Crooks are using personal details stolen through sophisticated phishing and malware attacks to carry out old-fashioned cheque forgery, says security outfit Trusteer.
The firm claims to have uncovered a scam in an underground forum involving a criminal selling pre-printed, counterfeit cheques linked to corporate bank accounts in the USA, UK and China.
To obtain all the required data - name, address, bank account, routing code and cheque number - fraudsters typically need to get their hands on a physical or scanned version of a real cheque in circulation.
To do this, they take advantage of the fact that many banking Web sites provide access to scanned versions of paid and received cheques, meaning that once they have obtained login credentials through malware and phishing attacks, they can find all the required information.
In addition, before using the cheques, fraudsters can potentially ensure that the victims' account balances are sufficient to approve the transactions.
In the criminal forum, the counterfeiter is offering to supply cheques that use stolen credentials provided by the buyer for just $5 a piece. The price goes up to $50 when credentials are provided as well.
Amit Klein, CTO, Trusteer, says: "This is the latest example of the how criminals can use malware and phishing techniques to make traditional physical fraud schemes more effective. This "cross-channel" approach is helping fraudsters stay one step ahead of even the most sophisticated fraud detection systems deployed online and in the brick and mortar world."