‘Juice jacking’ plus music gift cards
Read Time: 6 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
The cybercrime plague continues to rob victims of their identities and hard-earned resources and frustrate security experts and law enforcement officials worldwide. However, occasionally, the good guys gain the upper hand and win a major battle. The FBI announced on Oct. 1, 2010, that it disrupted a large-scale, international, organized cyber-crime operation, served numerous search warrants and made scores of arrests.
“Operation Trident Beach” began in 2009 in Omaha, Neb., but continued in the United Kingdom, the Netherlands and the Ukraine. According to the FBI, its agents in Omaha “were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts throughout the United States.” This prompted them to join forces with their international partners to investigate and dismantle the fraudulent operation.
“There are over 390 pending and closed victim cases attributed to this criminal network in field offices throughout the U.S.,” said Gordon Snow, assistant director of the FBI’s Cyber Division.
The FBI’s partners included its New York Money Mule Working Group, the Newark Cyber Crime Task Force, the Omaha Cyber Crime Task Force, the Netherlands Police Agency, the Security Service of the Ukraine and the United Kingdom’s Metropolitan Police Service.
According to the FBI, the cyber thieves targeted small- to medium-sized businesses, municipalities, churches and individuals to infect their computers with a version of the ZeuS Botnet via phishing e-mails to ultimately steal US$70 million from victims’ bank accounts throughout the world.
The fraudsters singled out small- to medium-sized organizations because their personnel are relatively unsophisticated in detecting and preventing this type of scheme. When selected employees of these targeted organizations open phishing e-mails and then click on contaminated links or download attachments, the malware becomes embedded in their computers. The fraudsters can now record keystrokes and capture passwords, account numbers and other data as the victims log into bank accounts online.
The fraudsters then transfer money from the victims’ bank accounts into their surreptitious accounts. Banks generally have to repay individuals for their losses and organizations if they can prove the banks were at fault. Sometimes businesses sue banks to try to affix blame and recover their losses.
According to the article “Millions Netted in Global Bank Hack,” by Chad Bray and Cassell Bryan-Low, in the Oct. 1, 2010, issue of The Wall Street Journal, 19 people were arrested in London as part of Operation Trident Beach for allegedly stealing at least $9.5 million from U.K. bank accounts via cyber-crime schemes. Those arrested included men and women from Ukraine, Latvia, Estonia, Belarus and Georgia.
The U.S. Department of Justice (DOJ) reported on Sept. 30, 2010, that the Manhattan U.S. attorney charged 37 defendants in 21 separate cases for their roles in the global cyber-banking fraud scheme. Twenty of the defendants have been arrested so far and the others are on the run in the United States and abroad. Those charged included “managers of and recruiters for the mule organization, an individual who obtained the false foreign passports for the mules, and the mules,” according to the DOJ. The authorities anticipate that additional mules and gang leaders will be charged and arrested in this ongoing investigation.
Each of the defendants, on average, faces three separate charges that include conspiracy to commit bank fraud, bank fraud, conspiracy to possess false identification documents, transfer of false identification documents, production of false identification documents, false use of a passport, conspiracy to commit money laundering, money laundering, conspiracy to commit wire fraud and possession of false immigration documents. The maximum penalties for each of these charges range from 10 to 30 years in prison and fines from $250,000 to $1 million or twice the gross gain or loss, plus restitution.
In the July/August 2010 column, I explained how the spear-phishing e-mail scam works and provided prevention recommendations. A new FBI graphic (see below) explains how the ZeuS phishing scam worked in the cyber-theft ring busted during Operation Trident Beach.
Step one: Malware coder [in the Ukraine] writes malicious software to exploit a computer vulnerability and installs a Trojan. Reporter Evan Perez in his Oct. 2, 2010, article, “Hackers Siphoned $70 Million,” in The Wall Street Journal wrote that cyber-crime experts told him that since emerging in 2007, the ZeuS software or “malware,” has become “the weapon of choice for most cyber bank robbers.”
Perez wrote that the software, which has been updated multiple times, is sold on the black market to criminals. According to information provided by Don Jackson of SecureWorks, Perez reported that “the ZeuS malware’s staying power could largely be attributed to its business model. Its Russian author, known in the underground by his online handle A-Z, has developed a corporate operation complete with licensing agreements and tech support that have made it easy to use for aspiring cyber bank robbers.” This reinforces the point made by others that these criminals have created organizations that are as sophisticated as many Fortune 500 corporations.
According to an Oct. 30, 2010, Reuters article, “ZeuS to Rest in Peace; Experts Still Wary,” the programmer “who wrote ZeuS – malicious software used to steal an estimated $100 million so far this year from U.S. towns, companies and individuals – says he is retiring. But security experts believe there is a good chance he will soon emerge with even more powerful ways to steal, a pattern of behavior seen after previous retirements in 2007 and 2008.”
According to the article, the programmer of ZeuS who lives in Russia “rather than doing the stealing himself, used a middleman to sell the spyware software to criminal gangs,” said Dmitri Alperovitch, a vice president at security software company McAfee Inc. “A basic version would run as low as $1,000 but could be customized for an extra fee. He would also offer 24/7 support. ... We have seen banks in almost every major country targeted by these [ZeuS] tool kits,” said Alperovitch.
Step two: Victim infected with credential stealing malware. In this spear-phishing scheme, the fraudster narrowly directs a genuine-looking e-mail to an individual within a targeted company to convince the recipient that it’s coming from someone of authority within the company who’s asking for personal information such as usernames and passwords.
According to a Nov. 9, 2009, Intelligence Note on the Internet Crime Complaint Center (IC3) website, businesses often post staff contact information and/or organization charts on their websites, which “provides the perpetrators with information on who handles the financial transactions for that business or agency.”
If the victim is persuaded and provides the requested confidential information, clicks on an infected attachment, or visits a contaminated website, malware is installed on his computer.
Step three: Banking credentials siphoned. The fraudster uses a key logger contained within the ZeuS banking Trojan to steal the company’s bank account login information, which is then sent to a compromised collection server.
Step four: Hacker retrieves banking credentials [from the compromised collection server]. At this point, the fraudster is ready to begin the process of withdrawing funds from the victim’s bank account.
Step five: Hacker has remote access to compromised computer. The fraudster is thousands of miles away from the victim company and enjoys the facelessness of the situation. He has been successful in invading the victim company’s computer and can now plot to complete the transfer of funds out of its bank account.
Step six: Hacker logs into victim’s online bank account. The fraudster is probably drooling because he knows he’s about to become even wealthier.
Step seven: Money transferred to mule. What’s a mule? It depends on the context. For example, in the narcotics business a mule is an individual paid to physically transport drugs. In the cyber-banking business, this individual normally is a money mule who wires the stolen money from bank to bank.
Fraudsters recruit money mules in various ways, including work-at-home schemes. In The Wall Street Journal article by Bray and Bryan-Low, they write that this cyber gang recruited many of their money mules via ads in a Russian-language newspaper or a Russian social-networking site. The money mules who were charged, including those arrested, were from Russia, Moldova, Ukraine, Kazakhstan and Belarus.
The money mule organization was an integral part of the cyber gang. According to the DOJ, it “recruited individuals who had entered the United States on student visas, providing them with fake foreign passports.”
After the money mule is hired, he’s instructed to set up a bank account in his name – sometimes at the victim’s bank. The fraudster then uses the victim’s personal information to transfer money out of the victim’s bank account into the bank account of the money mule.
Money mules are the middlemen between the victims’ and fraudsters’ bank accounts and might or might not understand they’re involved in the scam. Nevertheless, they take most of the risk and are subject to criminal penalties if caught. Until caught, the real criminals typically walk away with all the loot.
Step eight: Money transferred from mule to organizers. According to the DOJ, after the mule received the victim’s money in his account, he was “instructed to transfer the proceeds [after withholding a ‘commission’] to other [fraudster’s] accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.”
Typically the fraudster instructs the money mule to wire the money to the fraudster’s bank account after withholding a portion as a commission. According to Bray and Bryan-Low, the indictment alleged that money was typically withdrawn in amounts of about $10,000, and the mules often kept 8 percent to 10 percent. The money mules’ good income motivated them to help the fraudsters continue the scam.
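As an added illustration that is not part of the column, the Python sketch below codes up, from the bank’s side, the two patterns the column cites: an ACH batch that fans out to payees the originator has never paid before (the kind of activity that alerted the FBI in Omaha), and a mule account that forwards an incoming credit minus an 8 to 10 percent “commission.” All batch ids, account names and amounts are constructed sample data.

```python
from collections import defaultdict

# Constructed ACH batch entries: (batch_id, originator, beneficiary account, USD).
# B1 pays four never-before-seen accounts roughly $10,000 each; B2 is routine
# payroll with one unfamiliar payee thrown in. None of these are real accounts.
ACH_BATCH = [
    ("B1", "acme-payroll", "new-acct-001", 9800.00),
    ("B1", "acme-payroll", "new-acct-002", 9950.00),
    ("B1", "acme-payroll", "new-acct-003", 9700.00),
    ("B1", "acme-payroll", "new-acct-004", 9900.00),
    ("B2", "acme-payroll", "emp-001", 2100.00),
    ("B2", "acme-payroll", "emp-002", 2300.00),
    ("B2", "acme-payroll", "new-acct-005", 2400.00),
]
# Beneficiaries each originator has paid in earlier cycles (constructed history).
KNOWN_PAYEES = {"acme-payroll": {"emp-001", "emp-002"}}


def flag_fan_out_batches(entries, known, max_new=2, typical=10000.0, band=0.05):
    """Return {batch_id: [new beneficiaries]} for batches that either pay more
    than `max_new` previously unseen accounts, or pay any unseen account an
    amount within `band` of the ~$10,000 the indictment describes."""
    new_by_batch = defaultdict(list)
    for batch, originator, beneficiary, amount in entries:
        if beneficiary not in known.get(originator, set()):
            new_by_batch[batch].append((beneficiary, amount))
    flagged = {}
    for batch, items in new_by_batch.items():
        mule_sized = any(abs(a - typical) <= typical * band for _, a in items)
        if len(items) > max_new or mule_sized:
            flagged[batch] = [b for b, _ in items]
    return flagged


def looks_like_mule_pass_through(credit, debit, low=0.08, high=0.10):
    """True when an outgoing transfer equals an incoming credit minus a cut in
    the 8-10 percent range the column says mules typically kept."""
    if credit <= 0 or debit <= 0 or debit >= credit:
        return False
    kept = (credit - debit) / credit
    return low <= kept <= high


if __name__ == "__main__":
    print(flag_fan_out_batches(ACH_BATCH, KNOWN_PAYEES))
    print(looks_like_mule_pass_through(9800.00, 8918.00))
```

A real monitoring rule would also weigh account age, funding source and destination country, which this sketch leaves out.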
We have to give a lot of credit to the FBI and its international partners for disrupting this cyber-bank activity. Hopefully, this is just a start to dismantle those who are also criminally involved in this scam. It’s important to nab not just the money mules but the instigators. I’ll keep a close watch on this one, and I’ll keep you informed if something significant transpires.
As usual, share this information with your clients, friends and families. Don’t let your guard down because this scam is far from dead. Many other gangs are working it. Refer to my July/August 2010 column to learn how to prevent yourself from becoming a victim.
As I have said so many times before, the main key to curtail this type of fraud is prevention through education. ACFE members can get involved in outreach programs to educate individuals and especially personnel in small- to medium-sized businesses and nonprofits.
Please contact me if you have any identity theft issues you would like me to research and possibly include in future columns. Stay tuned!
Robert E. Holtfreter, Ph.D., CFE, CICA, is a distinguished professor of accounting and research.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.