Feeds

Russian gang uses botnets to automate check counterfeiting

Old-school crime with 21st century twist

Top 5 reasons to deploy VMware with Tegile

Black Hat A researcher has uncovered a sophisticated check counterfeiting ring that uses compromised computers to steal and print millions of dollars worth of bogus invoices and then recruit money mules to cash them.

The highly automated scheme starts by infiltrating online check archiving and verification services that store huge numbers of previously cashed checks, Joe Stewart, director of malware research for Atlanta-based SecureWorks, told The Register. It then scrapes online job sites for email addresses of people looking for work and sends personalized messages offering them positions performing financial transactions for an international company. The scammers then use stolen credit card data to ship near exact replicas of the checks to those who respond.

“They're able to utilize this high-tech botnet to go out there, get the shipping labels, print them and pay for them with stolen credit cards,” said Stewart, who was in Las Vegas for the Black Hat security conference that begins Wednesday. “That's the cleverness of it. So much of it is reliant on 21st century botnet technology to carry out what's an old-school kind of crime.”

Stewart was able to track the operation by infecting a lab computer and observing its interactions with command and control channels. A database file the criminals carelessly exposed showed that 3,285 checks had been printed since June of 2009 and 2,884 job seekers had responded to the employment offer. Assuming each check was written in amounts of $2,800 – a threshold sum that brings increased scrutiny to transactions – Stewart estimates the checks were valued at about $9m.

Ironically, many of the check images were downloaded from services that merchants use to prevent check fraud. One of the sites was breached using a SQL injection attack. In other cases, they were accessed using account credentials from legitimate users that were stolen using the Zeus and Gozi password-stealing trojans.

“They're actually abusing anti-fraud systems in order to commit fraud,” Stewart said. “The systems that are designed to prevent check fraud are actually being used to help the bad guys commit check fraud.”

Stewart said he contacted some of the money mules who were recruited to cash the checks and send it along to Russia in return for keeping a percentage of the sum. Most told Stewart that the transactions hadn't gone through. Still, the scheme cost shipping companies at least $65,000 in costs to deliver the counterfeit checks. Stewart has dubbed the group, which he says is located in Russia, the “BigBoss Operation” because one of their malware components reaches out to a server located at bigbossfinance.net.

The scheme first came to Stewart's attention in April during an unrelated investigation. When probing a new strain of the Zeus crimeware family, he discovered malware that used the PPTP, or point-to-point tunneling, protocol included in Microsoft Windows to establish a virtual private network with a remote server. Fearing the malware represented a new threat, the researcher began to dig deeper.

Eventually, Stewart found the VPN functionality was used only to evade firewalls and network address translation services, rather than to encrypt traffic as it passed from command and control channels.

“We found out it was a lot more boring that that,” Stewart said. “It was not using any of these advanced features. I don't know if it's an evolution or something that shows [that] an old-school criminal who's been doing this for a long time is able to adapt them for their own purposes. The couldn't do it without these modern components.” ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.