[ISN] Researcher Exposes Massive Automated Check Counterfeiting Operation Out of Russia

From: InfoSec News <alerts_at_private>
Date: Thu, 29 Jul 2010 04:03:06 -0500 (CDT)
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226300183

By Kelly Jackson Higgins
DarkReading
July 28, 2010 

BLACK HAT USA -- Las Vegas -- A researcher has blown wide open a 
sophisticated online check-counterfeiting operation out of Russia that 
used a combination of a VPN'ed botnet, Zeus, and Gozi Trojans, SQL 
injection attacks, and money mules to print around $9 million worth of 
counterfeited U.S. checks in the past year.

The so-called "Big Boss" operation was uncovered during the past three 
months by Joe Stewart, director of malware research for the counter 
threat unit at Secureworks, who came across a new variant of the Zeus 
Trojan while dissecting another bit of malware. He then traced Zeus 
malware to a botnet, which he infiltrated, discovering that the traffic 
it was supporting was a counterfeiting checking operation.

"I've never seen this before. Check counterfeiting has always been an 
offline crime," Stewart says. Law enforcement has been alerted, and the 
operation remains under way as of now, he says.

In the end, Stewart found that the Russian-backed operation had printed 
and mailed out -- but not necessarily cashed in -- some $9 million in 
counterfeit checks from 1,280 bank accounts (mostly businesses and one 
U.S. government entity). The 3,285 checks that were mailed out tallied 
$65,000 in fraud against an overnight shipping firm. Some 2,884 
job-seekers on online job sites responded to email messages from the 
counterfeit operation that posed as employers, using fake names, like 
Global Business Payments Ltd., in order to appear legitimate. They lured 
the money mules by offering them jobs such as that of a check-processing 
manager.

Stewart says the botnet used some sophisticated and novel techniques, 
such as a VPN connection over the Windows Point-to-Point Tunneling 
Protocol. But the botnet itself wasn't as intriguing as the traffic it 
moved, that of the counterfeiting operation, he says.

[...]


5B
_________________________________________________________________
Attend Black Hat USA 2010, hosted at Caesars Palace in Las Vegas, Nevada
July 24-29th, offering over 60 training sessions and 11 tracks of Briefings
from security industry elite. To sign up visit http://www.blackhat.com
Received on Thu Jul 29 2010 - 02:03:06 PDT

This archive was generated by hypermail 2.2.0 : Thu Jul 29 2010 - 02:13:20 PDT