Russian Gang Used Botnets for Sophisticated Check Counterfeiting

A sophisticated check-counterfeiting gang has been uncovered by Joe Stewart, Director of Malware Research at SecureWorks. The gang uses a group of compromised computers (a botnet) to pilfer check data, print millions of dollars' worth of fake checks and then hire money mules to cash them, according to news published by The Register on July 28, 2010.

The cybercriminals commit widespread check forgery using a complex and innovative scheme. According to Stewart, the highly automated scam starts by breaking into online check archiving and verification services, which hold images of a large number of previously cashed checks.

The scam then scrapes job websites for the email addresses of people looking for work and sends them personalized messages offering positions that involve handling financial transactions for a foreign firm.

Stewart disclosed that a network of about 1,000 to 2,000 compromised computers had been used in the complex scam to pilfer check information and wire money overseas.

The attackers download check images by exploiting SQL injection vulnerabilities in the websites of check archiving services. Along with the images, they steal account-holder names, bank routing numbers and other associated information.

Many check images were downloaded from services that merchants use to guard against check fraud. One of the websites was hacked by way of an SQL injection attack. In other cases, the attackers logged in with legitimate users' account credentials, which had been stolen with the help of the Zeus and Gozi password-stealing Trojans.

The check images were stored in the archiving company's database, so the hackers evidently used stolen credentials for that company's service to reach them.
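The report does not say which query the check archiving site got wrong, so the following is an added illustration, not code from the page or from any of the services involved. It models a hypothetical "look up a check image by routing and account number" endpoint backed by an in-memory SQLite table with constructed rows, shows how a tautology payload in the vulnerable version dumps every archived image, and shows the same lookup with bound parameters returning nothing for that payload. Table layout, column names and sample values are all assumptions made for the example.

```python
import sqlite3

# Constructed sample archive rows: id, routing number, account number,
# account holder, image path. All values are made up for this example.
SAMPLE_CHECKS = [
    (1, "111000025", "100200300", "Alice Example", "img/0001.tif"),
    (2, "111000025", "100200301", "Bob Example", "img/0002.tif"),
    (3, "021000021", "555666777", "Carol Example", "img/0003.tif"),
]


def make_db():
    """Build an in-memory SQLite archive holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checks (id INTEGER PRIMARY KEY, routing TEXT, "
        "account TEXT, holder TEXT, image_path TEXT)"
    )
    conn.executemany("INSERT INTO checks VALUES (?, ?, ?, ?, ?)", SAMPLE_CHECKS)
    return conn


def lookup_vulnerable(conn, routing, account):
    """Hypothetical lookup endpoint that splices user input straight into the
    SQL text. This is the injectable pattern: the input becomes part of the
    query's grammar instead of being treated as data."""
    sql = (
        "SELECT id, holder, image_path FROM checks "
        f"WHERE routing = '{routing}' AND account = '{account}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, routing, account):
    """Same lookup with bound parameters. The driver sends the values
    separately from the SQL, so quotes in the input cannot alter the query."""
    sql = (
        "SELECT id, holder, image_path FROM checks "
        "WHERE routing = ? AND account = ?"
    )
    return conn.execute(sql, (routing, account)).fetchall()


# Classic tautology payload: closes the string literal and adds an
# always-true clause. Injected into both fields of the vulnerable query it
# yields  WHERE routing = '' OR '1'='1' AND account = '' OR '1'='1'
# which matches every row in the archive.
DUMP_ALL = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("legit input, vulnerable:", lookup_vulnerable(conn, "111000025", "100200300"))
    print("payload, vulnerable:    ", lookup_vulnerable(conn, DUMP_ALL, DUMP_ALL))
    print("payload, safe:          ", lookup_safe(conn, DUMP_ALL, DUMP_ALL))
```

Parameterization fixes the query-grammar problem, but a check archive also needs authorization on the row level: even a correctly parameterized lookup hands out another customer's image if the endpoint never checks that the caller is allowed to see that routing and account pair, which is the path the stolen Zeus/Gozi credentials in this story exploited.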

According to the reports, Stewart first noticed the scheme in April 2010. Analysis further revealed that the malware established a virtual private network (VPN) connection between each infected computer and a remote server, using the Point-to-Point Tunneling Protocol (PPTP) functionality built into Microsoft Windows.

Because the bot initiates the tunnel outbound, the attackers can proxy traffic back through it to the bot, bypassing any network address translation or firewall that would ordinarily block incoming connections from the Internet.
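A bot-initiated PPTP tunnel leaves a recognisable footprint at the network edge: a TCP control connection to port 1723 followed by GRE (IP protocol 47) traffic to the same external address. The following is an added detection example, written for this page and not taken from SecureWorks or the original report. It parses constructed flow records in a simple space-separated format, pairs each internal source with the external destinations it speaks PPTP to, ignores an allowlist of approved VPN concentrators, and flags the rest, distinguishing a control connection alone from a tunnel that actually carried GRE data. The internal ranges, the approved server address and the log format are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Approved corporate PPTP concentrators (hypothetical address); a workstation
# tunnelling PPTP to anything else is treated as suspect.
APPROVED_PPTP_SERVERS = {"203.0.113.10"}

# Address ranges considered "inside" for the outbound check (assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

PPTP_CONTROL_PORT = 1723

# Constructed flow records (not real logs), one per line:
#   timestamp src_ip dst_ip proto dst_port     ('-' port for GRE, which has none)
SAMPLE_FLOWS = """\
2010-07-28T09:00:01 10.1.2.33 198.51.100.7 tcp 1723
2010-07-28T09:00:02 10.1.2.33 198.51.100.7 gre -
2010-07-28T09:00:05 10.1.2.33 198.51.100.7 gre -
2010-07-28T09:01:00 10.1.2.40 203.0.113.10 tcp 1723
2010-07-28T09:01:01 10.1.2.40 203.0.113.10 gre -
2010-07-28T09:02:00 10.1.2.51 198.51.100.9 tcp 443
2010-07-28T09:03:00 10.1.2.60 198.51.100.12 tcp 1723
"""


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the space-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({
            "ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": None if dport == "-" else int(dport),
        })
    return flows


def find_pptp_tunnels(flows):
    """Return one alert per (internal src, external dst) pair that opened a
    PPTP control connection to a non-approved server. 'tunnel_up' is True
    when GRE data flows were also seen, i.e. the tunnel actually came up."""
    seen = defaultdict(lambda: {"control": False, "gre": 0})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                      # only outbound, inside -> outside
        key = (f["src"], f["dst"])
        if f["proto"] == "tcp" and f["dport"] == PPTP_CONTROL_PORT:
            seen[key]["control"] = True
        elif f["proto"] == "gre":
            seen[key]["gre"] += 1

    alerts = []
    for (src, dst), s in sorted(seen.items()):
        if dst in APPROVED_PPTP_SERVERS or not s["control"]:
            continue                      # approved concentrator, or no PPTP at all
        alerts.append({
            "src": src, "dst": dst,
            "tunnel_up": s["gre"] > 0, "gre_flows": s["gre"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_pptp_tunnels(parse_flows(SAMPLE_FLOWS)):
        state = "tunnel up" if alert["tunnel_up"] else "control only"
        print(f"{alert['src']} -> {alert['dst']}: PPTP to non-approved server ({state})")
```

Pairing the control port with GRE to the same destination keeps the rule from firing on unrelated GRE tunnels, but GRE by itself is still worth watching, and the simplest control is preventive: workstations rarely need outbound TCP/1723 or GRE at all, and PPTP's MS-CHAPv2 authentication is weak enough that it should not be an approved remote-access protocol in the first place.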

Security experts said that most organized hacking rings targeting banks these days steal login credentials, taking advantage of the relatively new opportunities offered by online account access, such as wire transfers and other means of misdirecting electronic funds.


» SPAMfighter News - 8/7/2010
