
Check counterfeiting using botnets and money mules

SecureWorks uncovers bizarre criminal operation that uses digital techniques to aid in old-school check counterfeiting.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
 
This illustration traces the path between the proxy PCs, Web sites of shippers and check image repositories and Web-based e-mail accounts and the crime server as well as between the crime group and the person enlisted to send the counterfeit checks to money mules in the U.S. who wire money to Russia. SecureWorks

LAS VEGAS--A Russian group is doing check counterfeiting in the U.S. using malware, botnets, virtual private networks, and money mules recruited online, according to research expected to be revealed at the Black Hat hacker conference here on Wednesday.

The SecureWorks Counter Threat Unit investigated the bizarre operation over three months and is now working with law enforcement to find out who is responsible for the scam, which is believed to have netted as much as $9 million from fake checks in the last year.

SecureWorks researchers uncovered the complicated operation in April when it discovered a unique variant of the well-known Zeus Trojan that targets Windows-based PCs. In addition to stealing login credentials, the Trojan established a virtual private network (VPN) connection from the infected computer to a remote server using the PPTP (Point-to-Point Tunneling Protocol) functionality in Windows and listened to a random TCP (Transmission Control Protocol) port in order to serve as a SOCKS proxy.

SecureWorks researchers analyzed the Zeus sample and found the term "big boss finance" in the code and decided to dub the operation "Big Boss."

"It was surprising. The whole purpose was to do large-scale check counterfeiting, which I'd never seen in conjunction with a botnet before," Joe Stewart, director of malware research at SecureWorks, told CNET on Tuesday. "They're using new techniques to do an old-school crime."

Using the VPN technology built into Windows allows the attackers to defeat signature-based network intrusion detection and prevention systems and makes it appear that the botnet controller is offline while it is still serving commands and stealing data, Stewart said. The proxy aspect allows the attackers to use the botnet to access Web sites without being blocked easily.
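The two network behaviours described above, a PPTP tunnel from an infected PC to an attacker-controlled server and a SOCKS proxy listening on a random high TCP port, are what a defender would hunt for. The following is an added example written for this page, not code from SecureWorks or from the report; it runs simple checks over constructed flow and listening-socket records. The log formats, IP ranges, process names and the "approved VPN" list are all assumptions made for the illustration.

```python
# Added example (not from the SecureWorks report or the CNET article): flag
# hosts that set up PPTP to an unapproved peer, and hosts with a socket bound
# on all interfaces to an unexpected high port (the footprint of an ad-hoc
# SOCKS proxy). All sample data and ranges below are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organisation's legitimate PPTP/VPN concentrators live here.
APPROVED_VPN_NETS = [ip_network("203.0.113.0/24")]

# Constructed flow records in a simple "src dst proto dport" format.
# PPTP uses TCP/1723 for its control channel and GRE (IP protocol 47,
# no port) for the tunnel itself.
SAMPLE_FLOWS = """\
10.0.0.21 203.0.113.7 tcp 1723
10.0.0.21 203.0.113.7 gre 0
10.0.0.42 198.51.100.9 tcp 1723
10.0.0.42 198.51.100.9 gre 0
10.0.0.42 198.51.100.9 gre 0
10.0.0.55 93.184.216.34 tcp 443
10.0.0.60 198.51.100.9 tcp 1723
""".splitlines()

# Constructed listening-socket records: "host proto local_addr:port process".
SAMPLE_LISTENERS = """\
10.0.0.42 tcp 0.0.0.0:49211 svchost.exe
10.0.0.55 tcp 0.0.0.0:3389 svchost.exe
10.0.0.21 tcp 127.0.0.1:5939 agent.exe
""".splitlines()

# Assumption: high ports the fleet is expected to listen on.
KNOWN_LISTEN_PORTS = {3389, 5985, 5986}


def parse_flow(line):
    src, dst, proto, dport = line.split()
    return ip_address(src), ip_address(dst), proto.lower(), int(dport)


def is_approved_vpn(dst):
    return any(dst in net for net in APPROVED_VPN_NETS)


def find_pptp_tunnels(lines):
    """Return {src: dst} for hosts that built a PPTP session to an
    unapproved peer. Requiring both the TCP/1723 control channel and GRE
    traffic to the same peer avoids alerting on a lone port probe."""
    control = defaultdict(set)
    tunnel = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if proto == "tcp" and dport == 1723:
            control[src].add(dst)
        elif proto == "gre":
            tunnel[src].add(dst)
    hits = {}
    for src, peers in control.items():
        for dst in peers & tunnel.get(src, set()):
            if not is_approved_vpn(dst):
                hits[str(src)] = str(dst)
    return hits


def find_suspicious_listeners(lines, known_ports=KNOWN_LISTEN_PORTS):
    """Return [(host, port, process)] for TCP sockets bound on 0.0.0.0 to a
    high port that is not on the expected list."""
    hits = []
    for line in lines:
        host, proto, local, proc = line.split()
        addr, port = local.rsplit(":", 1)
        port = int(port)
        if proto == "tcp" and addr == "0.0.0.0" and port >= 1024 and port not in known_ports:
            hits.append((host, port, proc))
    return hits


if __name__ == "__main__":
    for src, dst in find_pptp_tunnels(SAMPLE_FLOWS).items():
        print(f"PPTP tunnel to unapproved peer: {src} -> {dst}")
    for host, port, proc in find_suspicious_listeners(SAMPLE_LISTENERS):
        print(f"unexpected listener: {host}:{port} ({proc})")
```

On the constructed data, 10.0.0.21 is ignored because its PPTP peer is in the approved range, 10.0.0.60 is ignored because it only touched TCP/1723 without any GRE traffic, and 10.0.0.42 is reported on both checks. Correlating the two findings on one host is the signal worth escalating; either alone is noisy on a real network.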

The infected PCs were being used to spam Web-based e-mail services with money mule job offer messages; scrape new e-mail addresses off job Web sites; automate the breaking of captcha technologies; abuse URL-shortening services designed to obfuscate dubious links in spam; scrape check images from sites archiving processed checks stored in digital format; and purchase overnight package delivery service self-print postage labels to send checks to money mules, all in an automated fashion, according to the report.

Basically, the scammers would send spam to job seekers on employment Web sites and send them e-mails recruiting them for vague jobs in which they were promised a commission for cashing checks and wiring money to Russia, Stewart said. The scammers would even call money mules who failed to wire the money immediately, he said.

More than 2,800 job seekers were listed in the scammers' money mule database; however, it appeared that most of them did not complete the transaction and wire the money, either because they were alerted to the fraud by the bank or because they got suspicious, he said.

The checks the group was sending to the money mules looked authentic but contained poor grammar and misspellings. They were created using image data stolen from processed checks at digital storage sites that were mostly compromised with stolen login credentials obtained via SQL injection or other attacks on the sites, Stewart said.

Meanwhile, the scammers used stolen credit cards to rack up more than $65,000 in fraudulent overnight shipping charges.

The Big Boss group also was found to be sending spear-phishing e-mail designed to entice recipients to download credential-stealing malware, the report said. The recipients were largely involved in processing financial transactions for companies.