April 13, 2012

Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money.  They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments. In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.

Some of the mule gangs I’ve identified.

But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and triggering anti-money laundering reporting requirements by the banks), cyber crooks usually send less than $10,000 to each mule. In other words, for every $100,000 that the thieves want to steal, they need to have  at least 10 money mules at the ready.

In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.

Thus, the average mule is worth up to $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40-50 percent of the fraudulent transfer amounts for their trouble. Not only are mule expensive to acquire, they often take weeks to groom before they’re trusted with transfers.

But these mules also come with their own, well, baggage. I’ve interviewed now more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, giving the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.

In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules. For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores. A majority of these low-value cards are not reloadable, unless the cardholder goes online and provides identity information that the prepaid card issuer can tie to a legitimate credit holder. After that card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.

“The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division. “We do checks against different public resources like Experian and LexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”

The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked. Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.

THE ATTACK

Sometime on March 13, four different employees of Alta East received emails that appeared to have been sent from a current client. The messages inquired about a recent transaction, and cited an invoice number. According to Weeden, all four Alta East employees opened the attached Adobe PDF file, which contained a hidden Javascript element that infected their Windows XP systems with a variant of the ZeuS Trojan.

Six days later, the thieves set up a batch of fraudulent payroll payments, sending instructions to Alta East’s bank to fund 15 Metabank prepaid cards; the remainder of the funds apparently were sent to traditional money mules at locations around the country.

“The emails came from a legitimate customer, and we thought he was questioning an invoice,” Weeden said. “There were four of us who hit that attachment. Afterwards, we asked the customer about the email, but he said he hadn’t sent it.”

Weeden said Alta East’s internal IT guys scanned her machine with six different antivirus tools, but the scans turned up no evidence of infection. It wasn’t until the company hired an outside forensics expert who removed the hard drive and examined it in an isolated environment that the expert found the ZeuS infection.

The thieves didn’t route their fraudulent logins to Alta East’s bank account through the company’s systems; rather they proxied the traffic through  the networks of the Center for Discovery, a rehabilitation facility for disabled individuals that is located in nearby Harris, N.Y. The center did not return calls seeking comment.

Rick Jones, executive vice president business services at Alta East’s financial institution – Provident Bank — said the bank followed its agreement with Alta East, and sent the company an email about the fraudulent payroll batch the very day it was initiated. But Jones said that Alta East admitted to overlooking the notification until the following morning. By that time, most of the unauthorized transfers had already gone through.

Weeden said Provident was able to retrieve roughly $20,000 worth of illicit transfers from mule accounts, and that it expected to recover another $21,000 in the coming weeks. She added that her firm is in the process of setting up a system whereby online banking is done only from an isolated computer that will not be used for email or regular Internet browsing. Still, the company is facing an $80,000 loss from the incident.

It remains to be seen whether cyber thieves continue shifting more of their operations from traditional mules to prepaid debit accounts. I’ve talked to a number of victims who lost more than $100,000 but noted that the thieves left several hundred thousand dollars untouched in the company’s accounts. “Why would they leave so much money on the table like that? Why not just take it all?” the victims usually ask. The answer? Just as real life bank robbers are limited in the amounts they can steal by the volume of cash they can physically haul from the scene of the crime, so are cyber thieves. Usually, the thieves simply did not have access to enough mules to help them haul all of the available loot. That limitation is eased if they start depending more on prepaid cards, an entire stack of which can fit easily into a single miscreant’s wallet.

ANALYSIS

There are a few things worth calling out from the above story, and every business owner would do well to consider them closely:

-eBanking losses are likely to increase if thieves continue to find success with the prepaid card approach.

-Today’s cyber thieves are patient and willing to jump through multiple hoops to steal your money.

-Clicking on links and email attachments continues to be a risky activity, even when the links and attachments appear to come from someone you know or trust.

-Traditional antivirus tools have an atrocious record in detecting ZeuS and its ilk. If you suspect a machine is compromised, you cannot trust a report from a security program that is running on top of the potentially infected operating system.

-A majority of these ebanking heists start with a social engineering scam sent via email. Companies should be actively phishing their own employees and grading them on their performance, and perhaps even tying performance to year-end bonuses or other (dis)incentives.

-Unlike consumers, businesses have basically no legal protection from their bank due to losses from cyber fraud. Yes, organizations should push their banks to do more on security. But for better or worse, small to mid-sized businesses who are counting on their banks to prevent this type of fraud are setting themselves up for disappointment and major financial losses.

-Banking from a Live CD or from an isolated (preferably non-Windows) computer is the surest way to avoid ebanking heists. However, this approach only works if it is consistently observed.


46 thoughts on “Thieves Replacing Money Mules With Prepaid Cards?

  1. uzzi

    Great job, nice read. Thx Brian! – Didn’t know “public resources” are a “reasonable” evidence of authenticity. And banks transfering debit card money overseas without appropriate time-limits from my point of view act grossly negligent…

    1. george

      @uzzi

      I thought the whole point of using money mules and/or prepaid cards was to avoid overseas bank transfers (and to make the local transfers irreversible). This development (of using prepaid cards) is worrying as Brian pointed out since it seems so much easier, cheaper and safer for the thieves to cash out cutting the middle-man. It seems also hard to fight since prepaid cards have so many legitimate uses and are in itself a good thing (except maybe blocking the possibility to reload them) . Even if the issuers will require the owner to legitimate once to a notarial office or bank before enabling reload, I can imagine the miscreants using some shills to do so.

      1. uzzi

        “[…] Western Union even allow senders […] sending money overseas directly from the card.”

        Basic security principle for virtual money was full control of transfers – think we’ve given that up for ‘convenience’. 🙁

    2. extra

      One of the issues is that some of the ACH fraud is that the money is being transfered directly to the gift cards, and some of the banks will not reverse them, even when told that it is fraud.

  2. Moike

    >Companies should be actively phishing their own employees and grading them on their performance

    There is no way employees can tell the difference between a real email, and the email in this story where a current customer appears to have sent an inquiry. If the bad guys have this much information, they might even reference a current actual order or project along with the PDF.

    People are running with PDF Javascript enabled these days????

    1. Mike

      It is necessary to have PDF Javascript enabled to use some sites like the US Postal Service.

      But the number of computers so configured should be limited.

      It pays to be suspicious. Emails from customers, if they are common, should follow a pattern. Any deviation should cause a phone call the the customer.

      1. Mark

        At the bank where I work we have seen a number of cases in which fraudlent emails to the bank actually did originate from the customer’s email account because the account had been compromised by the fraudsters. We mitigate that kind of fraud by having a policy that prohibits us from performing financial transactions requested in emails until we call the customer first.

        Bryan, your blog is great. I notice that the information you reference on using LiveCDs (including the related links to the SANS document) are dated 2009. Three years later do you still think that this is the best way for businesses to protect themselves? -Thanks

        1. JCitizen

          The year of that publication is not relevant. Live CDs are still the simplest – cheapest way I can think of to secure web sessions with a bank. Puppy Linux has continued to evolve since 2009, and so have other Linux distros. The less code in the distribution, the better assurance that it won’t be compromised.

          I like to buy my CDs from On-Disk; I’m sure there are many other sites that are equally handy for this kind of software.

          A dedicated machine with Windows Steady State implemented is a big help, but not as good; because even Steady State can be defeated.

      2. Nic

        “It is necessary to have PDF Javascript enabled to use some sites like the US Postal Service.”

        Can you clarify this please? I use the USPS website regularly to tracking numbers and my browser doesn’t even have any pdf plugins, and I normally surf without javascript anyway.

    2. David

      quote:

      There is no way employees can tell the difference between a real email, and the email in this story where a current customer appears to have sent an inquiry.

      Wrong. You have to know how to read email headers, but there are ways to determine the actual source of an email from the data in those headers, with at least reasonable accuracy. In some cases, when a strict SPF record is published for the domain that the email is supposed to be coming from, as is the case for almost all Canadian banks, it is even very easy to tell a fake.

      Agreed it is not easy for the average user, but there is certainly a way. 🙂

      I have always maintained, since I started using email in the 70’s on the arpanet, that anybody that cannot speak SMTP and send an email through telnet should not be allowed to use email. 🙂

      1. JCitizen

        Telenet is vulnerable, and should probably be stricken from the factory default of Windows operating systems.

      2. Mark

        The headers do provide that information, but sometimes the fraudster has compromised the bank customer’s email account. In our experience, the best way a bank can know if an email really is from their customer is to call them.

    3. Alan

      I think that’s true. If they do the work to craft a good spear phishing e-mail then the chances the employee will open the attachment is close to 100%. This is why the computer used to do online banking has to be isolated and dedicated to that purpose. It can’t be used for e-mail, can’t be used for web browsing, doesn’t accept USB sticks, etc. It connects to the bank and nothing else.

      1. Alan

        My comment above was in response to Moike’s comment about the utility or lack of utility in spear phishing your own employees.

  3. Yaya

    I think the biggest cost-benefit behavior is that all online banking should be locked down to a single-purpose computer or via a Live CD boot. Even cash-strapped small businesses could afford a netbook devoted to online banking and the small number of people authorized to use it could be impressed with the severity of possible repercussions of using anything else.

    I’d still like to see better security schemes from the banks though. Even something as simple as cellphone generated tokens would do a lot to thwart miscreants.

    1. JCitizen

      It would also be nice if that netbook had no way of writing to the hard drive. Otherwise it is probably only third best, as far as security. There is one software out there that can lock the drive down, even better than Faronics DeepFreeze; but the name escapes me at the moment.

  4. Yaya

    PS., Greatly amused at your impression and description of money mules. Fortunately for miscreants, there seems to be no shortage of people like that.

  5. Jonathon

    Excellent piece, Brian. Especially like the recommendation that companies should be phishing their own employees.

  6. George

    Aren’t US eBanking website using two-factor authentication and payment authorization? Or am I missing something?

    George.

    1. Mark

      Many banks are using two-factor authentication, but there are ways around it. With a man-in-the-browser attack, the fraudster let’s the company sign-on and perform their transactions, but then prevent the sign-off from ocurring. Having control of the computer and already being signed on, they can them perpetrate fraudulent transactions.

      1. George

        If you only use 2fa to sign in initially, but that is a flawed concept to begin with. Every transaction should be signed.

        By reporting the transaction ammount when signing (on the 2f device) you can effectively also mitigate mitb adding transactions to batches.

        George.

    2. JCitizen

      To add to Mark’s response;

      I don’t know about “eBanking”; but the typical banks that have online access, don’t seem to have a clue. I’m sure that will rapidly change, or else, in the near future!

  7. Don

    Quick typo fix…

    “…the mule provides her banking details to the recruiter”

    was likely meant to be:

    “…the mule provides their banking details to the recruiter”

    1. Bufford

      Don, it would be, “mules” and “their” to keep your singular/plural straight. Swapping HE/SHE randomly is the new PC grammar for the historically-generic HE/HIM.

      1. AlphaCentauri

        I’m looking forward to the day when “they” joins “you” as both a singular and plural pronoun. I’m increasingly seeing people who really believe it already is correct.

        1. Jane

          Supposedly “their” was already in use as a generic possessive well before the women’s suffrage movement, let alone “political correctness.”

  8. Ryan C. Moon

    >> “Traditional antivirus tools have an atrocious record in detecting ZeuS and its ilk. If you suspect a machine is compromised, you cannot trust a report from a security program that is running on top of the potentially infected operating system.”

    These people are victims of advertising scams from AV companies, Oracle, and Apple. For years AV companies have said that their products are the one-stop shop for all you need to prevent malicious attacks on your infrastructure, that they can protect you from malware in your email, and that they can recognize malicious egress and spot it. None of these things are true. As someone who sees ZeuS every single day in the wild, I can count the number of times I have seen a better than 2/42 match on VirusTotal on one hand (and most of those are “iffy”).

    Financial institutions need to spend more capital in their intrusion detection/internet services departments. Finding customers, especially business customers, with ZeuS takes more than a lost IT employee with a copy of Norton. It takes hiring knowledgeable, trustworthy staff and giving them free-er reign than the average corporate drone to put systems in place to manage/mitigate these events.

    1. JCitizen

      The smart banks I know of, are pushing Rapport from Trusteer; and a good password protection like RoboForm or LastPass, to the client side. These can run and be effective in an infected environment.

      The only problem is they don’t seem to realize that many things either can’t install correctly when the PC is already infected, or won’t operate correctly. One of my clents couldn’t understand why the Rapport arrow wasn’t showing up on her address bar on IE8, and AdWatch wouldn’t activate. I had her run a fast scan with Super Anti-Spyware, and it found a Fraud Tool Trojan; removing this magically made the Rapport arrow appear, and AdWatch to activate. I imagine Rapport was working, the fraud tool, was just trying to obfuscate the process, to confuse the client into making a mistake on the start of this security maintenance process. It almost worked, until she called me.

      Needless to say, I had her update all scanners, and go into safe-mode with restore turned off, and all files un-hidden, for a thorough deep scanning; wiping and re-installing wasn’t an option unfortunately. I’m sure Trusteer is fighting to keep the bugs from completely taking over the installation process; but that will be a long road to hoe!!!

      1. TJ

        “… wiping and re-installing wasn’t an option unfortunately .”

        Why wasn’t it an option? Or is that just another way of saying the client wasn’t willing to pay the freight for what really needed to be done?

        The best antivirus program I have is actually Acronis True Image. In a fraction of the time it takes to run a single thorough scan of my system with an AV program, I can restore a pristine image of the OS, restore backed up data from an external drive, and re-install needed apps that aren’t included in the disk image. The only time consuming activity is downloading and installing several months of Windows updates.

        1. JCitizen

          Very true TJ;

          However, this was remote session only, not hands on. I typically live 800 miles from my clients. She is also indigent, and totally computer clueless, so trying to explain things like Macrium reflect, is like talking to a brick wall. Besides she can’t afford another hard drive either.

          Sometimes you just have to look at how much the client has to lose; and make judgement s from there. Sometimes it doesn’t pay to have a perfect situation.

          1. TJ

            Makes complete sense, JCitizen.

            Speaking of the clueless, I once made the horrible mistake of trying to help my father (the King of ’90s e-mail joke spamming) through a system recovery from 3,000 miles away. The whole experience went so badly I could have flown there and back in the time it took to get him back up and running.

            1. JCitizen

              So true! But in my case, my true ID is not really known to most of my clients, and I like it that way, because of reasons I prefer not to disclose in public. No – it is not because I’m a criminal or terrorist! 😉

              I won’t even travel for local clients, they bring the units to me. I’m financially independent, so I don’t charge anything for indigent clients. I just like IT so well, I do it for the pure enjoyment!

  9. С. Яакоб

    “Now, thieves are starting to transition to prepaid debit cards”

    Now? I’m monitoring the German fraud scene for years and they started to use prepaid debit cards at least 7 years ago.

    If you’re interested in further informations about this issue drop me an e-mail.

  10. uzzi

    Maybe banks and mafia have too much in common:
    “Trust me. That’s all I can tell you about my business.” 😎

    How about splitting accounts into two accounts / subaccounts, enabling one (sub-)account for incoming payments and storage and the other just for outgoing transactions? – In such cases one could balance accounts on daily transaction volumes like big companies do and reduce risks? (At least some kind of whitelisted recipients and iTAN / mTAN / ChipTAN could help or some kind of combination…?!)

  11. Joshua

    I used to work for the fraud department at a billpay provider. The practice of prepaid debit cards used in fraud has been going on for several years. I noticed that transition around late 2009 into 2010. Metabank was always a red flag to us. They were quite easy to spot most of the time; payroll or personal. Before I left I began to see all different kinds of prepaid cards being used in attempted fraudulent transfers. They were usually small to medium payments $500 – $2000.

  12. Ron Doe

    How would a live CD stop Zeus from stealing info, or at least running compromised until reset? There are many types of information stealing malware that can operate in memory without any clear signs of infection, even on a live CD system. How often are these machines getting rebooted anyway, a lot of the payment systems I have worked with may go 2-3 weeks between reboots.

    1. JCitizen

      That would assume Zeus were cross platform, which I’m not sure it has reached that state yet. Also attempts by the Trojan to inject into the startup folder, would not work, because Linux doesn’t fly that way. Besides, the minute you reboot, all session operations disappear.

      I’m not saying it is impossible for a cross platform bug like that to capture screen shots, or key-log, I’m just saying that the experts I’ve talked to, who develop for open source, say it would be exceedingly difficult. Most agree, having a vulnerable application on board would make this easier for the attacker; but it is too easy to keep everything updated now.

  13. George K.

    Running of a LiveCD sort of implies some form of Linux or maybe Windows PE and how often will you be patching your LiveCD’s for network borne threats?

    I think this is a bad solution as it shifts responsibility for secure(d) transactions from the Bank to the end-users that will most definately not “standardize” on some wel thought out solution.

    Such a “cop out” is inexpensive for the Bans, implementation wise, but really not what I would expect from a eBanking services.

    It is like webshops not using any (data)protection and (transaction)security and then blaming any fraud on the users. That was never acceptable for webshops and banking sites should be held to a far higher standard than any regular webshop.

    George/

    1. BrianKrebs Post author

      George,

      There are 101 Live CD distributions that have nothing to do with WinPE, and are just live distributions of various Linux installations.

      Also, your comment is misinformed I’m afraid. Using a Live CD doesn’t shift the liability from businesses to banks. Nothing short of a shift in regulation or law is going to do that. Until that happens, it’s not bad advice to urge people to use a Live CD.

      Every single one of the attacks I’ve heard, written or reported about vs. small businesses relied on the victim using Windows. Certainly there are threats and miscreants who attack vulnerabilities in Linux and other OSes that form the basis of Live CDs, but we’re talking about a very small window of vulnerability here, both in terms of time exposure (booting into the live cd and doing your banking and shutting off the computer) and comparatively huge exposure if the user simply uses Windows.

      1. JCitizen

        Totally agree;

        You beat me to it, Brian! 🙂

    2. JCitizen

      I disagree;

      Puppy Linux is very easy to implement, and with the RAM computers come with now, the entire OS can run in RAM alone, and immediately updates all applications upon joining the web. Earlier versions would update, and allow a disk write if you were using RW disks. This is before you even get to a web site where the chance of a drive by could happen.

      I still feel this is the cheapest solution for SMBs, or private individuals who want the best solution for the money, that doesn’t require a lot of sophistication. It is even better to subscribe to regular releases from a reputable online open source, like On-Disk.com.

  14. George K.

    You (/we) may want to see regulatory action to force a change with banks, but really this is a contract issue between the (business) customer and its bank. Businesses should not accept services with inferior security solutions.

    My view on the systems used in the US is limited as I’m in Europe, where secure transaction systems appear to be more the norm than state-side.

    For single, personal, transactions that are input in the browser a LiveCD may be an uncomplicated and securisch way to limit common abuse, but a business will typically use batches for payrolling and invoice payments. You typically won’t be able to run the systems that generate the batches from a LiveCD and the exploits just move “up the chain”, modifying batches on USB media or shared resources now required to transport the batch to the LiveCD station.

    Any system/service that relies on a simple (one-time) authentication mechanism and doesn’t sign transactions is simply 10 years behind the curve.

    Urging people to use LiveCD’s is not a bad thing; I don’t consider it bad advice, but I can’t call it a solution either.

    George/

    1. JCitizen

      I suppose that would depend on the setup. If the interface between the bank and the business is strictly browser driven, and the payroll is bank server side based. Then their would be no difference.

      Of course if the business has payroll on client side software, then their are still alternatives for locking the hard drive for the business, that once installed can give a very safe environment. Steady state is one that is free for XP users. Newer operating systems could go to Faronics or even better solutions from there.

      The only requirement would be to instruct the payroll clerk to limit contact to the bank site only, and shutdown, or reboot between sessions. This without Live CD at all. I’ve seen clients who used this that haven’t had one, malware infection, compromise, or successful network attack in twelve years! One of them, which was a community college used solutions that watch the session between reboots, so that malware cannot go unobserved in session. I shall not reveal the brand name, because their are several good solutions out there and I’m not going to shill for them in this instance. I do not derive any advantage from any company I recommend, as I’m totally independent, and am only interested in the greater good of secure computing. This is why I like Brian’s site!

  15. rb

    Brian – You mentioned that the IT guy was unable to detect the ZeuS infection with several AV scanners (no surprise there). However, an outside forensics expert did find it. What tools / methods did the expert use? I would like to know more about ways to detect this and other similar malware.

    1. George K.

      The disk is scanned “outside” the running (Windows) installation by either booting from a LiveCD or removing the harddrive and attaching it to a secure station to be scanned.

      This is only possible if the disk isn’t encrypted.

      Dr. Web, for example, has a LiveCD (and LiveUSB) available for this purpose. They’re the ones that discovered the “Flashback” Mac OS botnet.

      George/

    2. JCitizen

      Dear rb;

      Please allow me to make a suggestion also. I thank George K. for his input.

      It is my opinion, that Zues and its variants can be detected upon injection to the startup folder. This can be detected in several ways.

      1. WinPatrol
      2. Enisoft anti-malware
      3. Defense+ from Comodo free firewall

      I’m not sure how safe WinPatrol is from manipulation by the malware, but I have confidence in Emisoft’s and Comodo’s solution, because they run at, or near the kernel layer. Manipulation by malware would result in very obvious side effects and alert you none-the-less.

      These solutions need little updating, although whitelists are employed to reduce alerts. I feel Emisoft’s is the best, but then it is not free. Emisoft recently refused to whitelist the German government spyware that was being used for anti-terrorism, so this pretty much shows how well the behavior heuristic module works, and the solid reputation, of the company!

      I derive no advantage in naming these solutions – I am totally independent from any company or person.

Comments are closed.