down in December of 2009 after an investigation by the FBI and Spanish Civil Guard found a way to separate the network from its command-and-control servers. Authorities managed to arrest one botnet-runner when he attempted to log into the network without obfuscating his network address; two other suspects were subsequently identified and arrested.
Authorities haven’t released the names of the suspects, but say all are Spanish citizens and none of them have criminal records. They’re also described as having limited technical knowledge: the Mariposa botnet isn’t something they developed themselves, but rather malware from other sources that the individuals leveraged to steal personal information such as passwords, usernames, and credit card information. Mariposa particularly focused on social networking sites and online email services. The botnet runners earned money by selling stolen credentials, but also by renting out the Mariposa botnet to other cybercriminals. The Spanish Civil Guard says more arrests may be forthcoming.
One of the suspects arrested was found to have some 800,000 pieces of personal data on his machine; the Mariposa botnet infected PCs at more than half of Fortune 1000 companies and at least 40 banks.