Russian hackers target job-seekers with counterfeit scam

A rogue Russian counterfeiting operation cranked out $9 million worth of fake checks and cashed them using two familiar ruses for duping consumers: posting fake "help wanted" ads to job-search sites, and convincing applicants to act as "money-mules" to bulk-cash bogus checks.

Atlanta-based SecureWorks Inc. discovered the scam and released a report on it this week at the Black Hat conference in Las Vegas, a favorite event for hackers of all persuasions. The investigation by the company's counter-threat unit took 12 months. SecureWorks is collaborating with law enforcement agencies including the FBI, said Elizabeth Clarke, a company spokeswoman. The hacker gang has not been caught.

The creative combination of high-tech and low-tech make this scam unique. Check processing, cashing and archiving have been largely left alone by hackers. "They were using such advanced technologies -- botnets, [virtual private networks], SQL injection, and they were very expert in hacking, all of the modern techniques," Joe Stewart, director of malware research at SecureWorks, told Consumer Ally. "But they were applying this to a very old-school kind of crime."

The scam worked like this: The hackers gained access to check archiving and verification services, and began counterfeiting checks using information from real accounts. They created checks in a company's name for usually less than $3,000 each, to skirt scrutiny and bank holding times. The thieves steered clear of personal accounts, targeting primarily small businesses, "using the same types of check-printing supplies a small business would use," Stewart said.

Concurrently, they would obtain credentials for job-search sites and advertise for help wanted, using the company names Succes Payment Ltd [sic], Global Busines Payments Inc. [sic], InterWeb Exchange, and Proteus Solutions. The gang usually claims to be a Finnish financial services firm looking to hire account executives.

Scam letters sent to those who replied to the ads look like this:

To: [job seeker's name]
From: Human Resource Department
Subject: Vacancy for [job seeker's name]

Dear [job seeker's name]

Our organization – "Global Business Payments Inc." is processing with bastard banking services throughout the world for more than 10 years.
Now it is widen its presence and a pack of services in the United States. One of our new accommodations is transferring of money with the US check for non U.S. citizens. Therefore we need new executives for the position of "Check Processing Manager".

Responsibilities include:

Getting a check from an overnight delivery service
Check cashing
Money transferring to the client the mean they choose Accounting in the peculiar form for each check

Requirements, Demands, Claims:

Active US address
1-2 hours of free time per day
Positive credit history

Benefits:

High payment. From 100 $ up to 500 $ per day Guaranteed payment of min. 3 000 $ Few working hours Our organization takes care of all the taxes on executives' done transactions.

In order to take this motion, please, register at our webpage and make the instructions.

Best wishes.
TOP MANAGER
Global Busines Payments Inc.

SecureWorks spoke to several would-be job seekers who took the bait after seeing the gang's ads. All of them thought the business was legitimate, Clarke said.

Once hooked, the job seeker receives the following letter, along with a counterfeit check via overnight mail:

Subject: First Task for [money mule's name] from Global Business. Please follow the instruction attentively
From: Success Payment <info@success-payment-mail.com>
To: [redacted]

Dear [money mule's name]
Attention: Please reply to this letter not later then in 12 hours after receiving.

Our customer have sent you a check in amount - $2740 You will receive the check by overnight delivery from 07/10 until 07/12.

The overnight package delivery service tracking number is (xxx)
You can check your mail status on the overnight delivery website: Track and Confirm.

You can cash check at:
1) Bank that issued the check.
2) One of the check cashing places.
3) Deposit the check onto your bank account in any bank and wait until the check clears.

IN CASE YOU SEND MONEY SAME OR NEXT DAY FROM THE MOMENT YOU GET THE CHECK YOUR COMMISSION WILL BE HIGHER. YOUR SHARE WILL BE 15% (PERCENT) OF THE CHECK AMOUNT.

IF CHECK CASHING TIME EXCEEDS THIS TIME PERIOD YOU WILL GET STANDARD 8%
(PERCENT) COMMISSION OF THE CHECK AMOUNT.

Same or next day:
Amount to be send is 2204
Your money is 411
Wiring fees is 125

After two days:
Amount to be send is 2395
Your money is 220
Wiring fees is 125

If there are additional fee for check's cashing please deduct it from sending amount.

You will need only the following information to wire the payment ---
1) First Name ** [Russian mule's first name]
2) Last Name ** [Russian mule's last name]
3) City ** Saint-Petersburg
4) Country ** Russia

After you have transferred money you will be given the Money Transfer Control Number.....
(MTCN) number.

After you make the Transfer please email us the same day the following
data:
PLEASE, SPECIFY THE FOLLOWING DATA COMPLETELY
1) Your address (as you filled in the wire receipt):
2) Your full name (as you filled in the wire receipt):
3) Amount of the transfer:...............
4) MTCN

Please send scan copy or fax documents from the wire service (if possible).
After we our client receive transfer and are certain of your efficiency, the number of checks for cashing will be increased and you may be getting them on a daily basis. We appreciate the quality of our partnership and hope for mutual cooperation for a long time. Please you are kindly requested to email us back in regard of this message that you have read it and understood.

Thank you

Stewart said he found the scam more or less by accident. "I was analyzing something unrelated to the check counterfeit and wound up looking at a server where criminals had set up a botnet and were using it to route a lot of traffic, automated, that was hitting check repositories and downloading checks," he said.

"I didn't realize these databases had public front ends, but they had figured it out, obviously, and were using them to get in."