The FBI is asking U.S. banks to be on the lookout for large wire transfers being sent to accounts registered to companies located in Chinese port cities near the Russian border.
In a fraud alert posted Thursday, federal authorities said they are investigating 20 cases in which the bank accounts of small and midsize businesses in the United States were hijacked to initiate transfers to the bank accounts belonging to Chinese economic and trade companies based in the Heilongjiang province.
Losses between March 2010 and April of this year have totaled about $11 million, with attempted losses reaching roughly $20 million, according to the joint alert issued by the FBI, Internet Crime Complaint Center and Financial Services Information Sharing and Analysis Center (FS-ISAC).
"The unauthorized wire transfers range from $50,000 to $985,000," the alert said. "In most cases, they tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the...transfers were under $500,000."
Typically, a targeted business receives a phishing email that attempts to trick the recipient into clicking on a link or visiting a malicious website, which installs malware that is designed to steal bank account credentials.
The malware, typically Zeus, SpyBot or Backdoor.bot, is written so that when the victim logs into their business bank account, they are redirected to another site falsely informing them that the bank site is currently offline. At that point, the individuals behind the scam log into the vitim's account and initiate large wire transfers to money mule accounts, typically hosted at banks in New York.
The holders of those accounts then transfer the money to the Chinese bank accounts, the alert said. Those accounts belong to seemingly legitimate businesses using the name of a Chinese port city and words such as "economic and trade," "trade," and "LTD."
“It's a continuous arms race.”
– Steve Santorelli, Team Cymru
Authorities recommend that U.S. banks notify their corporate customers when they detect transfers going to the accounts of companies with partial names such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning.
The alert seems to illustrate the latest twist in the trend of cybercriminals targeting small and midsize businesses, in which hundreds of millions have been lost over the past few years.
Steve Santorelli, a former London police detective who now heads global outreach at nonprofit IT security research organization Team Cymru, said he is unsure if the latest tactic of wiring unauthorized transfers to Chinese accounts is a strategic shift or the work of one large group.
"It certainly seems like another standard, run-of-the-mill evolution in the way the underground economy is forced to operate," he told SCMagazineUS.com on Wednesday. "It's a continuous arms race."
He said the location of the companies – just outside of Russia, where many cyber fraudsters are based – may indicate that operatives have found it increasingly difficult to withdraw stolen money from financial institutions in their home country.
"I would imagine that the banking system in the U.S. is now very wise to suspicious transactions going to Russia," Santorelli said. "Maybe those trigger mechanisms don't apply when you send money to China."