The check limit was under $3,000 -- the usual amounts were between $2,700 and $2,900 -- probably because U.S. regulations govern how banks treat checks over the $3,000 amount, Stewart says. But some banks questioned the checks anyway, Stewart says, noting it's unknown how successful BigBoss has actually been.
SecureWorks has shared its findings with law enforcement in the United States and notes that one way for a business to keep check fraud of this type at bay is to use a banking service called "Positive Pay" that puts tighter restrictions on adding new payees to business accounts.
While much of the BigBoss operation involves tricks that can be carried out over the Internet from a foreign country like Russia, there may be some elements in the United States supporting the operation, since the check delivery always depended on overnight deliveries (using stolen credit card numbers) from U.S. locations.
When Stewart considers the technologies favored by BigBoss, he notes that carrying bot traffic inside an encrypted VPN tunnel can defeat signature-based IPS/IDS devices that might otherwise detect the malicious transfer of data. In the BigBoss case, "it became clear that the primary reason for the VPN tunnel was to allow the controller to proxy traffic back to the bots, bypassing any firewall or network address translations that would ordinarily block arbitrary incoming connections from the Internet," Stewart says. By joining the botnet as just another "infected" PC, SecureWorks says its research arm was able to uncover a lot of information about the operation's overall purpose over three months.
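Because the tunnel hides the payload from signature inspection, defenders fall back on flow metadata. As an added example (not SecureWorks' or the article's code), this heuristic flags workstations that keep long-lived or repeatedly re-established VPN sessions to servers outside an assumed allowlist; the flow records, allowlist and port set are constructed for illustration.

```python
# Flow-based heuristic for the evasion described above: a bot keeps an
# outbound VPN tunnel open so the controller can proxy connections back to it.
# A signature IDS sees only ciphertext, so this looks at flow metadata instead.
# Every record and address below is constructed sample data, not from the article.
from collections import defaultdict

# Assumed policy: the only legitimate VPN endpoint is the organisation's own concentrator.
ALLOWED_VPN_SERVERS = {"203.0.113.10"}
# Ports commonly used by VPN protocols (OpenVPN, PPTP, IPsec/IKE); an assumption of this example.
VPN_PORTS = {1194, 1723, 500, 4500}

# Constructed flow records: (src_host, dst_ip, dst_port, proto, duration_seconds)
SAMPLE_FLOWS = [
    ("ws-17", "203.0.113.10", 1194, "udp", 28800),  # corporate VPN, allowlisted
    ("ws-42", "198.51.100.77", 1194, "udp", 7200),  # long-lived tunnel to unknown server
    ("ws-42", "198.51.100.77", 1194, "udp", 5400),  # reconnects after a drop
    ("ws-42", "198.51.100.77", 1194, "udp", 9000),
    ("ws-08", "198.51.100.23", 443, "tcp", 45),     # ordinary web traffic, ignored
    ("ws-08", "192.0.2.5", 1723, "tcp", 120),       # one short PPTP attempt, below threshold
]


def suspicious_tunnels(flows, allowed=ALLOWED_VPN_SERVERS,
                       min_total_seconds=3600, min_sessions=2):
    """Return {src_host: {dst_ip: (sessions, total_seconds)}} for hosts that keep
    long-lived or repeatedly re-established VPN sessions to non-allowlisted servers."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [session count, total seconds]
    for src, dst, dport, _proto, seconds in flows:
        if dport in VPN_PORTS and dst not in allowed:
            totals[(src, dst)][0] += 1
            totals[(src, dst)][1] += seconds
    findings = defaultdict(dict)
    for (src, dst), (sessions, seconds) in totals.items():
        # Persistence is the tell: the controller can only reach the bot while
        # the tunnel is up, so expect one long session or many reconnects.
        if seconds >= min_total_seconds or sessions >= min_sessions:
            findings[src][dst] = (sessions, seconds)
    return dict(findings)


if __name__ == "__main__":
    for host, dsts in suspicious_tunnels(SAMPLE_FLOWS).items():
        for dst, (sessions, seconds) in dsts.items():
            print(f"{host}: {sessions} VPN session(s) to {dst}, {seconds}s total -- review")
```

Pair this with the Positive Pay control on the banking side; the network heuristic catches the bot, not the fraudulent check.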