The malware uses Man-in-the-Browser (MitB) techniques to inject ads

Jun 14, 2013 06:36 GMT

It’s well known that it’s not enough for cybercriminals to get a hold of personal and financial information to make a profit. They somehow have to monetize their proceeds, and the safest way for them to do that is by recruiting money mules.

Money mules are willing or unwitting individuals who withdraw the money, keep a percentage for themselves and wire the rest to the crooks.

Cybercriminals often use legitimate job websites to advertise so-called “financial manager” positions. Recently, however, employment websites have deployed mechanisms that let users easily report suspicious ads.

That’s why cybercriminals have started relying on the notorious ZeuS malware to lure potential money mules to their own recruitment website.

A new ZeuS variant spotted by researchers from Trusteer is designed not only to steal information, but also to utilize Man-in-the-Browser (MitB) techniques to present the owners of infected computers with an ad for a mule recruitment website every time they try to access CareerBuilder.com.

The site that users are lured to, marketandtarget [dot] com, is currently down. When it was online, it presented visitors with various poorly designed ads for “hot jobs,” including a job as a “mystery shopper,” which is often used as bait to recruit money mules.

“By using CareerBuilder as a platform, the Zeus operators maximize their outreach to potential mule targets. While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering,” Trusteer’s Etay Maor wrote in a blog post.

“Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder [dot] com, the victim is more likely to believe the redirection is to a legitimate job opportunity.”