Feeds

Russian gang uses botnets to automate check counterfeiting

Old-school crime with 21st century twist

Providing a secure and efficient Helpdesk

Black Hat A researcher has uncovered a sophisticated check counterfeiting ring that uses compromised computers to steal and print millions of dollars worth of bogus invoices and then recruit money mules to cash them.

The highly automated scheme starts by infiltrating online check archiving and verification services that store huge numbers of previously cashed checks, Joe Stewart, director of malware research for Atlanta-based SecureWorks, told The Register. It then scrapes online job sites for email addresses of people looking for work and sends personalized messages offering them positions performing financial transactions for an international company. The scammers then use stolen credit card data to ship near exact replicas of the checks to those who respond.

“They're able to utilize this high-tech botnet to go out there, get the shipping labels, print them and pay for them with stolen credit cards,” said Stewart, who was in Las Vegas for the Black Hat security conference that begins Wednesday. “That's the cleverness of it. So much of it is reliant on 21st century botnet technology to carry out what's an old-school kind of crime.”

Stewart was able to track the operation by infecting a lab computer and observing its interactions with command and control channels. A database file the criminals carelessly exposed showed that 3,285 checks had been printed since June of 2009 and 2,884 job seekers had responded to the employment offer. Assuming each check was written in amounts of $2,800 – a threshold sum that brings increased scrutiny to transactions – Stewart estimates the checks were valued at about $9m.

Ironically, many of the check images were downloaded from services that merchants use to prevent check fraud. One of the sites was breached using a SQL injection attack. In other cases, they were accessed using account credentials from legitimate users that were stolen using the Zeus and Gozi password-stealing trojans.

“They're actually abusing anti-fraud systems in order to commit fraud,” Stewart said. “The systems that are designed to prevent check fraud are actually being used to help the bad guys commit check fraud.”

Stewart said he contacted some of the money mules who were recruited to cash the checks and send it along to Russia in return for keeping a percentage of the sum. Most told Stewart that the transactions hadn't gone through. Still, the scheme cost shipping companies at least $65,000 in costs to deliver the counterfeit checks. Stewart has dubbed the group, which he says is located in Russia, the “BigBoss Operation” because one of their malware components reaches out to a server located at bigbossfinance.net.

The scheme first came to Stewart's attention in April during an unrelated investigation. When probing a new strain of the Zeus crimeware family, he discovered malware that used the PPTP, or point-to-point tunneling, protocol included in Microsoft Windows to establish a virtual private network with a remote server. Fearing the malware represented a new threat, the researcher began to dig deeper.

Eventually, Stewart found the VPN functionality was used only to evade firewalls and network address translation services, rather than to encrypt traffic as it passed from command and control channels.

“We found out it was a lot more boring that that,” Stewart said. “It was not using any of these advanced features. I don't know if it's an evolution or something that shows [that] an old-school criminal who's been doing this for a long time is able to adapt them for their own purposes. The couldn't do it without these modern components.” ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.