The case of the fake money-mules: Inside the URLZone Trojan network


Summary: Security researchers tracking the URL Zone malware/botnet have stumbled upon a new tactic being used by cyber-criminals to hide information on the money mules being used to transfer stolen funds from compromised online bank accounts.



URLZone, which targets computer users in Western Europe, is a botnet of approximately 6,000 hijacked computers that is used primarily to siphon funds from online bank accounts. It steals between $4,000 and $15,000 from each compromised bank account and uses a nifty trick of modifying the withdrawn amount on the bank's web site to avoid detection by the user.

If that was not clever enough, researchers at the RSA FraudAction Research Lab say the malicious hackers are now generating false data on the money mules to block the good guys from reporting accurate information to financial institutions and law enforcement agencies.

Aviv Raff, who heads up the RSA FraudAction Research Lab, said the URLZone gang realized they were being monitored by white hat researchers and started taking proactive measures to prevent their mule accounts from being exposed.

Raff explains:

One of the ways to extract mule accounts is infecting a computer with a Trojan and initiating a transaction, at which point a fraudster can see the mule account retrieved by the Trojan from its command and control (C&C) server. In order to try to foil anti-fraud security researchers (like us) looking to identify real mule accounts, fraudsters invented the “fake mules” method. The fraudsters check if the computer used by the researcher is part of the “legitimate” botnet of URLzone-infected machines. If the computer is deemed to be a “foreign” one – in other words, if the criminals do not know the computer – they deliver a fake mule account to the computer used by the researcher. This is the way they prevent their real mules from being exposed.

To fulfill this task, the criminals behind URLZone added a special server-side code that prevents the extraction of the gang’s genuine mule accounts. Instead of displaying the details of URLZone’s genuine mule accounts, this piece of code delivers the details of legitimate accounts that do not belong to the gang’s mules. The code is clearly URLZone’s most unique attribute, and speaks to its operators’ caution against having their criminal pipelines compromised.

Raff said the “fake mules” method was conceived in order to ensure that the Trojans’ real mule accounts are not exposed and subsequently blocked.

Raff explained that the new twist on blocking money-mule data extraction adds to a highly-organized theft scheme which combines man-in-the-browser attacks with money mules to deplete online banking accounts.

He said the Trojan used in the attacks now has the ability to determine whether the computer that is trying to retrieve the money mule data from the command-and-control server is in fact an infected computer within the botnet.

"If an unknown PC accesses the command and control server, a mule account is retrieved from a list of more than 400 (and counting) non-mule accounts in order to deceive the entity attempting to harvest them," Raff said.

In order to establish whether a machine is part of its “legitimate” botnet of infected machines, URLZone performs a long series of various tests. For example, one of these tests consists of checking the Trojan ID, or unique identification code, assigned by URLZone to each infected computer (see image below). If the ID is not a valid Trojan ID, the command & control server responds by providing the details of a non-mule account through the GenerateFalseDrop function.


"When researchers attempt to initiate a wire transfer from an infected computer in an attempt to trace genuine mule accounts, URLZone can identify that the machine is not really part of its botnet and it then calls upon the GenerateFalseDrop function," Raff explained. "Each time the function is called, it retrieves a non-mule account from a large list of accounts."

When generating a non-mule account to dupe the law enforcement researchers, the Trojan actually displays real bank account details that were previously entered by URLZone victims as the payees of legitimate transactions.

The details of these payee accounts are screened by the Trojan according to various criteria to determine whether they should be added to the list of fake mule accounts. As long as PCs are infected with the Trojan, and victims continue to initiate online wire transfers, URLZone continues to replace payee details through MITB attacks and is growing a longer and longer list of fake mules.
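As an added example (not code from the article, from RSA, or from the URLZone operators), the following Python toy models the server-side check just described and derives two analyst-side checks from it: a requester whose repeated queries keep returning a different account is seeing decoy generation rather than a stable drop, and any returned account that also appears as a payee in victims' own legitimate transfer records should not be reported to a bank as a mule. The class and function names, the round-robin decoy order, the ID format and every account number and log row are assumptions constructed for the illustration.

```python
"""Toy model of the decoy-account ("fake mule") behaviour described above,
with two analyst-side checks. Added illustration, not URLZone code or RSA
tooling; every ID, account number and log row below is constructed."""
from dataclasses import dataclass, field


@dataclass
class ToyCnC:
    """Stands in for the C&C server-side check: only a request carrying a
    Trojan ID the botnet itself issued gets the real mule record; any other
    requester is answered from a pool of decoy accounts (assumed structure)."""
    valid_ids: set
    real_mule: str
    decoy_pool: list
    _next: int = field(default=0, repr=False)

    def generate_false_drop(self) -> str:
        # Named after the function the article mentions. The real selection
        # order is not described; round-robin over the pool is an assumption.
        account = self.decoy_pool[self._next % len(self.decoy_pool)]
        self._next += 1
        return account

    def mule_for(self, trojan_id: str) -> str:
        if trojan_id in self.valid_ids:
            return self.real_mule
        return self.generate_false_drop()


def assess_responses(responses: list, min_queries: int = 5) -> str:
    """Analyst heuristic: one requester asking repeatedly and receiving a
    different account each time behaves like the decoy generator; a single
    stable account is at least consistent with a genuine drop."""
    if len(responses) < min_queries:
        return "insufficient"
    return "stable" if len(set(responses)) == 1 else "varying"


def accounts_seen_as_victim_payees(responses: list, victim_transfer_log: list) -> list:
    """Cross-check: decoys are described as real payees that victims entered
    for legitimate transfers, so any returned account that also appears as a
    payee in victims' own transfer records must not be reported as a mule."""
    payees = {row["payee"] for row in victim_transfer_log}
    return sorted(set(responses) & payees)


# Constructed sample data (placeholders, not real identifiers).
VICTIM_TRANSFER_LOG = [
    {"victim": "host-01", "payee": "ACCT-PAYEE-0001", "amount": 120.00},
    {"victim": "host-02", "payee": "ACCT-PAYEE-0002", "amount": 45.50},
    {"victim": "host-03", "payee": "ACCT-PAYEE-0003", "amount": 980.00},
]

CNC = ToyCnC(
    valid_ids={"TID-BOT-0001", "TID-BOT-0002"},
    real_mule="ACCT-MULE-PLACEHOLDER",
    decoy_pool=[row["payee"] for row in VICTIM_TRANSFER_LOG],
)


def run_demo(trojan_id: str, queries: int = 6) -> dict:
    """Query the toy C&C `queries` times with one ID and summarise what an
    analyst would conclude from the answers."""
    answers = [CNC.mule_for(trojan_id) for _ in range(queries)]
    return {
        "answers": answers,
        "assessment": assess_responses(answers),
        "matches_victim_payees": accounts_seen_as_victim_payees(answers, VICTIM_TRANSFER_LOG),
    }


if __name__ == "__main__":
    print("botnet member :", run_demo("TID-BOT-0001"))
    print("foreign host  :", run_demo("TID-FOREIGN-9999"))
```

The two checks are deliberately independent: the consistency check needs only the analyst's own query history, while the payee cross-check needs victim-side transaction records, which is exactly the data a bank or incident responder holds and the C&C operator does not.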

For more on URLZone, see this report (.pdf) from Finjan Security.

  • Security Evangelist

    Hi, boy I sure wish people would stop using the word Evangelist in the wrong way. An Evangelist is someone who preaches the Gospel of Jesus Christ, not a secular title at all. Wikipedia recently removed the secular definition and Webster is researching it. Evangelist is from the Greek and has one Christian meaning. Microsoft is doing the same thing. As for the article, make sure you have very good rootkit removing Antimalware protection to prevent your computer becoming a criminal bot system.
    • Re: Evangelist

      Ever hear of a metaphor, buddy?

      Talk about inflexible thinking!
  • Prevention is key.

    Best way to fight stuff like this? Prevent machines from becoming bots in the first place.
  • Agree Prevention, but just an idea

    I agree Prevention is it, but just an idea. If every PC looked like a researcher machine, then that would protect those PCs. Of course, until they find a new way.
  • Just make money mules more "visible"

    In Canada, if you want to make an international money transfer, you are required to come to a branch and do it in person; you cannot transfer money overseas by online banking.

    It makes money mules much more visible and increases the chance of them to be discovered. Maybe European banks should do the same.
    • funny thing

      The whole online banking thing is supposed to be secured and unsusceptible to trojans, key loggers et al. It is this very thing that is told to customers of many high street when they are given online banking access. The problem is not that the criminals are so clever; the problem is that the banks who provide the services lie about their services and their effectiveness. Additionally, the poor unsuspecting individuals who fall prey to these attacks are not even alerted to the possibility they might have been until it is way too late to do anything about it.

      If banks actually told the truth and supplied data in real time (let's face it, an electronic transfer of funds should take no longer to appear in the receiver's account than it takes for an email to be delivered) then most if not all of this kind of attack would be pointless.

      No, the only thing this highlights is that as per usual banks are full of robbing, lying, money laundering twats who enable this kind of crime by sticking to out of date business models and practically prehistoric practices given the equipment in use today.

      I applaud the fact that there are pro criminals who attempt to act as police informers in these matters, but let's face it, the only reason this has even come to light is because some poor individual got zapped and his bank told him to "buzz off, not their problem". Meh, if the world were only to work the way the politicians and the law makers would have us believe it's supposed to, this would never be possible.
  • RE: The case of the fake money-mules: Inside the URLZone Trojan network

    Of course there are four main ways to prevent this:

    1. Run a powerful anti-virus / anti-malware tool. For example, NOD32 (and SmartSecurity) by ESET have never missed a virus for years during rigorous testing by the people at Virus Bulletin. McAfee, Norton, have missed viruses and Trojans in the past where NOD32 has not.
    2. Do not run a standard web browser. For example, IE and Firefox are most likely compatible with certain attacks, while Opera, a more obscure browser, is not.
    3. Use two factor authentication for your financial sites. For example, RSA SecurID tokens are issued to account holders at eTrade upon request. If someone wants to log in to an eTrade account, they need to have both the password, which can be stolen by a Trojan, and the random, ever changing code from the token on your keychain (which cannot, obviously, be stolen by a Trojan horse program or virus).
    4. For even more protection, make certain that your computing platform is not susceptible to the huge majority of viruses and Trojan horses out there. As such, please switch to using Linux or Mac OS X.

    The middle two techniques can be applied no matter the platform OS you are running on, giving you even more security.

    Keep in mind, security through obscurity is still security. Being "the invisible man" gives you many advantages.

    Best Regards,
  • new approach needed


    I have my own thoughts about how we should be addressing security. I'm curious how far along this path you would agree with me...

    1) The "system" must prevent malicious alterations to the code (OS & apps).

    2) The approach currently being employed is purely software based (AV software, patches).

    3) You can 100% prevent code alterations if you employ hardware write protection.

    4) Conclusion: design a computer that utilizes hardware to protect the code.

    So where in this line of thinking do we diverge?

    • 99% secure means 99% inflexible

      You can't get to 100% security, there is always a human error factor that no machine can correct. And the higher the security level, the more inflexible and unusable the system becomes.

      The banks in the US have a predictable approach to this: provide a minimum of security and put the burden on the user to prove fraud. Most of the online agreement fine print says that it's the user's responsibility to safeguard the account, and that the use of a valid ID and password (by anybody) is proof that it wasn't the bank's fault and you are liable, not them. If your PC is infected, uses your ID and password, and transfers your money to the Russian mob, then it's your problem, not the bank's.

      I have moved most of my money (except for a few hundred dollars to pay unplanned bills) out of accounts that have any online access. Both my banks have branches less than 1/2 mile from my house, and now I have reason to use them.
      terry flores
      • 99% secure means 99% inflexible

        Just to be clear I didn't say that hardware would make the system 100% secure. I said that it could make code 100% safe from overwrites.

  • RE: The case of the fake money-mules: Inside the URLZone Trojan network

    Seriously... the banks can't see that as suspicious activity? Dozens of $5,000.00 transactions coming into a new account, or a newly routed account.

    Well, if it is using "Previous victims", disguised as the "Bad guys"... Now you know where to look for the prior transactions. They just sent you a list of prior victims accounts. I am sure you can see their logs, and find the common denominator.

    It is funny how we can only catch the dumb ones. Yet there is no such thing as a smart one.

    They don't realize... If you see the data, it knows where you are, or it would not have been able to send you the data. You are still connected, nothing is anonymous. Do they really think the ISP's are going to take the blame for holding out on anonymity. It is only anonymous if you are not participating in illegal activity. Otherwise they sing like a baby, when some law official asks who that was.

    The money still has to be physically picked-up, or delivered, or used to purchase things that are picked-up or delivered... Most of the time it is still an inside job. Someone at one of the banks is in on the take.

    Time to start creating Bill-scanners, and tracking where each serialized bill goes. You know, like a check... Which is what a NOTE was originally intended to be. (A bank note/check that can be cashed at any federal branch.)

    They are not stealing dollar bills, they are stealing volumes of large notes. Simply delay all net transactions, crediting where credit is due. (Large companies with 100K in the bank would still be able to borrow without interest, up to the 100K in transactions immediately. Others with less have no choice. They have to wait for the release-date. The funds are there, just not available, and can still be spent... just not extracted. E.g., you could purchase a car, but the car is not released until the money clears. Same with bills. You could pay your electricity, but that just lets them keep it on until the funds clear. (In the event of theft-denial, you would lose power and you would owe, as if you never paid. Only for services that must work like that. You wouldn't get that function buying fast-food or groceries. No available funds is no funds, but unavailable funds are funds that exist, as credit, for services that are willing to take the risk. Usually, they know where you live.)