Feeds

Russian gang uses botnets to automate check counterfeiting

Old-school crime with 21st century twist

Choosing a cloud hosting partner with confidence

Black Hat A researcher has uncovered a sophisticated check counterfeiting ring that uses compromised computers to steal and print millions of dollars worth of bogus invoices and then recruit money mules to cash them.

The highly automated scheme starts by infiltrating online check archiving and verification services that store huge numbers of previously cashed checks, Joe Stewart, director of malware research for Atlanta-based SecureWorks, told The Register. It then scrapes online job sites for email addresses of people looking for work and sends personalized messages offering them positions performing financial transactions for an international company. The scammers then use stolen credit card data to ship near exact replicas of the checks to those who respond.

“They're able to utilize this high-tech botnet to go out there, get the shipping labels, print them and pay for them with stolen credit cards,” said Stewart, who was in Las Vegas for the Black Hat security conference that begins Wednesday. “That's the cleverness of it. So much of it is reliant on 21st century botnet technology to carry out what's an old-school kind of crime.”

Stewart was able to track the operation by infecting a lab computer and observing its interactions with command and control channels. A database file the criminals carelessly exposed showed that 3,285 checks had been printed since June of 2009 and 2,884 job seekers had responded to the employment offer. Assuming each check was written in amounts of $2,800 – a threshold sum that brings increased scrutiny to transactions – Stewart estimates the checks were valued at about $9m.

Ironically, many of the check images were downloaded from services that merchants use to prevent check fraud. One of the sites was breached using a SQL injection attack. In other cases, they were accessed using account credentials from legitimate users that were stolen using the Zeus and Gozi password-stealing trojans.

“They're actually abusing anti-fraud systems in order to commit fraud,” Stewart said. “The systems that are designed to prevent check fraud are actually being used to help the bad guys commit check fraud.”

Stewart said he contacted some of the money mules who were recruited to cash the checks and send it along to Russia in return for keeping a percentage of the sum. Most told Stewart that the transactions hadn't gone through. Still, the scheme cost shipping companies at least $65,000 in costs to deliver the counterfeit checks. Stewart has dubbed the group, which he says is located in Russia, the “BigBoss Operation” because one of their malware components reaches out to a server located at bigbossfinance.net.

The scheme first came to Stewart's attention in April during an unrelated investigation. When probing a new strain of the Zeus crimeware family, he discovered malware that used the PPTP, or point-to-point tunneling, protocol included in Microsoft Windows to establish a virtual private network with a remote server. Fearing the malware represented a new threat, the researcher began to dig deeper.

Eventually, Stewart found the VPN functionality was used only to evade firewalls and network address translation services, rather than to encrypt traffic as it passed from command and control channels.

“We found out it was a lot more boring that that,” Stewart said. “It was not using any of these advanced features. I don't know if it's an evolution or something that shows [that] an old-school criminal who's been doing this for a long time is able to adapt them for their own purposes. The couldn't do it without these modern components.” ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.