China Source Of Illegal Wire Transfers, FBI Warns
In its advisory, the FBI highlighted significant spikes in wire transfers between March 2010 and April 2011, identifying at least 20 incidents in which hackers compromised the online banking credentials of U.S.-based SMBs and used them to initiate wire transfers to numerous Chinese economic and trade companies in Heilongjiang province in port towns located near the Russian border. The economic and trade companies appeared to be registered as legitimate businesses holding accounts with several established Chinese banks, which included the Agricultural Bank of China, the Industrial and Commercial Bank of China and the Bank of China.
Thus far, it is unclear exactly who was behind the illegal wire transfers, or if the Chinese accounts were the final destination or if they were transferred elsewhere, or why legitimate companies appeared to receive and accept the unauthorized funds.
However, many of the attacks involved the Zeus botnet, Backdoor.bot or Spybot, three botnets often used in cyber and banking fraud. Known worldwide as the banking botnet, Zeus contains malware with the capability of stealing security authentication tokens, enabling hackers to access the victim's bank account with seemingly legitimate login credentials.
By April, the dollar amount of attempted fraud totaled around $20 million, with actual victim losses nearing about $11 million. The individual unauthorized wire transfers ranged from $50,000 to $985,000, but were generally more than $90,000 at a time.
In addition to the exorbitant wire transfers, hackers sent domestic ACH and wire transfers to U.S.-based money mules within minutes of conducting overseas transfers, which often ranged from $200 to $200.000.
The victims tended to be SMBs and public institutions, likely without adequate security infrastructure or staff, and with accounts at local banks and credit unions. In a typical attack scenario, cyber attackers compromised a computer within the targeted company, usually by some kind of phishing scam employing social engineering techniques or by leading victims to a malicious Web site. The victim would then unknowingly install malware that harvested their corporate online banking credentials when they entered credentials.
When authorized users attempted to log into their bank accounts, they were redirected to fake Web pages falsely informing them that the site was experiencing maintenance issues and unable to access their accounts. Meanwhile, the attacker would simultaneously be initiating unauthorized bank transfers to commercial accounts at intermediary banks, typically located in New York. From there, the funds were transferred to the Chinese trade company accounts.