Russian crims evade transaction profiling

Transaction profiling, one of the most effective ways for banks and ecommerce firms to detect online fraud, is under threat, as criminals assemble ever more complex transnational operations.
Written by Stilgherrian , Contributor

Transaction profiling, one of the most effective ways for banks and ecommerce firms to detect online fraud, is under threat, as criminals assemble ever more complex transnational operations.

Mikko Hypponen
(Credit: Munir Kotadia/ZDNet Australia)

In his keynote presentation to the AusCERT information security conference, F-Secure chief research officer Mikko Hypponen outlined a recently uncovered operation that used proxies running on infected computers in Denmark to purchase smartphones and laptops in seemingly local transactions.

A chain of unwitting human "packet mules" recruited through employment website monster.dk transferred the goods through agents in at least four countries for eventual sale at markets in Moscow weeks later.

Until now, profiling has made it easy to differentiate legitimate transactions from fraud, and the user doesn't even have to know that they're being protected.

"For example, if your user logs in to an online bank and half a second later he pays a bill, that's not a human being. A human being will not be able to type in a form with account numbers and money figures in half a second. But a program can," Hypponen said.

Online stores profile transactions using data, such as the user's internet protocol (IP) address, the billing address of the card they're paying with and the shipping address.

"If they suddenly get a customer to a Danish-language website visiting from Brazil with a Brazilian IP address using a credit card from Spain and shipping the goods to South Korea, well, that's abnormal, right? That would be stopped," Hypponen said.

The criminal operation in Hypponen's case study began in late 2011, by recruiting Danish citizens to work from home for one of four different fake companies, including one called DRA Sending. Each company had a legitimate-looking website, and their only contact with their bosses was via email.

Initially, their work was simple.

"They would start receiving letters in the mail with long shipping lists of numbers and names and addresses, and they would cross-reference those shipping lists, double-check the numbers, stamp the papers, sign them and ship them away, and they'd get paid," Hypponen said.

After a few weeks of this legitimate work, they'd be promoted to a higher-paid role, where they'd receive packages containing actual consumer goods. Now they were packet mules, reshipping stolen merchandise to hide the trail.

Meanwhile, the criminals used the Blackhole malware toolkit, written and sold by another Russian criminal group, to attack Danish local news websites and infect the visitors' computers — almost all of which would belong to local Danish citizens.

"Now they had people working for them physically inside Denmark. Now they had infected computers physically inside Denmark," Hypponen said.

The infected computers were equipped with the Carperb trojan, which included a keylogger to capture credit card numbers, and a proxy so that criminals could browse websites from remote locations, but appear to be using the Danish computers.

"Now they were ready to start shopping."

Shopping at a Danish retail website from a Danish IP address using a Danish credit card, and shipping the goods to a Danish address — all of this defeated transaction profiling.

Danish police launched an investigation following complaints by retailers. The packet mules were contacted and interviewed. They had no idea they were working for criminals.

Police added a GPS transponder to one of the shipments — an HTC Android smartphone — to map the criminal operation.

This package was shipped via DHL from the Danish capital Copenhagen, and driven across Germany and the Netherlands to the DHL depot in Rotterdam. From there, it travelled by another DHL truck across Germany to Poland, and eventually to its delivery address.

That address was a house in eastern Poland, where a woman in her 80s had been receiving these packages for some time from several European countries.

"The attackers were doing the very same attacks at the same time in other countries, as well, but limiting those attacks inside those countries to bypass profiling ... so this was actually much larger than what it looked like. It had nothing to do with Denmark," Hypponen said.

Twice a week, a Volkswagen Transporter van collected the packages from this woman's house, as well as several other houses in the village, and delivered them across the border to a warehouse in Ukraine. The driver did not know what was in the packages.

The GPS transponder revealed that the packages sat in the warehouse for two weeks before they were moved to the Ukraine capital Kiev, where they sat for another month, before moving north to Russia, ending up at a market square in Moscow.

"And that's where the tracks end. That's where the phone was sold. Somebody bought it and disconnected the transponder, and that's the end of the story," Hypponen said.

"Well, of course the lesson here is that if you need a cheap iPhone, you can go to Moscow."

Hypponen said that authorities eventually discovered who wrote the Carperb trojan. In March, investigations by Russia's Federal Security Service (FSB) and Ministry of the Interior (MVD) led to the arrest of eight people alleged to have run this operation. The profits of their criminal activity is estimated at several million dollars.

Russian authorities subsequently released a video of the arrest of Igor, the man who they believe to have been the gang leader, in a downtown Moscow flat.

Editorial standards