Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/6/2009
12:29 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

RSA: Cybergang Hid Money Trail Behind 'Fake' Mules

URLZone Trojan attackers made sure their real money mules remained anonymous

Turns out the bad guys using a sophisticated banking Trojan that covers its tracks also hid the identities of the money mule accounts they used.

Researchers from RSA's FraudAction Research Team discovered that the cybergang recently exposed in a report by Finjan knew its URLZone crimeware was being scrutinized, so the group set up decoy mule accounts in an attempt to dupe researchers and keep them from the real money-mule account information.

"The fraudsters check if the computer used by the researcher is part of the 'legitimate' botnet of URLzone-infected machines. If the computer is deemed to be a 'foreign' one -- in other words, if the criminals do not know the computer -- they deliver a fake mule account to the computer used by the researcher," RSA researchers blogged last night. "This is the way they prevent their real mules from being exposed."

Finjan had exposed how a group of attackers was using the so-called URLZone Trojan, which calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. It also forges the victim's on-screen bank statements so the victim and bank don't see the unauthorized transaction. The bad guys had stolen around 200,000 euro each day from several European bank customers during a period of 22 days in August.

Money mules basically serve as the conduits for the stolen funds. They are typically unsuspecting users who believe they're performing a legitimate funds transfer for a job they were offered online. Shutting down those channels stops the money from moving, so keeping their information hidden keeps the flow of fraud alive.

But RSA says it turns out the money-mule information the cybergang "showed" was phony. The bad guys prevented researchers and investigators from seeing the actual mule accounts, instead displaying 400-plus legitimate accounts that do not actually belong to the gang's money mules. "The 'fake mules' method was conceived in order to ensure that the Trojans' real mule accounts are not exposed and subsequently blocked," RSA blogged.

And adding insult to injury, the fake mule accounts aimed at foiling researchers shows real bank account details from victims of the URLZone attacks. "The details of these payee accounts are screened by the Trojan according to various criteria to determine whether they should be added to the list of fake mule accounts. As long as PCs are infected with the Trojan, and victims continue to initiate online wire transfers, URLZone continues to replace payee details through MITB [man-in-the-browser] attacks and is growing a longer and longer list of fake mules," RSA says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.