Chinese cybercriminals steal $11 million from US firms through wire transfers

Between March 2010 and April 2011, the FBI identified 20 incidents in which the banking credentials of US-based SMEs were compromised and used to transfer money to Chinese economic and trade companies located in port cities near the Russian border. The criminals attempted to transfer $20 million but succeeded in moving only $11 million.

“In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing e-mail or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials”, the FBI explained. The malware involved includes ZeuS, Backdoor.bot, and Spybot.

“When the authorized user attempts to log in to the user’s bank web site, the user is typically redirected to another web page stating the bank web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account”, the agency added.

The companies used for the fraud had a Chinese port city in their name. These cities include Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official names of the companies also include the words “economic and trade,” “trade,” and “LTD.”

The fraudulent wire transfers ranged from $50,000 to $985,000. In most cases, they tended to be above $900,000, but the criminals were more successful in receiving the funds when the wire transfers were under $500,000, the FBI observed.

In addition to the large wire transfers, the cybercriminals also sent domestic ACH and wire transfers to US money mules within minutes of conducting the overseas transfers. The domestic wire transfers ranged from $200 to $200,000.

The FBI recommended that banks notify business customers of any suspicious wire activity going to the following Chinese cities: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. Wire activity destined for these Chinese cities should be carefully scrutinized, especially for clients that have no prior transaction history with companies in the Heilongjiang province of China. 
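As an added example (not part of the FBI alert or this article), the following Python screen applies the indicators described above to constructed wire records: destination city, beneficiary name pattern, the $50,000 to $985,000 amount range, absence of prior Heilongjiang transaction history for the sending customer, and a domestic follow-on transfer from the same sender shortly after a flagged overseas wire. The 30-minute window, the `Wire` record layout and all sample transactions are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators from the FBI alert; the 30-minute window is a constructed stand-in for "within minutes".
FLAGGED_CITIES = {"raohe", "fuyuan", "jixi city", "xunke", "tongjiang", "dongning"}
NAME_FRAGMENTS = ("economic and trade", "trade", "ltd")
LOW, HIGH, MULE_WINDOW = 50_000, 985_000, timedelta(minutes=30)
@dataclass
class Wire:
    ref: str
    sender: str        # originating customer account
    beneficiary: str   # beneficiary name as written on the wire
    city: str
    province: str
    amount: float
    sent_at: datetime
    domestic: bool = False

def indicators(wire: Wire, history: list[Wire]) -> list[str]:
    """Alert indicators that one outbound international wire matches."""
    hits = []
    if wire.city.lower() in FLAGGED_CITIES:
        hits.append("destination-city")
    if any(frag in wire.beneficiary.lower() for frag in NAME_FRAGMENTS):
        hits.append("company-name-pattern")
    if LOW <= wire.amount <= HIGH:
        hits.append("amount-range")
    if wire.province.lower() == "heilongjiang" and not any(
            h.sender == wire.sender and h.province.lower() == "heilongjiang" for h in history):
        hits.append("no-prior-heilongjiang-history")
    return hits
def review(wires: list[Wire], history: list[Wire]) -> dict[str, list[str]]:
    """Flag overseas wires with >= 2 indicators, then same-sender domestic transfers within MULE_WINDOW after one."""
    flagged = {w.ref: h for w in wires if not w.domestic and len(h := indicators(w, history)) >= 2}
    overseas = [w for w in wires if w.ref in flagged]
    for d in (w for w in wires if w.domestic):
        for o in overseas:
            if o.sender == d.sender and timedelta(0) <= d.sent_at - o.sent_at <= MULE_WINDOW:
                flagged[d.ref] = [f"domestic-follow-on:{o.ref}"]  # possible money-mule payout
                break
    return flagged
# Constructed sample records (not real transactions)
T0 = datetime(2011, 3, 1, 10, 0)
HISTORY = [Wire("H1", "acme", "Harbin Trade LTD", "Harbin", "Heilongjiang", 120_000, T0 - timedelta(days=90))]
SAMPLE = [
    Wire("W1", "acme", "Raohe Economic and Trade LTD", "Raohe", "Heilongjiang", 480_000, T0),
    Wire("W2", "acme", "J. Smith", "Dallas", "Texas", 4_500, T0 + timedelta(minutes=7), domestic=True),
    Wire("W3", "beta", "Dongning Trade LTD", "Dongning", "Heilongjiang", 300_000, T0 + timedelta(hours=1)),
    Wire("W4", "beta", "Shenzhen Parts Co", "Shenzhen", "Guangdong", 90_000, T0),
]
```

Running `review(SAMPLE, HISTORY)` flags W1 and W3 on multiple indicators and W2 as a domestic follow-on to W1, while W4 (amount range only) is left alone.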
