Using Trojans and mules, crooks snatch almost 300,000 EUR in 22 days
by Steve Ragan - Sep 30 2009, 00:02
In a report due on Wednesday, Finjan has tracked one group of cybercriminals and the methods they used to steal almost €300,000 in just 22 days. Using tested methods and technology, along with human gullibility, the crooks were able to bypass anti-fraud detections and network security with ease to pull off the heist.
Starting with the Trojan aspect of the crime, the criminal group targeted German banks and their customers. The group hijacked legitimate websites with the LuckySpoilt toolkit and created fake ones, and victims’ browsers were then taken over by the URLZone bank Trojan. Once installed, the Trojan would connect to Command and Control (C&C) servers run by the criminals, where orders were issued to transfer funds to other accounts.
The amount transferred was always less than the amount needed to raise red flags in the German banks, and the funds were sent to people who were themselves caught up in a completely different scam. These money mules would take the stolen money and forward it to a bank account owned by the criminals, minus a percentage kept for themselves as payment for services rendered.
“It appears that this cybergang knows how anti-fraud systems used by banks these days work,” the report notes, adding that in order to minimize detection, the gang, “used various parameters to define the amount of money it will steal on each transaction.”
Some of the parameters used by the criminals included ensuring that the victim’s account had a positive balance, and setting random amounts to be transferred to the mules. The parameters are linked to the information the URLZone Trojan harvested.
URLZone harvested credentials and activity from victims’ bank accounts and captured screenshots of pages served by various banking sites. In addition, the Trojan hid the stolen funds in the report screen of the various banks. To round out the criminal mischief, URLZone also harvested PayPal, Facebook, and Gmail account information in addition to the banking-related information.
The mules are the added bonus for the criminals, and in most cases are victims in their own right. These bank account owners, or mules, are normally unaware that they are laundering stolen money, the report said. More often than not they think that they are being paid for ‘working from home’ and other moneymaking opportunities.
“To conduct their crime, cybercriminals hire mules by falsely telling them they are working for a legitimate business. Due to the current economic slowdown, more and more innocent people find themselves becoming part of these criminal activities without their knowledge,” Finjan reported.
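The forwarding pattern described above (funds arrive from an unfamiliar sender, the account holder keeps a percentage and sends the rest on) can be screened for on the bank side. The following is an added example, not code from Finjan's report or this article; the ledger rows, channel names, time window and commission range are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; the article gives no figures for timing or commission.
WINDOW = timedelta(days=3)               # how soon the money is forwarded
KEEP_MIN, KEEP_MAX = 0.02, 0.20          # share the account holder retains
CASH_OUT = {"intl_wire", "money_transfer"}  # hypothetical channel labels

def _tx(ts, account, direction, peer, channel, amount):
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "dir": direction, "peer": peer, "channel": channel, "amount": amount}

# Constructed sample ledger (not data from the report).
SAMPLE = [
    _tx("2009-08-03T09:00", "ACC-A", "in", "EMPLOYER", "sepa", 2400.00),
    _tx("2009-08-04T10:00", "ACC-A", "out", "LANDLORD", "sepa", 900.00),
    _tx("2009-09-03T09:00", "ACC-A", "in", "EMPLOYER", "sepa", 2400.00),
    _tx("2009-09-04T18:00", "ACC-A", "out", "RELATIVE", "intl_wire", 2100.00),
    _tx("2009-08-12T11:00", "ACC-B", "in", "UNKNOWN-1", "sepa", 3150.00),
    _tx("2009-08-13T09:30", "ACC-B", "out", "ABROAD-X", "money_transfer", 2898.00),
]

def flag_pass_through(txns):
    """Return (account, credit, forwarded) for credits from a first-seen sender
    that are mostly forwarded out via CASH_OUT channels within WINDOW."""
    by_account = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        by_account[t["account"]].append(t)
    findings = []
    for account, rows in by_account.items():
        seen = set()
        for i, t in enumerate(rows):
            if t["dir"] != "in" or t["amount"] <= 0:
                continue
            first_seen = t["peer"] not in seen
            seen.add(t["peer"])
            if not first_seen:
                continue  # established sender (e.g. salary): not this pattern
            forwarded = sum(
                o["amount"] for o in rows[i + 1:]
                if o["dir"] == "out" and o["channel"] in CASH_OUT
                and o["ts"] - t["ts"] <= WINDOW
            )
            kept = 1 - forwarded / t["amount"]
            if KEEP_MIN <= kept <= KEEP_MAX:
                findings.append((account, t["amount"], forwarded))
    return findings
```

On the sample ledger only ACC-B is flagged; ACC-A's wire to a relative follows a credit from an established sender and is ignored, which is what keeps ordinary salary accounts out of the results.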
One example of how an ad for these types of crime might look was sent by Finjan to members of the press. We’ve included it below.
CANDIDATE REQUIREMENTS.
* not less than 18 years old
* internet access to reply emails promptly
* availability by phone (1-2 hours a day)
* a bank account to process payments
* good credit history with your bank (new bank account is an option)
* no criminal offense or convictions
* experience in the field of finance is preferred
DUTIES
We are searching for people to process payments coming from our clients. Prime Group Inc will provide an agent with detailed instructions as regards payment processing operations including sender full name and amount total for each separate case.
When funds enter employee's bank account, Financial Agent's duty is to withdraw cash and transfer the funds via International Wire Transfer or Western Union/Money Gram money transfer systems. The main advantage of our services is the shortest possible time within which the seller can receive money for the services/goods sold. If this operation is delayed, our clients are entitled to cancel their contract with us and we suffer financial loss. Therefore, successful applicant must be very responsible and careful!
According to Finjan, from August 11 until August 26, the criminals stole €193,606 from German banks. From August 30 until September 1, they struck again, snatching another €42,527. In just 22 days, they stole €236,133.
The report notes that per internal policy, German law enforcement was fully briefed on the criminals and their methods, including all related research and data collected for the report.
Finjan’s Cybercrime Intelligence report is available here.