Over two dozen people scammed into being money mules

Jul 4, 2009 10:39 GMT

Kentucky's Bullitt County fell victim to an elaborate scam that combined an online banking trojan with timed money transfers to Ukraine. The attack, which used 25 unwitting U.S. residents as intermediaries, left the county's bank account short of around $415,000.

The Washington Post's Security Fix blog reports that the incident started on June 22, when attackers succeeded in installing a Zbot variant on the computer used by Bullitt County's treasurer. Zbot, also known as Zeus, is a trojan that steals banking credentials and was particularly active at the end of June.

The method used to infect the treasurer's machine has not been revealed, but a computer forensics investigator familiar with the incident confirmed that the malware was used to steal the credentials the official used to access his e-mail and the county's bank account.

However, the bank's online system employs additional security mechanisms to verify the identity of its customers. One of these uses the characteristics of the customer's computer and browser to generate a unique signature (a device fingerprint). According to the investigator, this is why the attackers had to jump through hoops to get their hands on the actual cash.

It is also worth noting that the Zbot variant used in this case was an enhanced one, with two additional vital features. One lets it send stolen credentials to the attackers immediately via instant message; the other opens the door for them to route their own traffic through the compromised system's Internet connection.

The fraudsters logged into the bank account through the hijacked Internet connection and changed the password and e-mail address associated with it. They then added 25 people from across the U.S., whom they had scammed into working for them as fake county employees, and set up payroll payments of around $10,000 for each of them.

The attackers still had to approve the transfers from a real browser and computer, which they knew would fail the system's fingerprint check. However, they had that covered: once they authenticated, the online banking system detected a new fingerprint and sent a verification code to the e-mail address on record to validate it.

Since the attackers had previously replaced the e-mail address associated with the account with one under their control, they had no trouble receiving the code, validating the new computer fingerprint and approving the transfers. The operation was repeated several times, and some of the fake employees received multiple transfers.
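The weakness in the flow described above is that the bank trusted a contact e-mail address that had just been changed from a compromised session. The following is an added example, not the bank's code or anything from the Security Fix report, showing two defensive controls over a constructed, hypothetical event log that mirrors the sequence in the story: a routing rule that stops sending new-device verification codes to a recently changed e-mail address, and detection logic that flags a burst of new payees and a payroll submission shortly after a contact-detail change. Event names, thresholds and the sample timestamps are assumptions.

```python
"""Defensive controls for the account-takeover sequence described in the story.
Added example with a hypothetical event model; thresholds are assumed values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str        # hypothetical event names, see build_sample_events()
    detail: str = ""


# Assumed policy values (not the bank's real settings).
EMAIL_CHANGE_COOLDOWN = timedelta(days=7)   # distrust the e-mail on record this long after a change
PAYEE_BURST_WINDOW = timedelta(days=2)
PAYEE_BURST_THRESHOLD = 10


def verification_route(last_email_change: Optional[datetime], now: datetime) -> str:
    """Decide where a new-device verification code is delivered.

    If the contact e-mail was changed recently, the address itself may belong to
    whoever took over the session, so the code goes out of band (e.g. the phone
    number on record, or a hold pending a call) rather than to that address."""
    if last_email_change is None or now - last_email_change > EMAIL_CHANGE_COOLDOWN:
        return "email_on_record"
    return "out_of_band_or_hold"


def find_alerts(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Replay an event log per account and return (time, account, reason) alerts."""
    alerts = []
    per_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        per_account.setdefault(ev.account, []).append(ev)

    for account, evs in per_account.items():
        last_email_change = None
        payee_adds = []
        for ev in evs:
            if ev.kind == "contact_email_changed":
                last_email_change = ev.ts
            elif ev.kind == "new_device_verified":
                # A new fingerprint validated with a code sent to a just-changed address.
                if verification_route(last_email_change, ev.ts) != "email_on_record":
                    alerts.append((ev.ts, account,
                                   "new device verified with code sent to recently changed e-mail"))
            elif ev.kind == "payee_added":
                payee_adds.append(ev.ts)
                recent = [t for t in payee_adds if ev.ts - t <= PAYEE_BURST_WINDOW]
                if len(recent) == PAYEE_BURST_THRESHOLD:   # fire once, when the threshold is crossed
                    alerts.append((ev.ts, account,
                                   f"{PAYEE_BURST_THRESHOLD} new payees added within "
                                   f"{PAYEE_BURST_WINDOW.days} days"))
            elif ev.kind == "payroll_submitted":
                if last_email_change is not None and ev.ts - last_email_change <= EMAIL_CHANGE_COOLDOWN:
                    alerts.append((ev.ts, account,
                                   "payroll submitted shortly after contact e-mail change"))
    return alerts


def build_sample_events() -> List[Event]:
    """Constructed event log (not real bank data) following the story's sequence:
    e-mail and password changed, 25 payees added, new device verified, payroll sent."""
    acct = "county-treasury"
    t0 = datetime(2009, 6, 22, 9, 0)
    evs = [Event(t0, acct, "contact_email_changed", "old@example.org -> new@example.net"),
           Event(t0 + timedelta(minutes=5), acct, "password_changed")]
    for i in range(25):
        evs.append(Event(t0 + timedelta(hours=1, minutes=10 * i), acct, "payee_added", f"payee-{i:02d}"))
    evs.append(Event(t0 + timedelta(days=1), acct, "new_device_verified", "fingerprint-B"))
    evs.append(Event(t0 + timedelta(days=1, minutes=10), acct, "payroll_submitted", "25 x ~$10,000"))
    return evs


if __name__ == "__main__":
    for ts, acct, reason in find_alerts(build_sample_events()):
        print(ts, acct, reason)
```

On the constructed log this produces three alerts: the payee burst (at the tenth addition), the new-device verification within the cooldown, and the payroll submission within the cooldown. The routing rule alone would have prevented the fingerprint bypass in the story, since the code would not have gone to the attacker-controlled address; the burst and payroll rules give an analyst a second chance even if it had.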

The other side of this story is how the recipients of the bogus payroll payments were tricked into participating. Apparently, the fraudsters recruited them several weeks in advance through job-hunting websites to proofread and edit documents for a promised fee of $8 per KB of data. They then offered them positions as local agents for a fictitious company, called Fairlove Delivery Service, under the claim that it had trouble sending money to customers abroad.

People who accepted the local agent positions received money into their bank accounts, which, as arranged, they withdrew and sent via Western Union to Ukraine, keeping 5% for themselves as commission. The surprise came when their banks later called to inform them that their accounts had been frozen and that they were in debt, because the substantial incoming transfers had been reversed as fraudulent.