Banking Trojan Steals Funds, Then Attempts to Hire Victims as 'Mules'

The latest variant of the Zeus Trojan attempts to hire people to move stolen money to offshore accounts.

A group of criminals using the popular Zeus banking Trojan have started advertising for accomplices, displaying ads for job scams whenever the victim visits a popular job site, financial security firm Trusteer said on June 13.

Typically, victims whose computers are infected with Zeus have to worry about their bank accounts being drained. Yet if a victim visits the popular job site, some variants of Zeus will also display an ad for a job with a fraudulent company, Trusteer stated in a blog post. In reality, the job is to help criminals transfer stolen cash to another country or cash out goods bought with stolen funds—in other words, a "money mule."

Finding people to help—usually unwittingly—is an ongoing challenge for criminals, but a critical need. Without money mules, cyber-criminals would have a very hard time moving stolen money, Etay Maor, fraud prevention solution manager with Trusteer, told eWEEK.

"Money mules are always a scarce resource and whenever criminals do recruit them, they keep a pretty good eye on them," he said. "At the end of the day, you really can't cash out unless you have a mule."

When cyber-criminals compromise a consumer's computer and access his or her bank account, they need somewhere to transfer the money. Most often, they transfer it to the accounts of one or more money mules, who then transfer it to an offshore account. When law enforcement track down the money mules, the criminals have typically already broken contact with them and so cannot be tracked.

While some people become money mules knowingly, most are people looking for work or hoping for easy money. Advertisements for "mystery shoppers," "work-at-home accountants" or "financial managers" are typical ways that criminals lure people looking for an easy paycheck. While consumers are wary of email advertisements for such positions, an advertisement on a job site will generally appear much more reliable.

Without money mules, the transfer of the funds stolen through the takeover of bank accounts and other types of fraud would not be possible. U.S. citizens reported nearly 290,000 cases of fraud in 2012, costing them more than $525 million, according to the Internet Crime Complaint Center (IC3), which processes fraud claims for the U.S. Department of Justice. The Citadel botnets—recently taken down in a worldwide seizure led by Microsoft—are responsible for more than $500 million in bank fraud in the past two years, according to financial firms.

Yet, as more consumers hear of the fraudulent scams, criminals are having a harder time finding money mules. To recruit more mules, novel techniques will be required, Maor said.

"By using CareerBuilder as a platform, the Zeus operators maximize their outreach to potential mule targets," Trusteer stated in its blog post. "Because this redirection occurs when the victim is actively pursuing a job, in this case with, the victim is more likely to believe the redirection is to a legitimate job opportunity."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...