By Kelly Jackson Higgins
July 28, 2010
BLACK HAT USA -- Las Vegas -- A researcher has blown wide open a
sophisticated online check-counterfeiting operation out of Russia that
used a combination of a VPN'ed botnet, the Zeus and Gozi Trojans, SQL
injection attacks, and money mules to print around $9 million worth of
counterfeit U.S. checks in the past year.
The so-called "Big Boss" operation was uncovered during the past three
months by Joe Stewart, director of malware research for the Counter
Threat Unit at Secureworks, who came across a new variant of the Zeus
Trojan while dissecting another bit of malware. He then traced the Zeus
malware to a botnet, which he infiltrated, discovering that the traffic
it was carrying belonged to a check-counterfeiting operation.
"I've never seen this before. Check counterfeiting has always been an
offline crime," Stewart says. Law enforcement has been alerted, and the
operation remains under way as of now, he says.
In the end, Stewart found that the Russian-backed operation had printed
and mailed out -- but not necessarily cashed in -- some $9 million in
counterfeit checks from 1,280 bank accounts (mostly businesses and one
U.S. government entity). The 3,285 checks that were mailed out tallied
$65,000 in fraud against an overnight shipping firm. Some 2,884
job-seekers on online job sites responded to email messages from the
counterfeit operation that posed as employers, using fake names, like
Global Business Payments Ltd., in order to appear legitimate. They lured
the money mules by offering them jobs such as that of a check-processing
Stewart says the botnet used some sophisticated and novel techniques,
such as a VPN connection over the Windows Point-to-Point Tunneling
Protocol. But the botnet itself wasn't as intriguing as the traffic it
moved, that of the counterfeiting operation, he says.