Cybercriminals have attempted to steal $100 million from small- and medium-sized businesses in so-called money mule scams, according to an intelligence note issued Wednesday by the FBI's Internet Crime Complaint Center (IC3).
Every week, the FBI receives new victim complaints and opens new cases about these crimes, which often involve sophisticated banking trojans being placed on victim PCs. This enables the perpetrators to siphon corporate online banking credentials and then transfer or wire money out of the account, IC3 said in its intelligence note.
The scams most often begin when a targeted email containing a malicious attachment or a link to an infected site is sent to an individual who handles financial transactions on behalf of the business, the FBI said. The emails appear legitimate and might appear to be sent from someone the individual knows.
In one instance, the messages looked like they were coming from Microsoft, falsely informing the user of a critical update that needed to be installed.
The goal is to infect the user's PC with malware containing keyloggers that harvest corporate online banking credentials. Cybercriminals then use the stolen credentials to transfer or wire funds from the company's account.
Generally, the transfers are less than $10,000 to avoid tipping off banks' fraud detection systems, the FBI said. The transfers are directed to the accounts of "money mules," individuals who are recruited online through "work-at-home" ads. The mules are directed to keep a portion of the money for themselves, then wire the rest to individuals overseas.
The majority of victims have been small- to mid-size businesses, municipal governments and school systems around the country, with the majority of victim organizations holding bank accounts at local community banks and credit unions, the FBI said. Often victims have posted organizational charts on their websites, which enables criminals to easily figure out who in the company handles financial transactions.
More than two dozen pieces of malware have been used to perpetrate these scams, the FBI said. One trojan, called URLZone, enabled cybercriminals to steal roughly $439,000 from German bank accounts during a recent 22-day crime spree, according to researchers at web security firm Finjan.
The FBI also discovered that schemes were furthered because financial institutions or their third-party providers did not have proper information security defenses in place.
"In several cases, banks did not have proper firewalls installed, nor anti-virus software on their servers or their desktop computers," the IC3 intelligence note said.
In one case, attackers launched a distributed denial of service (DDoS) attack against a bank's third-party transaction processor, which prevented the bank from recalling the fraudulent transfers before the stolen funds were withdrawn, the note stated.