RSA said Monday it has identified a novel new way that one online gang has cooked up to put cybersleuths off the track, while they drain users’ bank accounts.
The basic technique uses “money mules” — bots set up to extract money from legitimate online bank accounts that communicate with a server which controls them, once they have been compromised.
The recently discovered scheme has been dubbed URLZone, a Trojan that attacks online banking customers, so far only in Germany.
“URLZone Trojan [is] a new type of online banking attack which can steal money from a user’s account while posting a fake account balance so the user, when logged in, is none the wiser,” an RSA spokesperson said in a statement e-mailed to InternetNews.com.
But now RSA says the bad guys have come up with a sophisticated way to trick cybercops into thinking they’ve found an authentic money mule — a computer that’s been stealing money — when they really haven’t, according to a post on RSA’s Speaking of Security blog.
Knocking fake money mules offline fools authorities and leaves real money mules active and producing ill gotten income for the gang.
“Aware of their crimeware being probed and examined, the gang took proactive measures in an attempt to prevent their mule accounts from being exposed by anti-fraud security researchers and law enforcement agencies,” the blog post, by RSA’s FraudAction Research Lab team, said.
“Since the gang’s mule accounts receive money from stolen online banking accounts, their extraction and subsequent blocking effectively stops the stolen funds from going down the fraud supply chain pipeline and into the gang’s pockets. The ‘fake mules’ method was conceived in order to ensure that the Trojans’ real mule accounts are not exposed and subsequently blocked,” the post continued.
While the general technique has been known for a year or more, new reports of how the URLZone Trojan has been evolving emerged last week on Finjan’s Malicious Code Research blog.
Both RSA and Finjan have a track record of helping to track down banking Trojans.
RSA said it has notified all the affected financial institutions.