[real-eyes] PC Invader Costs Ky. County $415,000

  • From: "Steve" <kcpadfoot@xxxxxxxxx>
  • To: <real-eyes@xxxxxxxxxxxxx>
  • Date: Sat, 4 Jul 2009 08:02:00 -0500

The following is from:
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
Please go to the above link if you wish to access any of the links mentioned 
in this article.
Steve



Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks.

Bullitt County Attorney Walt Sholar said the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country (some individuals received multiple payments). On June 29, the county's bank realized something was wrong, and began requesting that the banks receiving those transfers start reversing them, Sholar said.

"Our bank told us they would know by Thursday how many of those transactions would be able to be reversed," Sholar said. "They told us they thought we would get some of the money back, they just weren't sure how much."

Sholar said the unauthorized transfers appear to have been driven by "some kind computer virus."

Security Fix has been communicating with a cyber crime investigator who is familiar with the case. What follows is a description of the malicious software used, a blow-by-blow account of how the attackers worked the heist, as well as interviews with a couple of women hired to receive the stolen funds and forward the money on to fraudsters in Ukraine. This case also serves as an example of how e-mail scams can be used to dupe unknowing victims into serving as accomplices in their plan.

According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.

Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives. By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions.

This might be enough to fool retail banks that serve regular online banking users, but Bullitt County's bank, like many other commercial banks, uses even more rigorous authentication schemes. For instance, some technologies adopted by commercial bank Web sites will use special Javascript programming techniques to look at various aspects of the customer's system -- including screen size, browser version, operating system, and a myriad other variables -- to create a unique "fingerprint" of their customers' computers. In such cases, even if criminals have hijacked a victim's Internet connection, a bank using this approach should still be able to detect that the customer is connecting from a different computer because the fingerprints won't match.

Also, the process of creating and approving outgoing wire transfers from the county's account could not be completed without two different authorized users signing off on the transaction. In the case of Bullitt County, that checks-and-balances system was designed to be carried out by the county treasurer and a local judge.

Finally, if for whatever reason the bank's system noticed that either account was being used from a PC with an unknown fingerprint, that login attempt would fail, and that user would be prompted to check their e-mail account for a special, one-time passphrase that would need to be re-entered along with the username and password, in order to gain access to the account.

According to the investigator, the attack against Bullitt County's bank account went down like this:

- The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account.
- The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection.
- Once logged in, the criminals changed the judge's password, as well as the e-mail address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an e-mail address the attackers controlled.
- They then created several fictitious employees of the county (these were the 25 real-life co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved.
- The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled.
- The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.

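The controls described above (the device fingerprint, the two-person approval, and the one-time passphrase sent by e-mail) and the sequence that got around them can be modelled as a small policy check. The Python below is an added example written for this post; it is not code from the article, from the county's bank, or from any real banking product. The account names, the three-day cooling-off period, the browser attributes and the event timeline are all constructed for illustration. It demonstrates two rules aimed at the weak points the sequence exploited: a one-time passphrase is never routed to a contact address that was changed within the cooling-off window (and only the account owner can change their own address), and a wire batch with an approval from an unrecognised device is held for out-of-band confirmation instead of being released. It also shows why a matching source IP is not enough on its own: a session proxied through the victim's own connection still carries the attacker's browser profile.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value: how long a newly changed OTP e-mail address is distrusted.
CONTACT_COOLDOWN = timedelta(days=3)


def fingerprint(attrs: dict) -> str:
    """Hash a canonical rendering of the attributes a bank's script might
    collect (screen size, browser version, OS, ...). Key order is irrelevant."""
    canon = ";".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class Account:
    user: str
    enrolled_fps: set          # fingerprints of devices this user has used before
    otp_email: str             # where the one-time passphrase is sent
    otp_email_changed_at: datetime = datetime.min


def login(acct: Account, attrs: dict, now: datetime, have_otp: bool = False) -> str:
    """Return 'allow', 'challenge' (an OTP would be e-mailed) or 'hold'.
    The source IP is deliberately not consulted: only an enrolled device
    profile earns a silent allow."""
    if fingerprint(attrs) in acct.enrolled_fps:
        return "allow"
    if now - acct.otp_email_changed_at < CONTACT_COOLDOWN:
        return "hold"          # never e-mail an OTP to a freshly changed address
    return "allow" if have_otp else "challenge"


def change_otp_email(acct: Account, actor: str, new_email: str, now: datetime) -> bool:
    """Only the account owner, in their own session, may change their OTP address."""
    if actor != acct.user:
        return False
    acct.otp_email = new_email
    acct.otp_email_changed_at = now
    return True


def approve_wire_batch(approvals: list) -> str:
    """Two distinct approvers are required (e.g. treasurer and judge); any
    approval from an unrecognised device holds the batch for phone confirmation."""
    if len({a["user"] for a in approvals}) < 2:
        return "rejected"
    if any(not a["device_known"] for a in approvals):
        return "hold"
    return "released"


def replay_constructed_sequence() -> dict:
    """Constructed timeline following the steps above; returns each decision."""
    t0 = datetime(2009, 6, 22, 9, 0)
    treasurer_pc = {"screen": "1280x1024", "browser": "IE7", "os": "WinXP"}
    judge_pc = {"screen": "1024x768", "browser": "IE6", "os": "WinXP"}
    attacker_pc = {"screen": "1440x900", "browser": "Firefox3", "os": "WinXP"}
    treasurer = Account("treasurer", {fingerprint(treasurer_pc)}, "treasurer@county.example")
    judge = Account("judge", {fingerprint(judge_pc)}, "judge@county.example")
    out = {}
    # Steps 1-2: stolen credentials, session tunnelled through the treasurer's
    # connection. Same IP, different browser profile -> challenge, not allow.
    out["tunnelled_login"] = login(treasurer, attacker_pc, t0)
    # Step 3: the treasurer's session tries to redirect the judge's OTP e-mail.
    out["judge_email_change"] = change_otp_email(judge, "treasurer", "drop@attacker.example", t0)
    # Suppose the change had gone through anyway: the cooldown still holds the
    # out-of-state login (steps 5-6), even with an intercepted passphrase in hand.
    judge.otp_email_changed_at = t0
    out["judge_login_outside_state"] = login(judge, attacker_pc, t0 + timedelta(hours=6), have_otp=True)
    # Steps 4 and 6: both approvals of the batch arrive from unrecognised devices.
    out["batch"] = approve_wire_batch([
        {"user": "treasurer", "device_known": False},
        {"user": "judge", "device_known": False},
    ])
    return out


if __name__ == "__main__":
    for event, decision in replay_constructed_sequence().items():
        print(f"{event:28s} -> {decision}")
```

Running the block prints the four decisions for the constructed timeline: the tunnelled login is challenged rather than allowed, the cross-account e-mail change is refused, the out-of-state login is held despite a valid passphrase, and the batch is held. A real deployment would back the hold states with a phone call to a number on file rather than to anything the session can edit.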
When asked to comment on this version of events, County Attorney Sholar said he was limited in what he could say, because the FBI had asked him not to discuss details of the case. But he did say that "We know there were initiations and approvals for wire transfers that were both generated and sent to the bank by computers that were physically located outside of the state of Kentucky."

The Role of the Money Mules - Scammed Into Serving
With the help of the cyber crime investigator, I was able to reach two of the 25 so-called "money mules" who were hired to act as intermediaries in this scam. Both were females under the age of 35 who initially were contacted after placing their resumes on Careerbuilder.com. Each received e-mails from a company calling itself Fairlove Delivery Service. Both women agreed to speak with Security Fix on the condition of anonymity.

Both were hired by Fairlove to edit documents for grammar and flow, and promised a pay of $8 for each kilobyte of data they processed (see the initial Careerbuilder scam e-mail here). The documents they were hired to edit often were full of grammatical errors and faulty or missing punctuation. Both money mules said it appeared that whoever wrote the letters was not a native English speaker.

It's not clear whether the cyber scammers first enlisted the mules as text editors in order to test their trustworthiness, or because they really needed their help making their scam letters look more believable. What is clear from looking at copies of the letters they were asked to edit is that they were editing missives that would be sent to recruit and scam other mules. Have a look at some of those yet-to-be-edited messages sent to our anonymous mules, viewable at this link here.

The first person I spoke with, a 34-year-old woman from Miami, had been editing texts e-mailed to her by Fairlove representatives for a couple of weeks. Shortly after she inquired about when she would be paid for her work, she received an e-mail asking if she'd be interested in a position as a "local agent" for the company. The Fairlove representative who contacted her via e-mail said something about how the company often had trouble getting money to its clients overseas as quickly as they needed it, and desperately needed help speeding up that process (at least they were honest on that claim). A description of the local agent job position, as sent to this woman, is available here.

Last Thursday, she received a deposit of more than $9,900, with instructions to wire all but about $500 (her 5 percent "commission") via Western Union to a bank account in Ukraine. The woman said she began to grow suspicious that "something wasn't right about the whole thing," and only wired $3,000 of the money. After being contacted by Security Fix about the scam, she learned from her bank that her account was frozen. Her bank assured her if she could come in and produce the e-mails showing she'd been caught up in a scam, they might be able to work something out.

The second woman I spoke with, a 27-year-old single mom, also from Florida, was not so lucky. She had more than $9,700 transferred into her checking account from Bullitt County's bank by the fraudsters on Monday. She pulled nearly all of that amount out of her bank almost immediately, wiring nearly $9,200 to the scammers in the Ukraine. Shortly after that, her bank reversed the initial $9,700 deposit at the request of Bullitt County's bank. Her bank now says she is on the hook for that amount: her checking account balance is now almost $9,000 in the red.

Here are a couple of observations and tips so you don't get scammed, however obvious they may be:

- Avoid responding to job offers sent via e-mail. If you use job search Web sites like Monster.com and CareerBuilder.com, at least be aware that criminal gangs use these sites also, to recruit the desperate, unwary, and the greedy.
- If you get in bed with a company that you haven't even researched on Google, expect to regret that decision: A search on Fairlove Delivery Service returns little but page after page of complaints from other job searchers scammed by these criminals.
- Avoid clicking on links in e-mails that you are not expecting, and be particularly wary of any e-mail that warns of dire consequences unless you act or respond immediately. The malware used to infect Bullitt County's computers was part of a huge Zeus/Zbot spam campaign that has been ongoing for the past several weeks now, variously disguised as alerts about greeting cards, package tracking numbers, and security updates from Microsoft.
- The last time I wrote about money mule scams, some readers wrote in to say, in effect: "The mules were stupid: They should have just taken ALL of the money." These readers miss the fundamental point about these scams that the bad guys understand all too well: it's all about the timing. The bank will always recall the deposit. It's just a matter of when.
- Be extremely wary -- nay, run away from -- any transaction in which the other party asks you to convert a revocable transaction into an irrevocable one. Hard cash sent via Western Union, Moneygram and other wire transfer services is an example of an irrevocable transaction: Once it's done, there's no undoing it. On the other hand, checks can be canceled, and deposits can be reversed.

By Brian Krebs  |  July 2, 2009; 5:14 PM ET

