E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: eWeek

Posted on August 2, 2010

A three-month investigation by SecureWorks has uncovered an innovative cheque fraud operation that is estimated to have counterfeited $9 million in cheques in the past year.

Gone are the days when thieves had to use low-tech methods such as cheque kiting to defraud banks. According to SecureWorks, a group of Russian cyber-criminals are using a mix of malware, money mules and SQL injection to get their hands on data from cheque image repositories run by services that archive cheques on behalf of businesses.

"You write a cheque, it goes off to some processor somewhere, and at some point at the end of the chain it will get scanned electronically ... [and archived] in some database somewhere," explained Joe Stewart, director of malware research at SecureWorks. "That's what these guys were hitting with this botnet."

From the Black Hat security conference in Las Vegas, Stewart pulled the covers off a 1,000- to 2,000-strong network of computers being used in a complicated scam to steal cheque information and wire money overseas. Using SQL injection vulnerabilities in Web sites of cheque archiving services, the attackers download images of cheques used by businesses - along with bank routing numbers, accountholder names and other associated information.

Next, the scammers use off-the-shelf commercial cheque printing software utilized by legitimate companies to print counterfeit cheques that are then given to money mules to deposit. The mules are tasked with wiring the money to bank accounts in St. Petersburg, Russia, where Stewart speculated the money may be transferred into Web money and then converted into cash.

"The quicker [the attackers] can get the money wired out ... the better their chances are of not getting discovered and having a bank withdraw the funds from the account," Stewart said. "So they are very, very urgently trying to convey to the mule, 'you got to get this processed as fast as you can.'"

Stewart uncovered the operation after analyzing a variant of the Zeus Trojan that established a virtual private network (VPN) connection between infected computers and a remote server using the point-to-point tunneling protocol functionality built into Microsoft Windows. The VPN tunnel allowed the attackers to proxy traffic back to the bots, bypassing any firewalls or network address translations that would ordinarily block incoming connections from the Web.

Ironically, the attackers did not take the additional steps of encrypting the VPN traffic, nor did they route the Zeus "phone-home" traffic over the VPN, Stewart said.
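A defender-side illustration of the PPTP detail above, added here and not part of the eWeek article or the SecureWorks analysis: it scans flow records for internal hosts that open PPTP sessions (TCP port 1723 control channel, GRE data channel) to external servers that are not sanctioned VPN gateways. The record format, addresses, internal range and gateway allowlist are constructed assumptions.

```python
import ipaddress

# Constructed sample flow records (not taken from the SecureWorks report):
# source IP, destination IP, IP protocol number, destination port (0 if none).
SAMPLE_FLOWS = """\
10.0.4.17,203.0.113.50,6,1723
10.0.4.17,203.0.113.50,47,0
10.0.4.22,198.51.100.9,6,443
10.0.7.3,192.0.2.10,6,1723
10.0.7.3,192.0.2.10,47,0
10.0.9.8,10.0.1.5,6,1723
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
APPROVED_VPN_GATEWAYS = {ipaddress.ip_address("192.0.2.10")}  # assumed allowlist

PROTO_TCP, PROTO_GRE = 6, 47   # PPTP tunnels its data inside GRE (IP protocol 47)
PPTP_CONTROL_PORT = 1723       # PPTP control channel is TCP/1723


def find_unsanctioned_pptp(flow_text, approved=APPROVED_VPN_GATEWAYS):
    """Map each internal host to the unapproved external peers it spoke PPTP to."""
    findings = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src_s, dst_s, proto_s, port_s = (f.strip() for f in line.split(","))
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        proto, port = int(proto_s), int(port_s)
        # Only outbound sessions: internal client, external peer, not allowlisted.
        if src not in INTERNAL_NET or dst in INTERNAL_NET or dst in approved:
            continue
        if proto == PROTO_TCP and port == PPTP_CONTROL_PORT:
            evidence = "pptp-control"
        elif proto == PROTO_GRE:
            evidence = "gre-data"
        else:
            continue
        findings.setdefault(src_s, {}).setdefault(dst_s, set()).add(evidence)
    # Sort evidence so the result is stable for reporting and comparison.
    return {h: {p: sorted(e) for p, e in peers.items()} for h, peers in findings.items()}


if __name__ == "__main__":
    for host, peers in find_unsanctioned_pptp(SAMPLE_FLOWS).items():
        for peer, evidence in peers.items():
            print(f"{host} -> {peer}: {', '.join(evidence)}")
```

A workstation showing both the control channel and GRE traffic to an unlisted external peer has an established tunnel, which makes it a stronger lead than a lone connection attempt on port 1723.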

A SecureWorks analysis of a copy of a database the scammers left in a public location on the Internet revealed the names and addresses of 2,884 job seekers who responded to recruitment e-mails as well as account information and cheque templates for five companies. For a two-week period, counterfeit cheques totaling $40,880 written on these accounts were set to be printed and sent to 14 money mules.

It's not clear just how much of that money made it to Russia, however. In interviews with six of the money mules, SecureWorks found that several became suspicious of the operation, and in one case a bank declared a cheque invalid.

"All the mules thought that they were initially signing up for legitimate jobs and were certainly anxious to get a job, so it was quite disappointing to them," Elizabeth Clarke, vice president of corporate communications for SecureWorks, told eWEEK.

"People caught on when they got the second set of instructions that says, 'OK, now you are going to send the money to St. Petersburg in this amount,'" Stewart said. "It becomes very real."

SecureWorks has contacted the FBI and advised businesses to use "positive pay" services provided by banks to help ensure only authorized cheques are paid out.

"There [are] a lot of different weaknesses ... these guys are taking advantage of all over the place," Stewart said. "The desperation of job seekers, the easy access to their e-mail accounts through job sites, the SQL injection flaws or the weak authentication schemes that everybody uses - all of this has to be in place for them to do this on this scale."


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
