Zeus Malware Configured To Recruit Money Mules In Credit Card Theft


Security researchers analyzing the Zeus Trojan have detected a configuration that offers clues into how attackers recruit people to funnel stolen funds from the United States to overseas locations where it is laundered.

The malware is designed to display phony website advertisements on legitimate employment websites, according to Etay Maor of security firm Trusteer. In a blog entry outlining the security researcher findings, Maor said the configuration uses HTML injection to advertise a mule recruitment site when a victim visits CareerBuilder.com, a popular employment website.

"Employment websites have long been a target for cybercriminals," wrote Maor, a product manager at Trusteer. "These websites are targeted by malware for credential theft and are also used for mule recruitment and malware distribution."

[Related: The 8 Steps Behind The Massive $45M Cyber Bank Heist]

Money mules play a key role in cybercrime operations, draining bank accounts using prepaid debit cards encoded with a victim's stolen account information. Federal authorities charged four men this week for their role in directing money mule operations in several U.S. cities. Seven men were arrested for using prepaid debit cards in a $45 million cyberbank heist in May. Once the cards are used at various ATMs, the mules take a small cut and then wire the money to overseas locations.

Most of the activity conducted by financially motivated cybercriminals has become automated, security experts say, enabling just about anyone to take part in credit card fraud. The Zeus malware family is incorporated into automated attack toolkits. In larger attack campaigns, international crime rings based abroad do most of the heavy lifting, stealing the account data from victims. Money mules are typically poor and unemployed, seeking ways to earn fast cash, Trusteer said.

CareerBuilder did not respond to a request for comment. In addition to proactively monitoring for suspicious ads, employment websites offer ways for users to report suspicious ads, Maor said. The code analysis shows advancements made by malware authors to dupe the proactive monitoring, according to Maor.

The Zeus malware was designed to use a man-in-the-browser MitB technique to present the advertisement to a website where the mule is recruited.

"While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering," Maor wrote. "Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder.com, the victim is more likely to believe the redirection is to a legitimate job opportunity."

PUBLISHED ON JUNE 13, 2013