Black Hat: Massive Russian Cheque Fraud Disclosed

A three-month investigation by SecureWorks has uncovered an innovative check fraud operation that is estimated to have counterfeited $9 million (£5.76m) in cheques in the past year.

Gone are the days when thieves had to use low-tech methods such as cheque kiting to defraud banks. According to SecureWorks, a group of Russian cyber-criminals are using a mix of malware, money mules and SQL injection to get their hands on data from cheque image repositories run by services that archive checks on behalf of businesses.

“You write a cheque, it goes off to some processor somewhere, and at some point at the end of the chain it will get scanned electronically … [and archived] in some database somewhere,” explained Joe Stewart, director of malware research at SecureWorks. “That’s what these guys were hitting with this botnet.”

Black Hat, Las Vegas

From the Black Hat security conference in Las Vegas, Stewart pulled the covers off a 1,000- to 2,000-strong network of computers being used in a complicated scam to steal cheque information and wire money overseas. Using SQL injection vulnerabilities in Web sites of check archiving services, the attackers download images of cheques used by businesses—along with bank routing numbers, account holder names and other associated information.

Next, the scammers use off-the-shelf commercial check printing software utilised by legitimate companies to print counterfeit cheques that are then given to money mules to deposit. The mules are tasked with wiring the money to bank accounts in St. Petersburg, Russia, where Stewart speculated the money may be transferred into Web money and then converted into cash.

“The quicker [the attackers] can get the money wired out … the better their chances are of not getting discovered and having a bank withdraw the funds from the account,” Stewart said. “So they are very, very urgently trying to convey to the mule, ‘you got to get this processed as fast as you can.'”

Stewart uncovered the operation after analyzing a variant of the Zeus Trojan that established a virtual private network (VPN) connection between infected computers and a remote server using the point-to-point tunneling protocol functionality built into Microsoft Windows. The VPN tunnel allowed the attackers to proxy traffic back to the bots, bypassing any firewalls or network address translations that would ordinarily block incoming connections from the Web.

Ironically, the attackers did not take the additional steps of encrypting the VPN traffic, nor did they route the Zeus “phone-home” traffic over the VPN, Stewart said.
A SecureWorks analysis of a copy of a database the scammers left in a public location on the Internet revealed the names and addresses of 2,884 job seekers who responded to recruitment e-mails as well as account information and check templates for five companies. For a two-week period, counterfeit checks totaling $40,880 written on these accounts were set to be printed and sent to 14 money mules.

Money Mules

It’s not clear just how much of that money made it to Russia, however. In interviews with six of the money mules, SecureWorks found that several became suspicious of the operation, and in one case a bank declared a check invalid. “All of the mules thought that they were initially signing up for legitimate jobs and were certainly anxious to get a job, so it was quite disappointing to them,” Elizabeth Clarke, vice president of corporate communications for SecureWorks, told eWEEK. “People caught on when they got the second set of instructions that says, ‘OK, now you are going to send the money to St. Petersburg in this amount,'” Stewart said. “It becomes very real.”

SecureWorks has contacted the FBI and advised businesses to use “positive pay” services provided by banks to help ensure only authorized cheques are paid out. “There [are] a lot of different weaknesses … these guys are taking advantage of all over the place,” Stewart said. “The desperation of job seekers, the easy access to their e-mail accounts through job sites, the SQL injection flaws or the weak authentication schemes that everybody uses—all of this has to be in place for them to do this on this scale.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

5 hours ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

7 hours ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

8 hours ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

1 day ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

1 day ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

1 day ago