Cyber criminals hide behind false mules
The masterminds behind online banking trojans have started laying false trails to mislead investigators and prosecutors. Aviv Raff of RSA FraudAction Research Labs found that the control server of the URLZone bot net deliberately returns false data when it suspects that it is being investigated.
Online banking criminals have used "money mules" for quite some time. The term refers to people who launder the proceeds of fraudulent bank transfers: they receive the stolen money on their own accounts and agree to forward it, minus their commission, to a recipient abroad via services such as Western Union. The banking trojan on the victim's PC retrieves the account numbers of the mules currently in use from its master's control server, so that it can redirect the victim's transfers to them.
Security specialists such as RSA FraudAction Research Labs work for banks and try to locate the servers of known bot nets by posing as infected clients. Knowing a gang's currently active mule accounts lets the banks spot and block fraudulent transfers early. While doing this, Aviv Raff came across a bot net server that tried to feed him the account details of innocent users. The server had apparently detected that the supposed zombie wasn't really a victim and responded by deliberately laying false tracks.
Interestingly, the decoy "mule" accounts weren't chosen at random. According to Raff, they all belonged to people who had earlier received money legitimately from a trojan victim. By monitoring their victims' activities, the criminals build up long lists of valid bank transfer details over time, which they can then use for laying false tracks and other diversionary tactics. The unsuspecting account owners could even find themselves accused of money laundering, because stolen funds appear to pass through their accounts.
Security firm Finjan recently pointed out that URLZone has a few more tricks up its sleeve. It has been known for a while that banking trojans act as a "man in the browser", manipulating the bank's web pages as they are displayed so that transaction lists and account balances no longer show the fraudulent transfer, which camouflages their activities for as long as possible. URLZone, however, goes a step further: according to Finjan, it checks a prospective victim's account balance and overdraft limit before an attack and sizes the forged transfer so that it stays within the available funds and does not trigger an overdraft alert.
All of this shows that the criminals are clearly responding to the growing pressure from private investigators and public prosecutors. Particularly worrying is that URLZone appears to specialise in European, and especially German, banks; Finjan's examples refer to the German Postbank. Postbank customers can protect themselves by using mTANs (mobile Transaction Authentication Numbers), where the bank sends the TAN for each transaction by SMS together with the amount and the recipient. Because the SMS comes from the bank over a separate channel, it reflects the transfer the bank actually received rather than what the manipulated browser displays. A customer who compares the amount and recipient in the text message with the transfer they meant to authorise, rather than simply copying the TAN, should therefore detect the attempted fraud.