Feeds

Russian gang uses botnets to automate check counterfeiting

Old-school crime with 21st century twist

3 Big data security analytics techniques

Black Hat A researcher has uncovered a sophisticated check counterfeiting ring that uses compromised computers to steal and print millions of dollars worth of bogus invoices and then recruit money mules to cash them.

The highly automated scheme starts by infiltrating online check archiving and verification services that store huge numbers of previously cashed checks, Joe Stewart, director of malware research for Atlanta-based SecureWorks, told The Register. It then scrapes online job sites for email addresses of people looking for work and sends personalized messages offering them positions performing financial transactions for an international company. The scammers then use stolen credit card data to ship near exact replicas of the checks to those who respond.

“They're able to utilize this high-tech botnet to go out there, get the shipping labels, print them and pay for them with stolen credit cards,” said Stewart, who was in Las Vegas for the Black Hat security conference that begins Wednesday. “That's the cleverness of it. So much of it is reliant on 21st century botnet technology to carry out what's an old-school kind of crime.”

Stewart was able to track the operation by infecting a lab computer and observing its interactions with command and control channels. A database file the criminals carelessly exposed showed that 3,285 checks had been printed since June of 2009 and 2,884 job seekers had responded to the employment offer. Assuming each check was written in amounts of $2,800 – a threshold sum that brings increased scrutiny to transactions – Stewart estimates the checks were valued at about $9m.

Ironically, many of the check images were downloaded from services that merchants use to prevent check fraud. One of the sites was breached using a SQL injection attack. In other cases, they were accessed using account credentials from legitimate users that were stolen using the Zeus and Gozi password-stealing trojans.

“They're actually abusing anti-fraud systems in order to commit fraud,” Stewart said. “The systems that are designed to prevent check fraud are actually being used to help the bad guys commit check fraud.”

Stewart said he contacted some of the money mules who were recruited to cash the checks and send it along to Russia in return for keeping a percentage of the sum. Most told Stewart that the transactions hadn't gone through. Still, the scheme cost shipping companies at least $65,000 in costs to deliver the counterfeit checks. Stewart has dubbed the group, which he says is located in Russia, the “BigBoss Operation” because one of their malware components reaches out to a server located at bigbossfinance.net.

The scheme first came to Stewart's attention in April during an unrelated investigation. When probing a new strain of the Zeus crimeware family, he discovered malware that used the PPTP, or point-to-point tunneling, protocol included in Microsoft Windows to establish a virtual private network with a remote server. Fearing the malware represented a new threat, the researcher began to dig deeper.

Eventually, Stewart found the VPN functionality was used only to evade firewalls and network address translation services, rather than to encrypt traffic as it passed from command and control channels.

“We found out it was a lot more boring that that,” Stewart said. “It was not using any of these advanced features. I don't know if it's an evolution or something that shows [that] an old-school criminal who's been doing this for a long time is able to adapt them for their own purposes. The couldn't do it without these modern components.” ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.