Black Hat: Massive Russian Cheque Fraud Disclosed

Cyber-criminals are using a complex, innovative scheme to commit widespread check forgery

A three-month investigation by SecureWorks has uncovered an innovative check fraud operation that is estimated to have counterfeited $9 million (£5.76m) in cheques in the past year.

Gone are the days when thieves had to use low-tech methods such as cheque kiting to defraud banks. According to SecureWorks, a group of Russian cyber-criminals are using a mix of malware, money mules and SQL injection to get their hands on data from cheque image repositories run by services that archive checks on behalf of businesses.

“You write a cheque, it goes off to some processor somewhere, and at some point at the end of the chain it will get scanned electronically … [and archived] in some database somewhere,” explained Joe Stewart, director of malware research at SecureWorks. “That’s what these guys were hitting with this botnet.”

Black Hat, Las Vegas

From the Black Hat security conference in Las Vegas, Stewart pulled the covers off a 1,000- to 2,000-strong network of computers being used in a complicated scam to steal cheque information and wire money overseas. Using SQL injection vulnerabilities in Web sites of check archiving services, the attackers download images of cheques used by businesses—along with bank routing numbers, account holder names and other associated information.

Next, the scammers use off-the-shelf commercial check printing software utilised by legitimate companies to print counterfeit cheques that are then given to money mules to deposit. The mules are tasked with wiring the money to bank accounts in St. Petersburg, Russia, where Stewart speculated the money may be transferred into Web money and then converted into cash.

“The quicker [the attackers] can get the money wired out … the better their chances are of not getting discovered and having a bank withdraw the funds from the account,” Stewart said. “So they are very, very urgently trying to convey to the mule, ‘you got to get this processed as fast as you can.'”

Stewart uncovered the operation after analyzing a variant of the Zeus Trojan that established a virtual private network (VPN) connection between infected computers and a remote server using the point-to-point tunneling protocol functionality built into Microsoft Windows. The VPN tunnel allowed the attackers to proxy traffic back to the bots, bypassing any firewalls or network address translations that would ordinarily block incoming connections from the Web.

Ironically, the attackers did not take the additional steps of encrypting the VPN traffic, nor did they route the Zeus “phone-home” traffic over the VPN, Stewart said.
A SecureWorks analysis of a copy of a database the scammers left in a public location on the Internet revealed the names and addresses of 2,884 job seekers who responded to recruitment e-mails as well as account information and check templates for five companies. For a two-week period, counterfeit checks totaling $40,880 written on these accounts were set to be printed and sent to 14 money mules.

Money Mules

It’s not clear just how much of that money made it to Russia, however. In interviews with six of the money mules, SecureWorks found that several became suspicious of the operation, and in one case a bank declared a check invalid. “All of the mules thought that they were initially signing up for legitimate jobs and were certainly anxious to get a job, so it was quite disappointing to them,” Elizabeth Clarke, vice president of corporate communications for SecureWorks, told eWEEK. “People caught on when they got the second set of instructions that says, ‘OK, now you are going to send the money to St. Petersburg in this amount,'” Stewart said. “It becomes very real.”

SecureWorks has contacted the FBI and advised businesses to use “positive pay” services provided by banks to help ensure only authorized cheques are paid out. “There [are] a lot of different weaknesses … these guys are taking advantage of all over the place,” Stewart said. “The desperation of job seekers, the easy access to their e-mail accounts through job sites, the SQL injection flaws or the weak authentication schemes that everybody uses—all of this has to be in place for them to do this on this scale.”