
The Zeus Trojan is a favorite of muleskinners.
Money muling, until recently, has been used by information highwaymen to prey on unwitting consumers. Muleskinners had modest goals. Their scams ranged from $200 to $2000. Their targets were consumers with more greed than sense. Recent muling patterns, however, indicate that these fraudsters are expanding their ambitions and hatching cons to snatch larger amounts from small businesses.
- In May, a Texas company was clipped of $1.2 million with the help of some 40 “mules.”
- In July, muleskinners in Ukraine skimmed $415,000 from the accounts of Bullitt County, Ky. The county realized something was askew when it found that unauthorized wire transfers of $10,000 or less were being made from its payroll coffers to the accounts of at least 25 people across the country. In the United States, money transfers must exceed $10,000 before they are subject to special reporting requirements under the Bank Secrecy Act of 1970.
- In September, Downeast Energy & Building Supply, a heating and hardware firm in Brunswick, Maine, saw $200,000 disappear from its online bank account, siphoned into the accounts of at least 20 individuals nationwide.
- This month, the Pease Development Authority, the agency that manages ports in the Portsmouth, N.H., area, discovered about $100,000 in transfers instigated by muleskinners.
- Also this month, thieves attempted to transfer $87,000 from the accounts of the St. Isidore Catholic Church in Danville, Calif., to about a half dozen mules, but were thwarted when the church’s bank blocked the transfer.
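The Bullitt County pattern, many transfers from one payroll account to previously unseen payees, each kept at or under the $10,000 reporting line, is something a bank or a finance team can look for in its own outbound-transfer logs. The following is an added example, not code from the original article or from any bank; the transfer records, account names and payee identifiers are constructed, and the window and payee-count cut-offs are assumed tuning values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real transactions): one payroll account that
# normally pays a few known payees, then sends a burst of sub-$10,000
# transfers to payees it has never paid before.
TRANSFERS = [
    # (timestamp, source account, destination account, amount in USD)
    ("2009-07-01T09:02:00", "payroll-01", "ACH-100001", 4_200.00),
    ("2009-07-01T09:03:00", "payroll-01", "ACH-100002", 3_950.00),
    ("2009-07-02T01:10:00", "payroll-01", "ACH-900417", 9_850.00),
    ("2009-07-02T01:12:00", "payroll-01", "ACH-900532", 9_900.00),
    ("2009-07-02T01:15:00", "payroll-01", "ACH-900611", 9_700.00),
    ("2009-07-02T01:19:00", "payroll-01", "ACH-900780", 9_975.00),
    ("2009-07-02T01:22:00", "payroll-01", "ACH-900803", 9_600.00),
    ("2009-07-02T01:30:00", "payroll-01", "ACH-900914", 9_800.00),
    ("2009-07-02T10:00:00", "vendor-02", "ACH-100009", 12_500.00),  # ordinary, over the line
]

# Payees each account has paid before (constructed baseline).
KNOWN_PAYEES = {
    "payroll-01": {"ACH-100001", "ACH-100002", "ACH-100003"},
    "vendor-02": {"ACH-100009"},
}

REPORTING_THRESHOLD = 10_000.00  # transfers above this trigger reporting


def flag_structuring(transfers, known_payees, threshold=REPORTING_THRESHOLD,
                     near_fraction=0.9, window=timedelta(hours=24),
                     min_new_payees=5):
    """Flag accounts that send a burst of transfers to previously unseen
    payees, each kept just under the reporting threshold, within one window.

    Returns one alert dict per offending source account.
    """
    by_source = {}
    for ts, src, dst, amt in transfers:
        by_source.setdefault(src, []).append((datetime.fromisoformat(ts), dst, amt))

    alerts = []
    for src, rows in by_source.items():
        rows.sort()
        seen = known_payees.get(src, set())
        # Keep only "near-threshold transfer to a new payee" events.
        suspicious = [(t, dst, amt) for t, dst, amt in rows
                      if dst not in seen and near_fraction * threshold <= amt <= threshold]
        # For each starting event, extend the window as far as it reaches and
        # count distinct new payees inside it.
        for start in range(len(suspicious)):
            end = start
            while (end + 1 < len(suspicious)
                   and suspicious[end + 1][0] - suspicious[start][0] <= window):
                end += 1
            burst = suspicious[start:end + 1]
            payees = {dst for _, dst, _ in burst}
            if len(payees) >= min_new_payees:
                alerts.append({
                    "source": src,
                    "window_start": burst[0][0].isoformat(),
                    "new_payees": len(payees),
                    "total": round(sum(amt for _, _, amt in burst), 2),
                })
                break  # one alert per account is enough for a review queue
    return alerts


if __name__ == "__main__":
    for alert in flag_structuring(TRANSFERS, KNOWN_PAYEES):
        print(alert)
```

The check deliberately keys on distinct new payees rather than on total dollars: a legitimate payroll run also moves a lot of money, but it moves it to people the account has paid before. Running the sample produces a single alert for payroll-01 covering six new payees and $58,825.00 in a twenty-minute window, while the ordinary $12,500 vendor payment is ignored.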
A key component of these scams is the money mule. Mules are individuals recruited through blind employment ads posted on the Internet or through spam mailings. On some occasions, mules have been initially recruited as copy editors and proofreaders hired at minimum wage to clean up the spam letters used to recruit more mules. When pressed for payment for the editing work, a muleskinner will attempt to recruit the editor as a “local agent” for transferring money.
As local agents, the mules are told to set up accounts at their local bank into which the fraudsters can transfer money. When money is deposited into the accounts, the mules are instructed to retain a percentage of it for themselves and to wire the rest to the muleskinners.
Once the scam is discovered, a bank will usually freeze the mule’s account and squeeze him or her for the money transferred to the cybercrooks.
One malware program popular among muleskinners is the Windows-based Zeus Trojan, also known as Zbot. It collects data from a network of “zombie” computers infected by the dirty software. After taking up residence in a computer, Zeus immediately nicks the credentials of the machine’s user and sends them via instant messaging to the botnet administrator.
It also establishes a direct connection with the target’s computer so malefactors can perform their misdeeds directly through their victim’s Internet connection. That’s an indication that these thieves are savvy hackers and not mere script kiddies. One security precaution taken by banks is to check the IP addresses of customers performing transactions on their systems. A red flag is raised when an oddball address appears outside the geographic range typically associated with a particular username and password. By performing their mischief through the user’s own IP address, a Net miscreant can bamboozle a bank’s security system into thinking everything is copacetic.
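The IP-address precaution described above, and the reason it is not enough on its own, can be shown in a few lines. This is an added example, not the article’s code or any bank’s actual fraud system; the prefix-to-region table, the usernames and the login history are constructed, and the decision labels are assumptions.

```python
import ipaddress

# Constructed prefix-to-region table (hypothetical; real systems use a
# geolocation database). Documentation ranges are used so no real network is named.
PREFIX_REGIONS = [
    (ipaddress.ip_network("203.0.113.0/24"), "US-TX"),
    (ipaddress.ip_network("198.51.100.0/24"), "US-KY"),
    (ipaddress.ip_network("192.0.2.0/24"), "UA"),
]

# Constructed login history: regions seen for each username over recent sessions.
BASELINE = {
    "acct-bullitt": ["US-KY", "US-KY", "US-KY"],
}


def region_of(ip):
    """Map an address to a coarse region, or UNKNOWN if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, region in PREFIX_REGIONS:
        if addr in net:
            return region
    return "UNKNOWN"


def score_session(username, ip, baseline=BASELINE, min_history=3):
    """Decide how to treat a login from `ip` for `username`.

    Returns (decision, region): "allow" when the region matches the user's
    history, "step-up" (extra verification) when it does not, and "review"
    when there is too little history to judge.
    """
    region = region_of(ip)
    history = baseline.get(username, [])
    if len(history) < min_history:
        return ("review", region)
    if region in set(history):
        return ("allow", region)
    return ("step-up", region)


if __name__ == "__main__":
    # A login from the customer's usual prefix passes; one from abroad is challenged.
    print(score_session("acct-bullitt", "198.51.100.7"))   # ('allow', 'US-KY')
    print(score_session("acct-bullitt", "192.0.2.55"))     # ('step-up', 'UA')
    # The article's point: a session relayed through the infected customer
    # machine arrives from 198.51.100.x and is scored exactly like the first call.
    print(score_session("acct-bullitt", "198.51.100.7"))   # ('allow', 'US-KY')
```

The third call is the whole problem in one line: traffic relayed through the victim’s own connection carries the victim’s own address and region, so this check alone cannot tell the two apart. It is still worth running, because it catches the careless case, but it has to be paired with signals the attacker cannot borrow from the victim, such as new-payee and transfer-velocity checks on the account itself.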
The Trojan also contains another malevolent twist aimed at giving the Black Hats more time to make their getaway. It’s called the KOS, or Kill Operating System, command. It allows a botmaster to crash a system on his or her network. The crash can be used to divert the user’s attention from online activity and embroil the user in local troubleshooting.
While crashing a system can gain a cracker some time, it does call immediate attention to itself and hence, immediate action. A more subtle switch included in the KOS tool will trash the Windows directory of a machine during an active session. Windows registry changes don’t take effect until a computer is restarted. When finishing his or her work for the day, the user will turn off his or her computer. That night, the thief performs his dirty work. In the morning, the user turns on his or her computer and when the corrupted registry attempts to load, nothing happens. It could be hours before the problem is identified and solved, and the user gets back online to check account activity.
The signs that muleskinners are seeking bigger game for their shenanigans are not good ones for companies that manage their finances online, nor are they good for naive mules who, instead of being the victims of a petty crime, are becoming accomplices in grand larceny.


