Cyber-criminals are using a complex, innovative scheme to commit widespread check forgery. According to research by SecureWorks revealed at Black Hat, the ring has counterfeited an estimated $9 million in checks in the last year.
A three-month investigation by SecureWorks has uncovered an innovative check
fraud operation that is estimated to have counterfeited $9 million in
checks in the past year.
Gone are the days when thieves had to use low-tech methods such as check
kiting to defraud banks. According to SecureWorks, a group of Russian
cyber-criminals is using a mix of malware, money mules
and SQL injection to get their hands on data from check image
repositories run by services that archive checks on behalf of businesses.
"You write a check, it goes off to some processor somewhere, and at
some point at the end of the chain it will get scanned electronically ... [and
archived] in some database somewhere," explained Joe Stewart, director of
malware research at SecureWorks. "That's what these guys were hitting with
From the Black Hat security conference in Las Vegas,
Stewart pulled the covers off a 1,000- to 2,000-strong network of computers
being used in a complicated scam to steal
and wire money overseas. Using SQL injection vulnerabilities
in Web sites of check archiving services, the attackers download images of
checks used by businesses, along with bank routing numbers, accountholder names
and other associated information.
Next, the scammers use off-the-shelf commercial check printing software
utilized by legitimate companies to print counterfeit checks that are then
given to money mules to deposit. The mules are tasked with wiring the money to
bank accounts in St. Petersburg, Russia,
where Stewart speculated the money may be transferred into Web money and then
converted into cash.
"The quicker [the attackers] can get the money wired out ... the better
their chances are of not getting discovered and having a bank withdraw the
funds from the account," Stewart said. "So they are very, very
urgently trying to convey to the mule, 'you got to get this processed as fast
as you can.'"
Stewart uncovered the operation after analyzing a variant of the Zeus Trojan
that established a virtual private network (VPN) connection between infected
computers and a remote server using the point-to-point tunneling protocol
functionality built into Microsoft Windows. The VPN tunnel allowed the
attackers to proxy traffic back to the bots, bypassing any firewalls or
network address translations that would ordinarily block incoming connections
from the Web.
Ironically, the attackers did not take the additional steps of encrypting
the VPN traffic, nor did they route the Zeus
"phone-home" traffic over the VPN, Stewart said.
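The tunnel pattern described above (a workstation opening an outbound PPTP control channel on TCP/1723 to an outside address, followed by GRE carrying the tunnel data) is something a defender can look for in perimeter logs. The following is an added example, not SecureWorks' code or anything from the article; the key=value log format, the sample lines and the internal address ranges are all assumptions constructed for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines in a hypothetical key=value export
# format (not taken from the article or from any real device).
SAMPLE_LOG = """\
2009-07-29T09:12:03 src=10.0.5.23 dst=203.0.113.7 proto=tcp dport=1723 action=allow
2009-07-29T09:12:04 src=10.0.5.23 dst=203.0.113.7 proto=gre action=allow
2009-07-29T09:15:41 src=10.0.5.40 dst=10.0.1.2 proto=tcp dport=1723 action=allow
2009-07-29T09:15:42 src=10.0.5.40 dst=10.0.1.2 proto=gre action=allow
2009-07-29T09:20:10 src=10.0.5.51 dst=198.51.100.9 proto=tcp dport=443 action=allow
2009-07-29T09:22:00 src=10.0.5.77 dst=198.51.100.20 proto=tcp dport=1723 action=allow
"""

# Assumed internal ranges (RFC 1918); a corporate VPN concentrator inside
# these ranges is a legitimate PPTP destination and must not be flagged.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))? action=(?P<action>\w+)$"
)

def parse_lines(text):
    """Parse key=value log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_outbound_pptp(events):
    """Return (full, partial): full is a sorted list of (src, dst) pairs where an
    internal host opened TCP/1723 to an external address and GRE followed to the
    same destination; partial lists pairs where only one half was seen, which is
    a weaker signal worth a second look rather than an alert on its own."""
    seen = defaultdict(set)
    for e in events:
        dst = ipaddress.ip_address(e["dst"])
        if e["action"] != "allow" or any(dst in n for n in INTERNAL_NETS):
            continue  # blocked attempts and internal destinations are out of scope
        key = (e["src"], e["dst"])
        if e["proto"] == "tcp" and e["dport"] == "1723":
            seen[key].add("control")
        elif e["proto"] == "gre":
            seen[key].add("data")
    both = {"control", "data"}
    full = sorted(k for k, v in seen.items() if v == both)
    partial = sorted(k for k, v in seen.items() if v != both)
    return full, partial
```

Because the article notes the attackers left the tunnel traffic unencrypted, a full match here also marks a flow where packet capture would show the proxied traffic in the clear.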
A SecureWorks analysis of a copy of a database the scammers
left in a public location on the Internet revealed the names and
addresses of 2,884 job seekers who responded to recruitment e-mails as well as
account information and check templates for five companies. For a two-week
period, counterfeit checks totaling $40,880 written on these accounts were set
to be printed and sent to 14 money mules.
It's not clear just how much of that money made it to Russia,
however. In interviews with six of the money mules, SecureWorks found that several
became suspicious of the operation, and in one case a bank declared a check
of the mules
thought that they were initially signing up for legitimate
jobs and were certainly anxious to get a job, so it was quite disappointing to
them," Elizabeth Clarke, vice president of corporate communications for
SecureWorks, told eWEEK.
"People caught on when they got the second set of instructions that
says, 'OK, now you are going to send the money to St.
Petersburg in this amount,'" Stewart said. "It
becomes very real."
SecureWorks has contacted the FBI and advised businesses to use "positive pay" services
offered by their banks to help ensure only authorized checks are paid out.
"There [are] a lot of different weaknesses ... these guys are taking
advantage of all over the place," Stewart said. "The desperation of
job seekers, the easy access to their e-mail accounts through job sites, the
SQL injection flaws or the weak authentication schemes that everybody uses: all
of this has to be in place for them to do this on this scale."