Posts Tagged: QR code

Sep 16

‘Money Mule’ Gangs Turn to Bitcoin ATMs

Fraudsters who hack corporate bank accounts typically launder stolen funds by making deposits from the hacked company into accounts owned by “money mules,” willing or unwitting dupes recruited through work-at-home job scams. The mules usually are then asked to withdraw the funds in cash and wire the money to the scammers. Increasingly, however, the mules are being instructed to remit the stolen money via Bitcoin ATMs.

I recently heard from a reader in Canada who said she’d recently accepted a job as a customer service officer for a company called LunarBay. This company claims to be a software development firm, and told this reader they needed to hire people to help process payments for LunarBay’s clients.

LunarBay’s Web site — Lunarbay[dot]biz — claims the company has been in business for several years, and even references a legitimate business by the same name in the United Kingdom. But the domain name was registered only in late August 2016, and appears to have lifted all of its content from a legitimate Australian digital marketing firm called Bonfire.

The Canadian reader who contacted KrebsOnSecurity about this scam was offered $870 per week and a five percent commission on every transaction she handled. After providing her bank account information to get paid, she became suspicious when she received instructions on how to forward funds on the LunarBay.

The scammers told her to withdraw the money from her account by going into the bank itself — not from the ATM (mainly due to daily withdrawal limits at the ATM). They also sent her a QR code (pictured below) that she was instructed to save as an image on her smartphone. The crooks then proceeded to tell her the location of the nearest Bitcoin ATM:

a) The nearest Bitcoin ATM is located at: 6364 Rue Pascal, Montréal-Nord, QC H1G 1T6, Canada (Bitcoin ATM is located at Dépanneur Pascal 2003 convenience shop in Montreal).

b) You can find the instructions of how to make payment using Bitcoin ATM in this video

c) Please find the image attached to this message. This is a QR code – an unique identification number for a transaction. I ask you to save this image to your smartphone beforehand.

4. The payment must be processed within 3 hours. The Bitcoin rate is constantly changing in relation to CAD, USD and other currencies. That’s why the payment must be made during this time interval.

As the above Youtube video demonstrates, sending funds merely requires the user to scan a QR code shared by the intended recipient, and then insert cash into the Bitcoin ATM. Because Bitcoin is a non-refundable form of payment, once the money is sent the transaction cannot be reversed. Continue reading →

Aug 13

A Closer Look: Perkele Android Malware Kit

In March 2013 I wrote about Perkele, a crimeware kit designed to create malware for Android phones that can help defeat multi-factor authentication used by many banks. In this post, we’ll take a closer look at this threat, examining the malware as it is presented to the would-be victim as well as several back-end networks set up by cybercrooks who have been using mobile bots to fleece banks and their customers.

Perkele disguises itself as an various Android security applications and certiifcates.

Perkele disguises itself as various Android security applications and certificates.

Perkele is sold for $1,000, and it’s made to interact with a wide variety of malware already resident on a victim’s PC. When a victim visits his bank’s Web site, the Trojan (be it Zeus or Citadel or whatever) injects malicious code into the victim’s browser, prompting the user to enter his mobile information, including phone number and OS type.

That information is relayed back to the attacker’s control server, which injects more code into the victim’s browser prompting him to scan a QR code with his mobile device to install an additional security mechanism.

Once the victim scans the QR code, the Perkele malware is downloaded and installed, allowing the attackers to intercept incoming SMS messages sent to that phone. At that point, the malware on the victim’s PC automatically initiates a financial transaction from the victim’s account.

When the bank sends an SMS with a one-time code, Perkele intercepts that code and sends it to the attacker’s control server. Then the malicious script on the victim’s PC receives the code and completes the unauthorized transaction.

Web site security firm Versafe located a server that was being used to host malicious scripts tied to at least one Perkele operation. The company produced this report (PDF), which delves a bit deeper into the behavior and network activity generated by the crimeware kit.

Versafe’s report includes several screenshots of the Perkele application as offered to would-be victims. The malware is presented as a security certificate; it’s named “zertificate” because the victim in this case banked at a German financial institution.

Perkele disguised as a security certificate for a German bank. Source: Versafe.

Perkele disguised as a security certificate for a German bank. Source: Versafe.

A few weeks ago, I encountered the back end system for what appears to be a Perkele distribution, or perhaps some other mobile malware bot; I should note that disguising an Android banking Trojan as a security certificate is not a ruse that’s limited to Perkele: The Pincert SMS malware also employs this trick, according to F-Secure.

Anyhow, I scarcely had time to examine this particular mobile bot control panel before it was either taken down by German authorities or was moved elsewhere by the fraudsters. But it, too, was intercepting one-time codes from German banking victims using an Android malware component similarly disguised as a “zertificate.”

This Android SMS bot control panel targeted German bank customers.

This Android SMS bot control panel targeted German bank customers.

Apparently, it was fairly successful, stealing one-time codes from online banking customers of several German financial institutions, including Postbank and Comdirect.

Dozens of German banking customers were victimized by this Android bot control panel.

Dozens of German banking customers were victimized by this Android bot control panel.

In the screen grab below, we can see the main administrative page of this panel, which controls which banks should be targeted and from where the fraudulent text messages should be sent.

Continue reading →