Posts Tagged: U.S. Treasury Department


16
Dec 19

Inside ‘Evil Corp,’ a $100M Cybercrime Menace

The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.

Image: FBI

The $5 million reward is being offered for 32 year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex“) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United States and Europe.

From 2009 to the present, Aqua’s primary role in the conspiracy was recruiting and managing a continuous supply of unwitting or complicit accomplices to help Evil Corp. launder money stolen from their victims and transfer funds to members of the conspiracy based in Russia, Ukraine and other parts of Eastern Europe. These accomplices, known as “money mules,” are typically recruited via work-at-home job solicitations sent out by email and to people who have submitted their resumes to job search Web sites.

Money mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. People who bite on these offers sometimes receive small commissions for each successful transfer, but just as often end up getting stiffed out of a promised payday, and/or receiving a visit or threatening letter from law enforcement agencies that track such crime (more on that in a moment).

HITCHED TO A MULE

KrebsOnSecurity first encountered Aqua’s work in 2008 as a reporter for The Washington Post. A source said they’d stumbled upon a way to intercept and read the daily online chats between Aqua and several other mule recruiters and malware purveyors who were stealing hundreds of thousands of dollars weekly from hacked businesses.

The source also discovered a pattern in the naming convention and appearance of several money mule recruitment Web sites being operated by Aqua. People who responded to recruitment messages were invited to create an account at one of these sites, enter personal and bank account data (mules were told they would be processing payments for their employer’s “programmers” based in Eastern Europe) and then log in each day to check for new messages.

Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.

One of several sites set up by Aqua and others to recruit and manage money mules.

When it came time to transfer stolen funds, the recruiters would send a message through the mule site saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”

Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.

Here’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites.

So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

Messages to and from a money mule working for Aqua’s crew, circa May 2011.

In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations. Needless to say, the victims that spun their wheels chasing after me usually suffered far more substantial financial losses (mainly because they delayed calling their financial institution until it was too late).

Collectively, these notifications to Evil Corp.’s victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I don’t believe I ever wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies. Continue reading →


5
Dec 14

Treasury Dept: Tor a Big Source of Bank Fraud

A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online.

The findings come in a non-public report obtained by KrebsOnSecurity that was produced by the Financial Crimes Enforcement Network (FinCEN), a Treasury Department bureau responsible for collecting and analyzing data about financial transactions to combat domestic and international money laundering, terrorist financing and other financial crimes.

In the report, released on Dec. 2, 2014, FinCEN said it examined some 6,048 suspicious activity reports (SARs) filed by banks between August 2001 and July 2014, searching the reports for those involving one of more than 6,000 known Tor network nodes. Investigators found 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.

“Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor related filings were rapidly rising,” the report concluded. “Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet [link added] found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses.”

Tables from the FinCEN report.

Tables from the FinCEN report.

FinCEN said it was clear from the SAR filings that most financial institutions were unaware that the IP address where the suspected fraudulent activity occurred was in fact a Tor node.

“Our analysis of the type of suspicious activity indicates that a majority of the SARs were filed for account takeover or identity theft,” the report noted. “In addition, analysis of the SARs filed with the designation ‘Other revealed that most were filed for ‘Account Takeover,’ and at least five additional SARs were filed incorrectly and should have been ‘Account Takeover.'”

The government also notes that there has been a fairly recent and rapid rise in the number of SAR filings over the last year involving bank fraud tied to Tor nodes.

“From October 2007 to March 2013, filings increased by 50 percent,” the report observed. “During the most recent period — March 1, 2013 to July 11, 2014 — filings rose 100 percent.” Continue reading →


20
Aug 14

Counterfeit U.S. Cash Floods Crime Forums

One can find almost anything for sale online, particularly in some of the darker corners of the Web and on the myriad cybercrime forums. These sites sell everything from stolen credit cards and identities to hot merchandise, but until very recently one illicit good I had never seen for sale on the forums was counterfeit U.S. currency.

Counterfeit Series 1996 $100 bill.

Counterfeit Series 1996 $100 bill.

That changed in the past month with the appearance on several top crime boards of a new fraudster who goes by the hacker alias “MrMouse.” This individual sells counterfeit $20s, $50s and $100s, and claims that his funny money will pass most of the tests that merchants use to tell bogus bills from the real thing.

MrMouse markets his fake funds as “Disney Dollars,” and in addition to blanketing some of the top crime forums with Flash-based ads for his service he has boldly paid for a Reddit stickied post  in the official Disney Market Place.

Judging from images of his bogus bills, the fake $100 is a copy of the Series 1996 version of the note — not the most recent $100 design released by the U.S. Treasury Department in October 2013. Customers who’ve purchased his goods say the $20 notes feel a bit waxy, but that the $50s and $100s are quite good fakes.

MrMouse says his single-ply bills do not have magnetic ink, and so they won’t pass machines designed to look for the presence of this feature. However, this fraudster claims his $100 bill includes most of the other security features that store clerks and cashiers will look for to detect funny money, including the watermark, the pen test, and the security strip.

MrMouse's ads for counterfeit $20s, $50s and $100s now blanket many crime forums.

MrMouse’s ads for counterfeit $20s, $50s and $100s now blanket many crime forums.

In addition, MrMouse says his notes include “microprinting,” tiny lettering that can only be seen under magnification (“USA 100” is repeated within the number 100 in the lower left corner, and “The United States of America” appears as a line in the left lapel of Franklin’s coat). The sourdough vendor also claims his hundreds sport “color-shifting ink,” an advanced feature that gives the money an appearance of changing color when held at different angles.

I checked with the U.S. Secret Service and with counterfeiting experts, none of whom had previously seen serious counterfeit currency marketed and sold on Internet crime forums.

“That’s a first for me, but I guess they can sell anything online these days,” said Jason Kersten, author of The Art of Making Money: The Story of a Master Counterfeiter, a true crime story about a counterfeiter who made millions before his capture by the Secret Service.

Kersten said that outside of so-called “supernote” counterfeits made by criminals within North Korea, it is rare to find vendors advertising features that MrMouse is claiming on his C-notes, including Intaglio (pronounced “in-tal-ee-oh”) and offset printing. Both features help give U.S. currency a certain tactile feel, and it is rare to find that level of quality in fake bills, he said.

Continue reading →


30
May 13

Underweb Payments, Post-Liberty Reserve

Following the U.S. government’s seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward?

As I mentioned in an appearance today on NPR’s show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve — and of eGold, eBullion, StormPay and a host of other virtual currencies before it — is the death knell of centrally-managed e-currencies. Just as the entertainment industry’s crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the U.S. government’s action against centrally-managed digital currencies herald the ascendancy of P2P currencies — particularly Bitcoin.

Fluctuation in BTC values. Source: Bitcoincharts.com

Fluctuation in BTC values. Source: Bitcoincharts.com

This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce.

For one thing, Bitcoin’s conversion rate fluctuates far too wildly for communities accustomed to virtual currencies that are tied to the US Dollar: In both Liberty Reserve and WebMoney — a digital currency founded in Russia — one LR or WMZ (the “Z” designation is added to all purses kept in US currency) has always equaled $1 USD.

The following hypothetical scenario, outlined by one member of an exclusive crime forum, illustrates how Bitcoin’s price volatility could turn an otherwise simple transaction into an ugly mess for both parties.

“Say I pay you $1k today for a project, and its late, and you decide to withdraw tomorrow. You wake up and the $1k I just sent you in Bitcoins is now worth just $600. It’s not yet stable to be used in such a way.”

Another forum member agreed: “BTC on large scale or saving big amounts is a mess because the price changes. Maybe it’s only good cashing out,” noting WebMoney now allows users to convert Bitcoins into a new unit called WMX.

Others compared Bitcoin to a fashionable high-yield investment program (HYIP), a Ponzi-scheme investment scam that promises unsustainably high return on investment by paying previous investors with the money invested by new investors.  As the U.S. government’s complaint alleges, dozens of HYIP schemes had a significant amount of funds wrapped up in Liberty Reserve.

“Bitcoin is a trendy HYIP. There are far more stable and attractive currencies to invest in, if you are willing to take the risk,” wrote “Off-Sho.re,” a bulletproof hosting provider I profiled in an interview earlier this month. “In the legit ‘real products’ area, which I represent, a very small niche of businesses are willing to accept this form of payment. I understand the drug dealers on Tor sites, since this is pretty much the only thing they can receive without concerns about their identities, but if you sell anything illegal, WMZ should be the choice.”

What’s more, MtGox — Bitcoin’s biggest exchanger and the primary method that users get money into and out of the P2P currency — today posted a note saying that it will now be requiring ID verification from anyone who wants to deposit money with it in order to buy Bitcoins.

A logo from perfectmoney.com

A logo from perfectmoney.com

Perhaps the closest competitor to Liberty Reserve and WebMoney — a Panamanian e-currency known as Perfect Money (or just “PM” to many) — appears to have been busy over the past few days seizing and closing accounts of some of its more active users, according to the dozens of complaints I saw on several different crime forums. Perfect Money also announced on Saturday, May 25 that it would no longer accept new account registrations from U.S. citizens or companies.

For now, it seems the primary beneficiary of the Liberty Reserve takedown will be WebMoney. This virtual currency also has barred U.S. citizens from creating new accounts (it did so in March 2013, in apparent response to the U.S. Treasury Department’s new regulations on virtual currencies.) Still, WebMoney has been around for so long — and its logo is about as ubiquitous on Underweb stores as the Visa and MasterCard logos are at legitimate Web storefronts — that most miscreants and n’er-do-wells in the underground already have accounts there.

But not everyone in the underground who got burned by Liberty Reserve is ready to place his trust in yet another virtual currency. The curmudgeon-in-chief on this point is a hacker nicknamed “Ninja,” the administrator of Carder.pro — a crime forum with thousands of active members from around the world. Ninja was among the most vocal and prominent doubters that Liberty Reserve had been seized, even after the company’s homepage featured seizure warnings from a trio of U.S. federal law enforcement agencies. Ninja so adamantly believed this that, prior to the official press announcements from the U.S. Justice Department on Tuesday, he offered a standing bet of $1,000 to any takers on the forum that Liberty Reserve would return. Only two forum members took him up on the wager.

Now, Ninja says, he’s ready to pay up, but he’s not interested in buying into yet another virtual currency. Instead, he says he’s planning to create a new “carding payment system,” one that will serve forum members and be housed at Internet servers in North Korea, or perhaps Iran (really, any country that has declared the United States a sworn enemy would do).

ninjapost

Continue reading →


28
May 13

U.S. Government Seizes LibertyReserve.com

Indictment, arrest of virtual currency founder targets alleged “financial hub of the cybercrime world.”

U.S. federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online, virtual currency that the U.S. government alleges acted as “a financial hub of the cyber-crime world” and processed more more than $6 billion in criminal proceeds over the past seven years.

After being unreachable for four days, Libertyreserve.com's homepage now includes this seizure notice.

After being unreachable for four days, Libertyreserve.com now includes this seizure notice.

The news comes four days after libertyreserve.com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company’s founder Arthur Budovsky, 39-year-old Ukrainian native who moved to Costa Rica to start the business.

According to an indictment (PDF) filed in the U.S. District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as “a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.”

The U.S. government alleges that Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion. “Overall, from 2006 to May 2013, Liberty Reserve processed an estimated 55 million separate financial transactions and is believed to have laundered more than $6  billion in criminal proceeds,” the government’s indictment reads. Liberty Reserve “deliberately attracted and maintained a customer base of criminals by making financial activity on Liberty Reserve anonymous and untraceable.”

Despite the government’s claims, certainly not everyone using Liberty Reserve was involved in shady or criminal activity. As noted by the BBC, many users — principally those outside the United States — simply viewed the currency as cheaper, more secure and private alternative to PayPal. The company charged a one percent fee for each transaction, plus a 75 cent “privacy fee” according to court documents.

“It had allowed users to open accounts and transfer money, only requiring them to provide a name, date of birth and an email address,”  BBC wrote. “Cash could be put into the service using a credit card, bank wire, postal money order or other money transfer service. It was then “converted” into one of the firm’s own currencies – mirroring either the Euro or US dollar – at which point it could be transferred to another account holder who could then extract the funds.”

But according to the Justice Department, one of the ways that Liberty Reserve enabled the use of its services for criminal activity was by offering a shopping cart interface that merchant Web sites could use to accept Liberty Reserve as a form of payment (I’ve written numerous stories about many such services).

“The ‘merchants’ who accepted LR currency were overwhelmingly criminal in nature,” the government’s indictment alleges. “They included, for example, traffickers of stolen credit card data and personal identity information; peddlers of various types of online Ponzi and get-rich-quick schemes; computer hackers for hire; unregulated gambling enterprises; and underground drug-dealing websites.”

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

It remains unclear how much money is still tied up in Liberty Reserve, and whether existing customers will be afforded access to their funds. At a press conference today on the indictments, representatives from the Justice Department said the Liberty Reserve accounts are frozen. In a press release, the agency didn’t exactly address this question, saying: “If you believe you were a victim of a crime and were defrauded of funds through the use of Liberty Reserve, and you wish to provide information to law enforcement and/or receive notice of future developments in the case or additional information, please contact (888) 238- 0696 or (212) 637-1583.”

Continue reading →


8
May 13

Trade Sanctions Cited in Hundreds of Syrian Domain Seizures

In apparent observation of international trade sanctions against Syria, a U.S. firm that ranks as the world’s fourth-largest domain name registrar has seized hundreds of domains belonging to various Syrian entities, including a prominent Syrian hacker group and sites associated with the regime of Syrian President Bashar al-Assad.

The Syrian Electron Army complains about its domain seizures. Source: HP

The Syrian Electron Army complains about its domain seizures, saying Network Solutions cited trade sanctions against Syria. Source: HP

Network Solutions LLC. and its parent firm — Jacksonville, Fla. based Web.com — have assumed control over more than 700 domains that were being used mostly for sites hosted in Damascus. The seizures all occurred within a three- to four-day period in mid-April.

The apparently coordinated action ended with each of the site’s registration records being changed to include Web.com’s Florida address, as well as the notation “OFAC Holding.”

OFAC is short for the Office of Foreign Assets Control, an office of the U.S. Treasury Department‘s  Under Secretary of the Treasury for Terrorism and Financial Intelligence. OFAC administers and enforces U.S. economic trade sanctions against targeted foreign countries, including Syria.

Web.com declined to say whether it had coordinated the seizures or why it may have done so. “We do not comment publicly about specific accounts so we cannot provide details about the websites or domains mentioned in your inquiry,” the company said in an emailed statement.  “However, you should know that we cooperate with law enforcement and regulators in order to prevent illegal activity online and take the necessary steps to be in compliance with applicable laws and regulations.”

Under a series of executive orders, U.S. businesses are prohibited from selling goods and services into Syria. While there are a number of exceptions — referred to as “general licenses” in OFAC-speak — domain hosting and registration services are not among them. Although the general licenses permit services that are designed for personal communications, the provision of Web hosting and domain name registration is specifically called out in Treasury regulations (PDF) as not authorized under general licenses.

A spokesman for the Treasury Department said OFAC had not contacted either Web.com or Network Solutions regarding these Web sites.

“OFAC has offered a general license authorizing the  export of certain services for the exchange of personal communications over the Internet, such as instant messaging, chat and email, so that these sanctions don’t have the inadvertent effect of cutting the Syrian people off from the rest of the world,” said John Sullivan, spokesman for the Treasury Department’s Terrorism and Financial Intelligence division. “But the [general license] that allows for that does not authorize the exportation of Web hosting or registration services, so those could be subject to enforcement actions under our Syrian sanctions program.”

The domain seizures came to my attention after reading a report produced last month by HP‘s security and research team, which noted that individuals associated with a pro-Assad hacker group known as Syrian Electronic Army were complaining that NetworkSolutions had seized their domains, including syrian-es.comsyrian-es.net and syrian-es.org.

A reverse WHOIS report ordered from domaintools.com produced this list (PDF) of some 708 Syrian domains recently shuttered and assigned an “OFAC” designation by Web.com. According to historic Web hosting records also maintained by domaintools.com, the vast majority of the 700+ domains were hosted at Internet addresses assigned to the Syrian Computer Society (SCS). Interestingly, prior to assuming the presidency, Syria’s Assad was president of the SCS, a group now widely believed to have been a precursor to the Syrian Electronic Army.

Continue reading →