community section (May 10, 2011, page 9)
Intruder Alert:
By Burt Tschache
The following alert was issued by the FBI on April 26, 2011. This not only affects the business community, but consumers as well, as these malware intrusions are becoming more flagrant by the day. I recently read another article that China has a very weak cyber defense, and that is why they go on the offensive so often. The fact remains that there is a war going on in cyberspace, and the only way to stop it is by having strong security in the Mac & PC world or by switching over to Linux, a highly secure operating system that seems bulletproof so far.
The Alert: Fraud Alert Involving Unauthorized Wire Transfers to China
The FBI has observed a trend in which cyber criminals — using the compromised online banking credentials of U.S. businesses — sent unauthorized wire transfers to Chinese economic and trade companies located near the Russian border.
Between March 2010 and April 2011, the FBI identified twenty incidents in which the online banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies. As of April 2011, the total attempted fraud amounts to approximately $20 million; the actual victim losses are $11 million.
In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing e-mail or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.
Victims
Like most account takeover fraud, the victims tend to be small-to-medium sized businesses and public institutions that have accounts at local community banks and credit unions, some of which use third-party service providers for online banking services.
Recipients
The intended recipients of the international wire transfers are economic and trade companies located in the Heilongjiang province in the People’s Republic of China. The companies are registered in port cities that are located near the Russia-China border. The FBI has identified multiple companies that were used for more than one unauthorized wire transfer. However, in these cases the transfers were a few days apart, and the company was not used again. Generally, the malicious actors use different companies to receive the transfers. The companies used for this fraud include the name of a Chinese port city in their official name. These cities include: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official names of the companies also include the words “economic and trade,” “trade,” and “LTD.”
The economic and trade companies appear to be registered as legitimate businesses and typically hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.
At this time, it is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds. Money transfers to companies that contain these described characteristics should be closely scrutinized.
Unauthorized Wire Transfers
The unauthorized wire transfers range from $50,000 to $985,000. In most cases, they tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000. When the transfers went through successfully, the money was immediately withdrawn from or transferred out of the recipients’ accounts.
In addition to the large wire transfers, the malicious actors also sent domestic ACH and wire transfers to money mules in the United States within minutes of conducting the overseas transfers. The domestic wire transfers range from $200 to $200,000. The intended recipients are money mules, individuals who the victim company has done business with in the past, and in one instance, a utility company located in another U.S. state. The additional ACH transfers initiated using compromised accounts range from $222,500 to $1,275,000.
Malware
The type of malware has not been determined in every case, but some of the cases involve ZeuS, Backdoor.bot, and Spybot. In addition, one victim reported that the hard drive of the compromised computer was erased remotely before the IT department could investigate.
• ZeuS — malware that has the capability to steal multifactor authentication tokens, allowing the criminal(s) to log in to victims’ bank accounts with the user name, password, and token ID. This can occur during a legitimate user log-in session.
• Backdoor.bot — malware that has worm, downloader, keylogger, and spy ability. The malware allows for the criminal(s) to access the infected computer remotely and further infect computers by downloading additional threats from a remote server.
• Spybot — an IRC backdoor Trojan which runs in the background as a service process and allows unauthorized remote access to the victim computer.
Recommendation to Financial Institutions
• Banks should notify their business customers of any suspicious wire activity going to the following Chinese cities: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning.
• Wire activity destined for the Chinese cities of Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning should be heavily scrutinized, especially for clients that have no prior transaction history with companies in the Heilongjiang province.
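The scrutiny the alert asks of financial institutions, written out as a screening rule and run over constructed transfer records. This is an added example, not code from the FBI alert or from this column, and not any bank's production logic. It encodes the recipient characteristics from the "Recipients" section (the six Heilongjiang port cities, "economic and trade"/"trade"/"LTD" in the beneficiary name, absence of prior transaction history, the $50,000 to $985,000 range) and the follow-on domestic mule payments from the "Unauthorized Wire Transfers" section. The Transfer record layout, the 15-minute reading of "within minutes", the account identifier, the company and payee names and the sample amounts are all assumptions made here for illustration.

```python
# Added example: screening rule built from the indicators in the FBI alert above.
# Record layout, the 15-minute mule window, names and amounts are constructed
# assumptions, not data from the alert or from any bank system.
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Indicators stated in the alert.
FLAGGED_CITIES = {"raohe", "fuyuan", "jixi", "xunke", "tongjiang", "dongning"}
FLAGGED_PROVINCE = "heilongjiang"
NAME_TERMS = ("economic and trade", "trade", "ltd")
INTL_MIN, INTL_MAX = 50_000, 985_000      # reported range of the international wires
MULE_WINDOW = timedelta(minutes=15)       # assumed reading of "within minutes"


@dataclass
class Transfer:
    when: datetime
    originator: str      # customer account the transfer is drawn on
    kind: str            # "wire" or "ach"
    amount: float
    beneficiary: str     # beneficiary name as written on the instruction
    country: str         # ISO 3166 alpha-2 code
    city: str = ""
    province: str = ""


def norm_city(city: str) -> str:
    """'Jixi City' -> 'jixi' so the alert's spelling and a bare city name both match."""
    return re.sub(r"\s+city$", "", city.strip().lower())


def name_matches(beneficiary: str) -> bool:
    """True if the name carries a flagged port city and one of the corporate terms."""
    name = beneficiary.lower()
    has_city = any(re.search(rf"\b{re.escape(c)}\b", name) for c in FLAGGED_CITIES)
    has_term = any(re.search(rf"\b{re.escape(t)}\b", name) for t in NAME_TERMS)
    return has_city and has_term


def screen(transfers, prior_counterparties):
    """Return (transfer, reasons) for each transfer to hold for manual review.

    prior_counterparties maps originator -> set of beneficiary names with history.
    Records are walked in time order so a flagged overseas wire can taint the
    domestic payouts that follow it from the same account.
    """
    hits = []
    flagged_intl = []
    for t in sorted(transfers, key=lambda x: x.when):
        reasons = []
        known = t.beneficiary in prior_counterparties.get(t.originator, set())
        if t.kind == "wire" and t.country.upper() == "CN":
            if norm_city(t.city) in FLAGGED_CITIES or t.province.lower() == FLAGGED_PROVINCE:
                reasons.append("destination city/province named in the alert")
            if name_matches(t.beneficiary):
                reasons.append("beneficiary name: port city plus 'trade'/'LTD'")
            if reasons:
                if not known:
                    reasons.append("no prior transaction history with beneficiary")
                if INTL_MIN <= t.amount <= INTL_MAX:
                    reasons.append(f"amount ${t.amount:,.0f} inside reported range")
                flagged_intl.append(t)
        else:
            # Domestic wire/ACH minutes after a flagged overseas wire from the same
            # account is the mule-payout pattern the alert describes. History with
            # the payee does not clear it: the alert lists past counterparties
            # among the recipients, so it only drops one reason.
            for f in flagged_intl:
                delta = t.when - f.when
                if f.originator == t.originator and timedelta(0) <= delta <= MULE_WINDOW:
                    mins = int(delta.total_seconds() // 60)
                    reasons.append(f"domestic {t.kind} {mins} min after flagged wire")
                    if not known:
                        reasons.append("no prior transaction history with payee")
                    break
        if reasons:
            hits.append((t, reasons))
    return hits


def sample_transfers():
    """Constructed activity for one customer account; not real data."""
    t0 = datetime(2011, 3, 15, 9, 30)
    return [
        Transfer(t0 - timedelta(days=2), "acct-1001", "wire", 42_000,
                 "Acme Widgets GmbH", "DE", "Hamburg"),
        Transfer(t0, "acct-1001", "wire", 412_000,
                 "Raohe Hengtong Economic and Trade Co., LTD", "CN", "Raohe", "Heilongjiang"),
        Transfer(t0 + timedelta(minutes=6), "acct-1001", "ach", 7_500, "J. Doe", "US"),
        Transfer(t0 + timedelta(minutes=8), "acct-1001", "wire", 18_000,
                 "Pacific Paper Supply", "US"),
        Transfer(t0 + timedelta(hours=3), "acct-1001", "wire", 120_000,
                 "Shanghai Precision Tooling Co., Ltd", "CN", "Shanghai", "Shanghai"),
    ]


PRIOR = {"acct-1001": {"Acme Widgets GmbH", "Pacific Paper Supply",
                       "Shanghai Precision Tooling Co., Ltd"}}


def demo():
    """Run the rule over the constructed sample and return the holds."""
    return screen(sample_transfers(), PRIOR)


if __name__ == "__main__":
    for t, reasons in demo():
        print(f"HOLD {t.kind} ${t.amount:,.0f} -> {t.beneficiary}: {'; '.join(reasons)}")
```

On the sample, the $412,000 wire to the Raohe company is held on all four indicators, the $7,500 ACH to a new payee six minutes later and the $18,000 wire to an established supplier eight minutes later are held as possible mule payouts, and the earlier German wire and the later Shanghai wire pass. A real deployment would key the "known counterparty" check on account numbers rather than names, and would treat a hold as a trigger for a callback to the customer on a known number, since the compromised workstation is exactly what the malware controls.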
For recommendations on how businesses can protect, detect, and respond to corporate account takeovers such as this, please refer to the “Fraud Advisory for Businesses: Corporate Account Take Over” available at http://www.fsisac.com/files/public/db/p265.pdf.
Incident Reporting
The FBI encourages victims of cyber crime to contact their local FBI field office, http://www.fbi.gov/contact/fo/fo.htm, or file a complaint online at www.IC3.gov.
Be Safe Out There . . .
Burt Tschache is the owner of B&B Computing in Vernonia. He can be reached at bnb998@msn.com or 503-429-0817.
“Joy for Jaden” Talent Show Raises $587
The Talent Show on April 23, hosted by the VHS Leadership Class, raised $587 for their “Joy for Jaden” campaign. Overall the campaign has raised close to $3,000, and the class is well over their goal of raising $1,500 to send Jaden Kreiger and his whole family to Great Wolf Lodge with all expenses paid.
Jaden is a nine year old boy from Banks who is battling brain cancer. The campaign has included the sale of bracelets, a Spaghetti Feed and the Talent Show.
Left: Quin Johansen, Dylan Taylor, Jesse Edgar and Mackenzie Brown performed as “Mac and Cheese.”
Right: Jaden Kreiger with VHS Leadership student Crystal Ann Carreon.
We saddle shoe. Do you?
Muffy’s
950 Bridge Street
Vernonia, OR 97064
503.429.5050 or 866.524.5050
www.muffys.com
World Headquarters Vernonia, Oregon
Treat other people how
you want to be treated.
Easier said than done.
Lee Anne Krause
www.funfancyfood.com
503-816-9810
WELLER & SON’S
STEVE
HM: 503-429-3400
CELL: 503-313-9006
SELF LOADER
LONG LOGGER
CUSTOM LOGGING
DENNIS
HM: 503-429-2810
CELL: 503-313-9044
1264 G ST.
VERNONIA, OR 97064
O.P.L. CERTIFIED
O.P.L.H. CERTIFIED
ROAD BUILDING
LAND CLEARING
EXCAVATION
Grey Dawn Gallery
879 Bridge St. (503) 429-2787
Photography - Bronze
Jewelry - Glasswork
Pottery - Custom Framing
www.greydawngallery.com
Featuring the finest in northwest art