Hackers Pull A Tasty Variation on the ACH Cyberheist Technique



On January 19, PC World reported an interesting twist on an old but still favorite phishing scam called the ACH, or Automated Clearing House, scam in a story entitled "Hackers Steal $150,000 with Malicious Job Application." But where the ACH scam works by getting individual end-users to click links in messages that lead to drive-by downloads with keyloggers and Trojans, which in turn lead to identity disclosure and outright theft, this variation embeds malicious code in documents designed to look like job applications or resumes that, when downloaded for inspection and perusal, work the same way (download malicious software, grab sensitive account information, logins, passwords, and so forth, then upload that data to another Internet host for exploitation or misuse).



The FBI issued an Intelligence Note dated 1/19/2011 entitled "E-mails containing malware sent to businesses concerning their online job postings." The same note also reports that "...over $150,000 was stolen from a U.S. business via unauthorized wire transfer as a result of an e-mail the business received that contained malware." This malware was secreted within an e-mail response to a job posting that this company placed on its Website. It ultimately enabled the attacker to obtain the company's designated staff memeber's online banking credentials. These were then altered to permit wire transfers, after which money was siphoned off to accounts in the Ukraine and inside the U.S. The malware in question was identified as a Bredolab version which presents itself as a file named svrwsc.exe (a well-known Trojan/backdoor program) , a variant of the ZeuS/Zbot Trojan popular with cyber criminals who seek to defraud U.S. businesses.



How can companies avoid such attacks. They must be extremely careful anytime they open e-mail attachments, or files uploaded to Web sites in response to requests for information (resumes, cover letters, and so forth). For such materials of unknown origin, a virus scan is an absolute must (and perhaps even a screening pass through a third party spam- or message-filtering service, where e-mail is involved). The FBI also strongly recommends — and we concur — that banking activity be restricted only to specific, tightly controlled and monitored machines (and certainly not on the same machines where files or email might be downloaded, and where malware might conceivably take up residence).



Please check the FBI intelligence note for this incident, where you will also find links to previous Public Service Announcements from that agency that explain how to avoid corporate account take-overs, how to work safely at home, and about avoiding bogus work-at-home scams.



Stu Sjouwerman



Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews