Monday, September 14, 2009

Following The Money (Mule)

This year has seen an interesting cross section of what seem on the surface to be distinct and separate spam campaigns, but are in fact connected, and part of a very coordinated cybercriminal enterprise.

In the past two years, we have seen numerous spam messages arrive which claim to offer "personal shopper" or "work from home" schemes. These are actually money mule recruitment messages, used to enlist individuals who receive money, purchase products, and then ship the products to (at the moment) unknown addresses.

There have also been a variety of fake "corporate" websites put together for the purpose of recruiting these money mules, nearly always hosted in Russia. Renowned security researcher Bob Harrison has reported several of these websites, and documented their criminality in great detail. [source]

In the past six months we have now also started to see a variety of stories which describe the mass withdrawal of large sums of money from a variety of companies and other organizations. The most recent comes from Brian Krebs of the Washington Post, who has been covering this in some detail. [source]

In this story he reports that several businesses, and most recently a school district, have noticed very large unauthorized withdrawals occurring from their bank accounts, and he makes the connection that this is where the money for the "secret shopper" purchases is coming from.

This was made possible by a piece of malware known as Clampi, a banking trojan that these same criminals (or possibly someone they hired specifically) were able to create or commission in order to record the banking credentials used from any infected computer within the company or organization's network. [source] You can read some great research on Clampi (and its other variant names) written by the well-known security researcher Joe Stewart here. The companies affected are extremely varied (construction companies, electronics testing companies, demolition, at least one other US-based school district), but I guess it really doesn't matter where they get the banking information from. If the money is there, who cares what they happen to do?

The problem with this latest fraudulent banking activity is that the victim was a fairly meagre school district - the Sanford School District, located in Sanford, Colorado - which serves just 340 students. I recognize that the scumbag criminals behind this activity couldn't care less who they affect with their criminal acts, but this is reprehensible on many levels. It is also only one of what appears to be a very large number of these events, and there doesn't seem to be any sign that this activity will slow down in the slightest.

This particular crime exposes a serious shortfall in the general staffing and infrastructure of most small businesses and governmental or civic organizations. The key piece of information these criminals were counting on was that each of these organizations was small, and most likely had negligible IT or network security staff, if any at all. This is a huge, gaping hole which many colleagues and I have felt was inevitable, given the costs and considerations of staffing and maintaining an organization such as a school district or any other governmental office.

IT security staff, if it is an item of any consideration at all for a governmental or civic budgetary office, must be near the absolute bottom of the list of things considered important to fund and maintain. Since most qualified IT security staff are priced well outside the salary budgets of most governmental or civic comptrollers, it is hardly surprising that we now find ourselves in this predicament. A decent staff supporting and protecting the networks used by these organizations could have identified the rogue traffic resulting from the Clampi infection. It might also have stopped Clampi from spreading itself across the entire network, and it might have assisted in the data and evidence gathering that will now be required to pursue this in a court of law.

Mr. Krebs noted that the US Senate Homeland Security and Governmental Affairs Committee was holding a hearing regarding this specific issue and its ongoing effect on small businesses and organizations. [source] I should like to think that each of the following items would be addressed by this hearing:

1) Increased funding and infrastructure for IT security staff, especially for governmental or civic organizations.
2) Following the trail to the inevitable Russian or Eastern European criminals who executed this crime.
3) Greater stringency on the part of banks or other financial institutions regarding processing of funds on behalf of any company, but especially smaller businesses or civic organizations.

If you run a profitable small business, I very strongly recommend that you get an expert to look at every Windows PC in your current computer setup that may at any time have been used to log in to any financial institution that processes funds on behalf of your company.

I expect to see several more of this type of story, and I expect the criminals to get away with this for the foreseeable future, and that is extremely disappointing.

I wish this would lead to some kind of sanctions against Russia or the Eastern European countries involved in these crimes, but that is another story on its own. It has now been several years that individuals from Russia especially have been involved in widespread online criminal activity. No US-based initiative has gone after them, no law enforcement has been brought to bear, no governmental sanctions have ever been imposed, nor does it appear that they will be in the near future. Given Russia's intent to join the World Trade Organization, and its preparations to meet the WTO's guidelines (such as the mock-shutdown of, specifically related to this WTO acceptance,) it is frankly baffling that no such action has been taken against Russia as a country, or the Russian government generally. There are hundreds if not thousands of research reports all pointing directly to Russian individuals as being involved in extremely in-depth and varied cybercriminal activity, including the distribution and sale of child pornography, the illegal sale and distribution of pharmaceuticals, the illegal sale of patented software and trademarked products, and of course the widespread infection of computers around the world. One of these days - probably not soon, unfortunately - this will result in some extremely bad news for Russia as a country, and especially for Russia as a potential member of the WTO. That it hasn't happened already is simply unacceptable.

Unsurprisingly, Mr. Krebs has written about this topic before, as recently as March 2009. [source] That's worth a read, as is the Slashdot discussion which resulted. The same discussion should apply to any country which continues to allow this rampant criminal activity to occur. (Russia is obviously a key contributor to this, possibly the key contributor.)

SiL / IKS / concerned citizen