Feeds

Russian gang uses botnets to automate check counterfeiting

Old-school crime with 21st century twist

Security for virtualized datacentres

Black Hat A researcher has uncovered a sophisticated check counterfeiting ring that uses compromised computers to steal and print millions of dollars worth of bogus invoices and then recruit money mules to cash them.

The highly automated scheme starts by infiltrating online check archiving and verification services that store huge numbers of previously cashed checks, Joe Stewart, director of malware research for Atlanta-based SecureWorks, told The Register. It then scrapes online job sites for email addresses of people looking for work and sends personalized messages offering them positions performing financial transactions for an international company. The scammers then use stolen credit card data to ship near exact replicas of the checks to those who respond.

“They're able to utilize this high-tech botnet to go out there, get the shipping labels, print them and pay for them with stolen credit cards,” said Stewart, who was in Las Vegas for the Black Hat security conference that begins Wednesday. “That's the cleverness of it. So much of it is reliant on 21st century botnet technology to carry out what's an old-school kind of crime.”

Stewart was able to track the operation by infecting a lab computer and observing its interactions with command and control channels. A database file the criminals carelessly exposed showed that 3,285 checks had been printed since June of 2009 and 2,884 job seekers had responded to the employment offer. Assuming each check was written in amounts of $2,800 – a threshold sum that brings increased scrutiny to transactions – Stewart estimates the checks were valued at about $9m.

Ironically, many of the check images were downloaded from services that merchants use to prevent check fraud. One of the sites was breached using a SQL injection attack. In other cases, they were accessed using account credentials from legitimate users that were stolen using the Zeus and Gozi password-stealing trojans.

“They're actually abusing anti-fraud systems in order to commit fraud,” Stewart said. “The systems that are designed to prevent check fraud are actually being used to help the bad guys commit check fraud.”

Stewart said he contacted some of the money mules who were recruited to cash the checks and send it along to Russia in return for keeping a percentage of the sum. Most told Stewart that the transactions hadn't gone through. Still, the scheme cost shipping companies at least $65,000 in costs to deliver the counterfeit checks. Stewart has dubbed the group, which he says is located in Russia, the “BigBoss Operation” because one of their malware components reaches out to a server located at bigbossfinance.net.

The scheme first came to Stewart's attention in April during an unrelated investigation. When probing a new strain of the Zeus crimeware family, he discovered malware that used the PPTP, or point-to-point tunneling, protocol included in Microsoft Windows to establish a virtual private network with a remote server. Fearing the malware represented a new threat, the researcher began to dig deeper.

Eventually, Stewart found the VPN functionality was used only to evade firewalls and network address translation services, rather than to encrypt traffic as it passed from command and control channels.

“We found out it was a lot more boring that that,” Stewart said. “It was not using any of these advanced features. I don't know if it's an evolution or something that shows [that] an old-school criminal who's been doing this for a long time is able to adapt them for their own purposes. The couldn't do it without these modern components.” ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.