Scammers Transfer $11 Million Stolen from SMBs to China

By Fahmida Y. Rashid  |  Posted 2011-04-28

Scammers Transfer $11 Million Stolen from SMBs to China

Scammers successfully transferred more than $11 million stolen from small and midsize businesses to companies in China in the past year, according to the FBI.

Cyber-criminals stole banking credentials from companies and public institutions in the United States to fraudulently wire millions of dollars to Chinese companies, warned the FBI in a fraud alert issued April 26. There were 20 such incidents between March 2010 and April 2011, where the attackers attempted to steal $20 million and succeeded in stealing about $11 million, according to the federal agency.

In most cases, the thieves use phishing emails or rogue Websites loaded with data-stealing malware to compromise the computer of someone within the targeted company. When the victim, who generally has the authority to initiate funds transfers, tries to log into the Website, he or she is redirected to a page claiming the site is under maintenance.

At this point, criminals use the stolen log-in credentials to transfer money from the victims' accounts to intermediary accounts at a different United States bank, often located in New York. The funds are then transferred overseas to an account owned by one of the "economic and trade companies" located in China's Heilongjiang province. The stolen money is immediately withdrawn or transferred again from that Chinese account, the FBI said.

"It is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination, or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds," said the advisory. The FBI alert listed both the Agricultural Bank of China and the Industrial and Commercial Bank of China in the advisory.

Accounts Are Later Abandoned


A large number of companies have been registered to handle these transfers, and the accounts are abandoned after being used a handful of times. The names of various port cities in Heilongjiang are used in the company names, along with variations on the words "economic and trade," "trade" and "LTD." Since the cities are all along the Russia-China border, the criminals can be based in either country. The FBI did not indicate in the advisory where the thieves are suspected to be located.

The criminal gang also sent domestic Automated Clearing House and wire transfers to money mules in the United States shortly after sending the unauthorized wire transfers to China. It is unclear at this time where those funds end up. Automated Clearing House is an electronic network that processes large volumes of financial transactions, whether that's consumers paying mortgage and insurance bills or businesses making direct deposit payroll and vendor payments.

The domestic wire transfers range from $200 to $200,000, and the ACH transfers range from $222,500 to $1.2 million.

Most of the affected organizations have accounts at local community banks and credit unions, many of which use third-party service providers for online banking, said the advisory. This makes it easier for the criminals to remain inconspicuous as the individual wire transfers range from tens of thousands of dollars to $985,000. The criminals are generally more successful in receiving the illegal transfers when the sent amounts are less than $500,000, according to the FBI.

The FBI warning seems to confirm the emerging threat that attackers are beginning to target small and midsize companies in online fraud. In the recent Business Banking Trust Study from Ponemon Institute and Guardian Analytics, 56 percent of businesses reported experiencing payments fraud or attempted fraud in the past year. In 78 percent of the cases, banks failed to stop the illegal wire transfers, the report found.

The FBI recommended that financial institutions notify their business customers of any wire transfers going to the Heilongjiang port-cities, including Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning. The institutions should also be scrutinizing all wire activity going to those cities, especially if the customer has no prior history with that region of the world.

Several data-stealing Trojans have been used in this type of fraud, including Zeus, and Spybot, according to the FBI. The Zeus Trojan can steal codes generated by multifactor authentication tokens and use them to log in to accounts requiring usernames, password and token IDs. has a worm, downloader and keylogger. Both and Spybot run in the background and allow attackers to remotely access the compromised machine.

Rocket Fuel