Cyber Spin on Check Fraud?
Hackers Use Malware to Gain Access to Stored Images
Check fraud may seem like an antiquated scheme, but banking institutions continue to struggle with how best to prevent it.
In fact, according to BankInfoSecurity's recent Faces of Fraud Survey, check fraud is the second most common scheme institutions face, placing just behind payment card fraud and ahead of phishing. And now, it seems, hackers are taking check fraud to a new cyber level.
Security firm Trusteer has just revealed a new wave of check fraud that's striking corporate checking accounts in the United States, United Kingdom and China. Amit Klein, chief technology officer at Trusteer, describes in a new blog post how a hacker, through the use of phishing attacks and malware, accessed online accounts and then retrieved check details from stored check images.
According to Klein, who uncovered this scheme in an underground forum, the fraudster is gaining access to online bank accounts, getting hold of check images, then using those details to create counterfeit checks with custom printing equipment, paper and ink.
"For $5 each, he/she will supply checks that use stolen credentials (e.g. bank account) provided by the buyer," Klein says. "However, to purchase checks that use stolen credentials supplied by the counterfeiter the cost is $50 - a tenfold increase. This is a clear indicator that stolen credentials are a key enabler of check fraud."
The credentials - which include personal information and account/institution data - typically would have to be obtained from a physical or scanned version of a real check. But by gaining access to online check images, the fraudster is getting instant access to all the information necessary to enable check fraud - including account balances.
"The criminal recommends using the checks to buy products in retail stores rather than trying to redeem them for cash," Klein says. "Buyers are also encouraged to carry fake identification cards that match the stolen credentials on the check. The check counterfeiter offers to provide these as well."
New Twist on Old Scheme
Hackers' ability to access stored check images is nothing new. In August 2010, federal investigators discovered hackers out of Russia breached an online check image database after breaking into the front end of websites that housed the images.
As a result, investigators estimated more than 3,000 counterfeit checks totaling about $9 million had been cashed against more than 1,200 legitimate U.S. bank accounts. The crime ring sent fake checks to money mules recruited from online job sites, and then had those mules deposit funds and wire money to members of the ring in Russia.
But Mike Urban, a financial fraud expert with Fiserv, a core processor that provides security services to financial institutions, says this new counterfeit check scheme highlights how fraudsters are increasingly broadening the scope of their attacks. "This truly demonstrates the cross-channel nature of financial crime originating from the online channel," Urban says.
Shirley Inscoe, a fraud analyst at Aite who previously worked for Wachovia, now part of Wells Fargo, has seen previous signs of these schemes.
"We saw this happening back in 2008 at Wachovia," Inscoe says. "We would see accounts that were accessed by unauthorized parties, but the fraudsters appeared to look around and exit without doing anything."
But then counterfeit checks started to roll in, and the bank soon realized what the hackers had been after. Wachovia responded by flagging the accounts that were exposed.
The good news: Schemes like the one that Trusteer uncovered, which are committed on an account-by-account basis, are labor intensive. Thus, they aren't likely to pose threats of massive data breaches for financial institutions.
"But, as we all know, phishing is still an effective tool in the fraudster's toolbox, so they will continue to take advantage of it in new and creative ways," Inscoe says.
Klein is quick to point out the scheme Trusteer uncovered is much bigger than mere phishing attacks.
"It's also about how malware, e.g. man-in-the-browser malware like Zeus, SpyEye, Bugat, Gozi, Shylock, steals user credentials when customers enter them in the genuine bank website," he says. "What we discovered is a generic attack. Therefore, any bank which provides a check image service on its website is potentially at risk. Access to a victim's online banking account provides fraudsters with additional information, on top of the check image."
With checks and account details, fraudsters are able to present more convincing identities when they cash the checks, "thereby improving the check fraud and making it harder to detect," Klein says.
"This highlights how hard it is for banks to provide adequate protection," Inscoe says. "Many of them have eliminated full account numbers on ATM receipts, online banking screens, statements, etc. But for image exchange and products that rely on check images, such as remote deposit capture, they can't really obscure the data on the image, and when account access is compromised, the check images reveal all the data needed to commit fraud."
In fact, the scanners, mobile phones and other imaging equipment used to capture check images also pose risks. If the device retains the check image, then it, too, is at risk of being hacked and exposing check or other account information.
"This is why fraud is always interesting," Inscoe says. "People are creative and always coming up with new schemes."