The case of the fake money-mules: Inside the URLZone Trojan network

Security researchers tracking the URLZone malware/botnet have stumbled upon a new tactic being used by cyber-criminals to hide information on the money mules being used to transfer stolen funds from compromised online bank accounts.
Written by Ryan Naraine, Contributor

URLZone, which targets computer users in Western Europe, is a botnet of approximately 6,000 hijacked computers that is used primarily to siphon funds from online bank accounts. It steals between $4,000 and $15,000 from each compromised bank account and uses a nifty trick of modifying the withdrawn amount on the bank's web site to avoid detection by the user.

If that was not clever enough, researchers at the RSA FraudAction Research Lab say the malicious hackers are now generating false data on the money mules to block the good guys from reporting accurate information to financial institutions and law enforcement agencies.

Aviv Raff, who heads up the RSA FraudAction Research Lab, said the URLZone gang realized they were being monitored by white hat researchers and started taking proactive measures to prevent their mule accounts from being exposed.

Raff explains:

One of the ways to extract mule accounts is infecting a computer with a Trojan and initiating a transaction, at which point a fraudster can see the mule account retrieved by the Trojan from its command and control (C&C) server. In order to try to foil anti-fraud security researchers (like us) looking to identify real mule accounts, fraudsters invented the “fake mules” method. The fraudsters check if the computer used by the researcher is part of the “legitimate” botnet of URLZone-infected machines. If the computer is deemed to be a “foreign” one – in other words, if the criminals do not know the computer – they deliver a fake mule account to the computer used by the researcher. This is the way they prevent their real mules from being exposed.

To fulfill this task, the criminals behind URLZone added a special server-side code that prevents the extraction of the gang’s genuine mule accounts. Instead of displaying the details of URLZone’s genuine mule accounts, this piece of code delivers the details of legitimate accounts that do not belong to the gang’s mules. The code is clearly URLZone’s most unique attribute, and speaks to its operators’ caution against having their criminal pipelines compromised.

Raff said the “fake mules” method was conceived in order to ensure that the Trojans’ real mule accounts are not exposed and subsequently blocked.

Raff explained that the new twist on blocking money-mule data extraction adds to a highly-organized theft scheme which combines man-in-the-browser attacks with money mules to deplete online banking accounts.

He said the Trojan used in the attacks now has the ability to determine if the computer that is trying to retrieve the money mule data from the command-and-control server is in fact an infected computer within the botnet.

"If an unknown PC accesses the command and control server, a mule account is retrieved from a list of more than 400 (and counting) non-mule accounts in order to deceive the entity attempting to harvest them," Raff said.

In order to establish whether a machine is part of its “legitimate” botnet of infected machines, URLZone performs a long series of various tests. For example, one of these tests consists of checking the Trojan ID, or unique identification code, assigned by URLZone to each infected computer (see image below). If the ID is not a valid Trojan ID, the command & control server responds by providing the details of a non-mule account through the GenerateFalseDrop function.


"When researchers attempt to initiate a wire transfer from an infected computer in an attempt to trace genuine mule accounts, URLZone can identify that the machine is not really part of its botnet and it then calls upon the GenerateFalseDrop function," Raff explained. "Each time the function is called, it retrieves a non-mule account from a large list of accounts."

When generating a non-mule account to dupe the law enforcement researchers, the Trojan actually displays real bank account details that were previously entered by URLZone victims as the payees of legitimate transactions.

The details of these payee accounts are screened by the Trojan according to various criteria to determine whether they should be added to the list of fake mule accounts. As long as PCs are infected with the Trojan, and victims continue to initiate online wire transfers, URLZone continues to replace payee details through MITB attacks and is growing a longer and longer list of fake mules.
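One way a fraud-intelligence team could vet harvested "mule" accounts in light of the behaviour described above, written here as an added illustration that is not code from the article, RSA or Finjan. It assumes the analyst records which Trojan ID each probe presented and whether that ID belongs to a genuine infection, and has a list of accounts already seen as payees in victims' legitimate transfers; the account strings, IDs and the two-sighting threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One 'mule account' record returned by the C&C during a probe session."""
    account: str          # payee account the C&C handed out (constructed IDs below)
    trojan_id: str        # Trojan ID the probing machine presented
    id_is_enrolled: bool  # analyst's assessment: ID belongs to a genuine infection

def classify_harvested_accounts(observations, known_legit_payees):
    """Map each harvested account to 'likely_decoy', 'likely_mule' or 'unconfirmed'.

    Rules follow the article: decoys are real victim payees, and they are what
    the C&C serves to machines it does not recognise as part of the botnet.
    """
    served_to_enrolled, served_to_unknown = {}, {}
    for obs in observations:
        bucket = served_to_enrolled if obs.id_is_enrolled else served_to_unknown
        bucket.setdefault(obs.account, set()).add(obs.trojan_id)
    verdicts = {}
    for account in set(served_to_enrolled) | set(served_to_unknown):
        if account in known_legit_payees:
            verdicts[account] = "likely_decoy"   # matches a legitimate payee
        elif account not in served_to_enrolled:
            verdicts[account] = "likely_decoy"   # only ever served to unknown IDs
        elif len(served_to_enrolled[account]) >= 2:
            verdicts[account] = "likely_mule"    # consistent across enrolled bots
        else:
            verdicts[account] = "unconfirmed"    # one enrolled sighting is not enough
    return verdicts

# Constructed sample data; the account strings and IDs are placeholders.
SAMPLE_OBSERVATIONS = [
    Observation("ACCT-PLACEHOLDER-1", "bot-A1", True),
    Observation("ACCT-PLACEHOLDER-1", "bot-B2", True),
    Observation("ACCT-PLACEHOLDER-2", "probe-X9", False),
    Observation("ACCT-PLACEHOLDER-3", "bot-A1", True),
    Observation("ACCT-PLACEHOLDER-4", "bot-B2", True),
]
SAMPLE_LEGIT_PAYEES = {"ACCT-PLACEHOLDER-3"}  # seen as payee in a victim's real transfer

def run_sample():
    return classify_harvested_accounts(SAMPLE_OBSERVATIONS, SAMPLE_LEGIT_PAYEES)

if __name__ == "__main__":
    for account, verdict in sorted(run_sample().items()):
        print(f"{account}: {verdict}")
```

Accounts flagged "likely_decoy" should not be reported to banks or law enforcement as mules, since by the gang's design they belong to uninvolved payees.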

For more on URLZone, see this report (.pdf) from Finjan Security.
