RSA FraudAction Research Lab has uncovered the workings behind a recent re-shipping scam in which U.S. residents were used as mules to send goods purchased with stolen credit card numbers overseas.
The operation began a year ago and received applications from more than 1,900 people, though only 33 people were "hired," according to an RSA FraudAction Research Lab blog post on Thursday.
Laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before the scam ended earlier this year.
The operation masqueraded as a company called "Air Parcel Express," and it had an authentic-looking Web site, RSA said. However, there is a legitimate shipping firm with the same name that is completely unassociated with the scam.
The use of unwitting accomplices to re-ship items purchased fraudulently in the U.S. to other countries is not new. However, the degree to which the scammers went in creating the illusion of legitimacy is noteworthy, RSA said.
"They had a really professional, highly executed effort in recruiting the re-shippers, which is fairly novel," said Sean Brady, senior manager of identity protection and verification at RSA. "The average re-shipping campaign is based on e-mail or ads that direct people to a crude location" on the Web, he added.
Here's how the scams work. Criminals obtain credit card numbers through phishing, Trojan attacks, and hacking into databases, like those of Heartland Payment Systems and RBS WorldPay. They use the information to buy items online, typically electronic goods that they can resell at a high profit, and typically purchased in the U.S., where they are cheaper.
The criminals recruit U.S. residents to receive and re-ship the goods out. Re-shippers are asked to unpack the item from the merchant's box and put it in a plain box, probably so the boxes face less scrutiny at customs, Brady said.
To find the mules, the criminals advertise on legitimate employment Web sites and on search engines. Usually, the re-shippers don't get paid as promised, RSA said.
"What's interesting is that criminals in Eastern Europe can orchestrate the campaign, recruit in the U.S., and ship to Europe without ever needing to have any level of personal contact" with the re-shippers, Brady said.
More information on how job seekers can detect scams is available from the Privacy Rights Clearinghouse, as well as Monster.com and the U.S. Federal Trade Commission.
The Web site for the re-shipping operation (shown here) looked legitimate, RSA says.
(Credit: RSA)
(Credit: FBI)
Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.
"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.
The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.
Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses that have been victims of online theft and detailing the attacks.
Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.
The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password and creates another account using that information or initiates a funds transfer masquerading as the authorized user.
The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.
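One detection control a bank or corporate treasury team could run over outbound transfers, written here as an added example for this article (it is not code from the FBI or from the IC3 report): it flags clusters of transfers that sit just under the $10,000 reporting threshold mentioned above and go to recently added payees, which is the pattern the mule payouts described in the paragraph above would leave in the ledger. The `Transfer` record, the 80 percent "near-threshold" band, the three-day window and the three-transfer minimum are my assumptions, and the transfers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The US currency transaction reporting threshold named in the article.
CTR_THRESHOLD = 10_000.00
# Assumption: anything at or above 80% of the threshold but below it counts as "near".
NEAR_FRACTION = 0.80
# Assumption: look for clusters within three days, at least three transfers.
WINDOW = timedelta(days=3)
MIN_HITS = 3


@dataclass(frozen=True)
class Transfer:
    """One outbound ACH or wire transfer (hypothetical record layout)."""
    when: datetime
    amount: float
    payee_id: str
    payee_is_new: bool  # payee added to the account recently (assumed flag from the bank's payee list)


def is_near_threshold(t: Transfer, threshold=CTR_THRESHOLD, near=NEAR_FRACTION) -> bool:
    """True when the amount is deliberately close to, but under, the reporting line."""
    return near * threshold <= t.amount < threshold


def find_structuring(transfers, threshold=CTR_THRESHOLD, near=NEAR_FRACTION,
                     window=WINDOW, min_hits=MIN_HITS):
    """Return clusters (lists of Transfer) of near-threshold transfers to new payees
    that fall inside `window` of the first transfer in the cluster."""
    suspects = sorted(
        (t for t in transfers if t.payee_is_new and is_near_threshold(t, threshold, near)),
        key=lambda t: t.when,
    )
    alerts = []
    i = 0
    while i < len(suspects):
        # Extend the cluster while the next suspect is still within the window of the anchor.
        j = i
        while j + 1 < len(suspects) and suspects[j + 1].when - suspects[i].when <= window:
            j += 1
        group = suspects[i:j + 1]
        if len(group) >= min_hits:
            alerts.append(group)
            i = j + 1  # consume the whole cluster
        else:
            i += 1     # slide the anchor forward by one
    return alerts


def cluster_total(group) -> float:
    """Total dollars moved by one flagged cluster, for the alert summary."""
    return round(sum(t.amount for t in group), 2)


# Constructed sample ledger: one normal payroll payment, three mule-sized payouts
# within a day, one small payment to a new payee, and one isolated near-threshold payment.
SAMPLE = [
    Transfer(datetime(2009, 10, 5, 9, 0), 45000.00, "payroll-vendor", False),
    Transfer(datetime(2009, 10, 5, 10, 12), 9850.00, "new-payee-1", True),
    Transfer(datetime(2009, 10, 5, 10, 40), 9700.00, "new-payee-2", True),
    Transfer(datetime(2009, 10, 6, 8, 5), 9900.00, "new-payee-3", True),
    Transfer(datetime(2009, 10, 6, 11, 0), 2000.00, "new-payee-4", True),
    Transfer(datetime(2009, 10, 20, 9, 0), 9950.00, "new-payee-5", True),
]

if __name__ == "__main__":
    for group in find_structuring(SAMPLE):
        ids = ", ".join(t.payee_id for t in group)
        print(f"ALERT: {len(group)} near-threshold transfers totalling ${cluster_total(group):,.2f} to {ids}")
```

The isolated payment on October 20 is not flagged on its own: a single sub-threshold transfer to a new payee is ordinary business, and the signal the article describes is the cluster of them. Tune the window and minimum to the account's normal payment cadence before alerting on real data.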
In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.
Current signature-based antivirus programs are increasingly ineffective, and companies should also consider heuristic detection, application whitelisting that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised.
Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.
"Money mule activity is essentially electronic money laundering...," the FDIC statement said.
Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.
"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."
Pamela Warren, cybercrime strategist at McAfee
(Credit: Daniel Q. McDowell)
Editor's note: This is part of a series of stories about the recession's effect on the tech industry.
Last month, McAfee cybercrime strategist Pamela Warren sat down with a senior executive at a Sydney bank to discuss the risks to the corporate network from workers using social networking.
After going over the trade-offs associated with allowing insiders to use social networks at work, his team confirmed that they would use data leak prevention technology to monitor the network traffic--balancing the desire to benefit from such new technologies while ensuring company secrets remain protected.
Warren had a similar meeting with a U.S. government agency last week to discuss strategies for dealing with public employees using Web apps at work and mobile devices, which can introduce viruses and other security problems into a corporate network. And she's been preparing for the launch early next year of McAfee's Cybercrime Response Unit, a site where consumers can go when they think they've been victimized by online scams.
She's sharpening her focus on protecting Internet users because malware attacks are up now that economic times are tough. Online scammers have been going into overdrive with phishing and other online schemes aimed at people confused about the banking consolidation or who are desperate because of a layoff or foreclosure. In fact, there are direct correlations between targeted cyberattacks on consumers and the stock market decline over the past few months.
"It's a ripe economy to take advantage of people," she said.
Consumers are being scammed in a variety of ways. People are receiving phishing e-mails asking them to provide their bank account information so as to avoid having their bank account closed in a merger. They provide their bank information and their account balance is plundered.
People also are getting e-mails and seeing ads on the Web for work-from-home "jobs" where all they have to do to become an "international sales rep" is open a bank account to receive money in and then wire the money to some international third party. In reality, the transaction is nothing more than a money-laundering move, known as a "cyber mule operation," to transfer money to another country and hide the trail in an illegal deal. Typically, the transaction is a payment for some kind of illegal activity such as the exchange of lists of credit card information or personal data that can be used for identity fraud. (McAfee published a report about the rise in cybercrime earlier this week.)
An example of a cybermule ad.
(Credit: McAfee)
People who get involved in the schemes don't always realize that they can be arrested for using their bank accounts in this manner, although most arrests so far seem to have been made outside the U.S. Money mules are much more likely to get caught than the operators of the scheme.
"If this happened five years ago, it would have been different. But today we share so much information online. We are much more comfortable with sharing personal information. We are more susceptible," Warren said. "Then you add the concept of a down economy where people need money. It's like a perfect storm brewing up."
Malware that aims to steal personal data has risen from 130,000 pieces last year to 1.3 million this year, while suspicious money mule solicitations rose 33 percent in the first half of 2008 over all of last year, according to McAfee.
"Our prediction is it is going to get worse," Warren said, echoing what experts are saying about the economy in general.
Warren's strong sense of right and wrong and her desire to protect the innocent are in her blood; her father and her younger brother are police officers.
"I was never the kind of person, like my dad or brother, that wants to walk around with a gun every day and go after that kind of criminal, so I chose the intelligence business path," she said. "The core of the entire Warren family is about helping other people. We are just driven by that."
The 43-year-old grew up in Williamsburg, Va., and studied international affairs at Florida State University before getting a master's in telecommunications from George Washington University. She's also a certified information system security professional and certified information privacy professional.
She worked in the U.S. intelligence community for about 10 years, primarily with the National Security Agency looking at threats against the U.S. "I had to understand the security of networks to help track down governments or individuals who were trying to harm the U.S." she said, declining to elaborate due to the sensitivity of the work. Before joining McAfee in January, Warren worked on security programs and consulting at Nortel Networks and security of chipsets at Intel.
Now, Warren, who spends her free time running with her dog, a Shiba Inu named Joey, in the mornings and volunteering at a marine mammal rehabilitation center in Sausalito, Calif., is helping "track the bad guys" on behalf of consumers and private companies.
The recent rise in threats aimed at financially downtrodden consumers offends her moral sensibilities. "You see the growth in identity theft and online fraud and you see what's happening to us worldwide in terms of the economic situation and it makes everything we do here more urgent," she said. "I think it's important to help people day to day around the world protect their privacy and protect themselves from loss."
Warren is adamant that people should not let the security risks associated with Internet applications keep them from taking advantage of what the technology has to offer. For instance, she relies on the Internet to keep connected with her nephew fighting in Iraq and would suffer if she were at a job where access to certain Web applications was restricted.
"Getting to see my nephew when he's in the middle of Iraq fighting in a war zone and I get snippets of his life on Facebook...it all helps motivate me on a daily basis," she said.
Next in the series: A contractor's roller-coaster ride in Redmond.
Amid the global downturn in the economy, cybercriminals appear to be winning the war against law enforcement. That's the sobering conclusion drawn by a panel of experts in a report from McAfee released Tuesday.
"We saw the cybercriminals take advantage of economic messaging very, very quickly," said Dave Marcus, director of security research and communications for McAfee Avert Labs. He said cybercriminals are cashing in on consumer anxiety, particularly around the holidays, and noted that as more and more people go online looking for better deals, criminals are preying on their inexperience in order to lure them to bogus sites and old-fashioned "get rich quick" scams.
In the last 12 months the volume of malware has risen dramatically, according to McAfee.
(Credit: McAfee)
One scam involves online job seekers responding to ads for "international sales representatives" or "shipping managers" being recruited as "cybermules" to launder the cybercriminal profits. "It's not a 'mule' in the traditional drug sense, where they're carrying drugs across the country or across a border," Marcus said, "but they are ultimately lured into what they think is like an Internet sales marketer or an Internet sales manager position." In reality they are laundering funds, putting them through additional hands, so that law enforcement has a few more obstacles in its path toward finding the thieves themselves.
Marcus recommends that online job seekers go to legitimate job-finding sites such as Monster.com rather than respond to Google ads.
Unfortunately, we're on our own, he said. As governments begin to focus on internal economic hardships, the fight against cybercrime slips further in funding and support. McAfee predicts that in the fourth quarter of 2008 cybercrime will continue to escalate in severity.
Once again, McAfee found that there is a shortage of computer specialists in law enforcement. And those who are specially trained are often hired away to high-salaried jobs at private companies. Those who remain in law enforcement are often bound to national borders, said Marcus, with international jurisdictional disputes further slowing online investigations.
The McAfee report said Russia and China remain the largest safe havens for cybercriminals, while Brazil and Moldova have become the fastest-growing countries to be most often blamed for cybercrime.
(Credit: Disney)
Teens and young adults interested in downloading High School Musical-related music and video on peer-to-peer networks should be wary of malware, warns Panda Security.
While this may be obvious to older computer users, younger users may not yet have experience with the social engineering used by malware writers, the security vendor said Friday in a press release.
Social engineering is not new, of course, and its creators are constantly trying new ways to hook people in. The day after the U.S. presidential election, for example, there was a wave of Barack Obama-related video links that attempted to download malware as well.
If a person opens a High School Musical-themed video or song on any peer-to-peer network such as eMule or eDonkey, his or her computer may be infected by VB.ADQ, the Agent.KGR Trojan, the adware Koolbar, or another strain of malicious code.
Panda recommends being cautious when downloading files. In particular, notice the file extension. Many of the malicious files have the extension ".exe," but that is rarely the case with a legitimate music or video file.
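The extension check Panda recommends can be automated at the point where a download lands on disk or a shared folder is scanned. The following is an added example written for this article, not code from Panda Security: it classifies a file name as allow, block or review, and goes a step beyond the paragraph by also catching two common ways an executable is dressed up as media, a double extension such as `song.mp3.exe` and padding spaces that push the real extension out of view. The extension lists and the three verdict labels are my own choices, and the sample file names are constructed.

```python
import os

# Extensions Windows will execute when double-clicked (selection is my assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions a music or video download should normally carry (selection is my assumption).
MEDIA_EXTS = {".mp3", ".wav", ".wma", ".avi", ".wmv", ".mp4", ".mpg", ".mkv", ".mov"}

# Unicode right-to-left override: reverses the displayed tail of a name so
# "video_exe.avi" can render from "video_" + RLO + "iva.exe". Block outright.
RLO = "\u202e"


def split_extensions(filename: str):
    """Return (outer_ext, inner_ext) in lower case, tolerating padding spaces
    inserted between a fake media extension and the real one."""
    name = filename.lower().strip()
    base, outer = os.path.splitext(name)
    _, inner = os.path.splitext(base.rstrip())
    return outer.strip(), inner.strip()


def classify_download(filename: str):
    """Classify a file offered as music or video. Returns (verdict, reason)."""
    if RLO in filename:
        return "block", "name contains a right-to-left override character"
    outer, inner = split_extensions(filename)
    if outer in EXECUTABLE_EXTS:
        if inner in MEDIA_EXTS:
            return "block", f"executable disguised with a media double extension ({inner}{outer})"
        return "block", f"executable extension {outer} on a file offered as media"
    if outer in MEDIA_EXTS:
        return "allow", f"recognised media extension {outer}"
    return "review", f"unrecognised extension {outer or '(none)'}"


def scan_names(filenames):
    """Classify a batch of names; returns {verdict: [names]} for a quick report."""
    report = {"allow": [], "block": [], "review": []}
    for name in filenames:
        verdict, _ = classify_download(name)
        report[verdict].append(name)
    return report


# Constructed sample of names as they might appear in a P2P search result.
SAMPLE_NAMES = [
    "High_School_Musical_3_soundtrack.mp3",
    "HSM3_trailer.avi.exe",
    "HSM3_song.mp3                                .exe",
    "HSM3_full_movie" + RLO + "iva.scr",
    "setup.exe",
    "HSM3_lyrics.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict, reason = classify_download(name)
        print(f"{verdict:6s} {name!r}: {reason}")
```

The check is deliberately strict about direction: a media extension never rescues a name whose final extension is executable, because that is exactly the disguise the article warns about. It is a first filter, not a verdict on the file's contents; a name that passes still deserves the usual antivirus scan.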
Several antivirus vendors reported on Monday a new round of exploitation of the vulnerability addressed in Microsoft's out-of-cycle security bulletin last month. The flaw in MS08-067, which affects how remote procedure calls (RPC) are handled in the Windows Server service, has the potential to enable a fast-spreading worm, according to Microsoft. But experts predict any exploitation will be bundled within an existing Trojan horse or botnet package, because that's where criminals can make the most money from the malware code.
Ken Dunham of iSIGHT Partners said his company was looking at three samples of interest.
One is what F-Secure is calling Rootkit.Win32.KernelBot.dg; another is what Symantec calls W32.Wecorl. A third appears to be a weak variant of Wecorl. "All appear to be more related to bots, components for building a botnet, than the Gimmiv Trojan, one of the first to exploit the vulnerability in MS08-067 and was used to steal personal information."
Dunham said these samples of malware appear to be autorooters, malicious programs that are designed to automatically scan and attack targeted computers. He stressed that what we're seeing today are not worms, but autorooters, which are still a manual process but are nonetheless a major step toward automating the code.
The way the attack works is that the criminal points his computer at a target PC. The autorooter goes out to the Internet and pulls down exploit code for vulnerabilities including MS08-067. Once the target computer is compromised, the criminal then installs "code of choice." Dunham said so far he's seen a back door version of the eMule client application installed along with a few other files. This gives the criminal anonymous access to and control of the compromised machine and makes it part of a larger botnet. So far the botnet has been used to launch denial-of-service attacks on sites mostly in China, including Google.cn.