Accounts Are Later Abandoned
A large number of companies have been registered to handle these transfers, and the accounts are abandoned after being used a handful of times. The names of various port cities in Heilongjiang are used in the company names, along with variations on the words "economic and trade," "trade" and "LTD." Since the cities are all along the Russia-China border, the criminals can be based in either country. The FBI did not indicate in the advisory where the thieves are suspected to be located. The criminal gang also sent domestic Automated Clearing House and wire transfers to money mules in the United States shortly after sending the unauthorized wire transfers to China. It is unclear at this time where those funds end up. Automated Clearing House is an electronic network that processes large volumes of financial transactions, whether that's consumers paying mortgage and insurance bills or businesses making direct deposit payroll and vendor payments.The domestic wire transfers range from $200 to $200,000, and the ACH transfers range from $222,500 to $1.2 million.Most of the affected organizations have accounts at local community banks and credit unions, many of which use third-party service providers for online banking, said the advisory. This makes it easier for the criminals to remain inconspicuous as the individual wire transfers range from tens of thousands of dollars to $985,000. The criminals are generally more successful in receiving the illegal transfers when the sent amounts are less than $500,000, according to the FBI. The FBI warning seems to confirm the emerging threat that attackers are beginning to target small and midsize companies in online fraud. In the recent Business Banking Trust Study from Ponemon Institute and Guardian Analytics, 56 percent of businesses reported experiencing payments fraud or attempted fraud in the past year. In 78 percent of the cases, banks failed to stop the illegal wire transfers, the report found. The FBI recommended that financial institutions notify their business customers of any wire transfers going to the Heilongjiang port-cities, including Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning. The institutions should also be scrutinizing all wire activity going to those cities, especially if the customer has no prior history with that region of the world. Several data-stealing Trojans have been used in this type of fraud, including Zeus, Backdoor.bot and Spybot, according to the FBI. The Zeus Trojan can steal codes generated by multifactor authentication tokens and use them to log in to accounts requiring usernames, password and token IDs. Backdoor.bot has a worm, downloader and keylogger. Both Backdoor.bot and Spybot run in the background and allow attackers to remotely access the compromised machine.