Cybercriminals are using ‘intelligent’ Trojan downloaders to steal money from bank accounts and use money mules to pass it on.
Finjan's Malicious Code Research Centre (MCRC) claimed that the tactics are part of a new trend in which functionality is designed to minimise detection by the traditional anti-fraud technologies used by banks.
It found that cybercriminals used compromised legitimate websites as well as fake websites, utilising the crimeware toolkit LuckySpoilt to infect visitors. After infection, a banking Trojan was installed on the victims' machines and started communication with its command & control (C&C) server for instructions.
These instructions included the amount to be stolen from specific bank accounts and to which money mule accounts the stolen money should be transferred. Furthermore, the Trojan forged onscreen bank statements concealing the true transaction amount to dupe the account holders and their banks.
Bank accounts in Germany were specifically targeted, with the C&C server hosted in Ukraine.
Yuval Ben-Itzhak, CTO of Finjan, claimed that what was distinctive about this is that it works within the browser and waits until you log in to your banking site before checking the balance. As an ‘intelligent’ Trojan, it is able to make its own decision on how much money to steal, and it makes all efforts to avoid detection.
A report also claimed that cybercriminals are hiring ‘mules' by falsely telling them they are working for a legitimate business. These bank account owners, or mules, are normally unaware that they are muling stolen money, but think that they are being paid for working from home and other moneymaking schemes.
Once a mule is hired by the cybergang, the stolen money is transferred to his/her bank account. Later on, the mule is asked to transfer the stolen amount - after deduction of his or her commission - to a bank account provided by the cybergang.
To avoid triggering warning signs in the bank's anti-fraud systems, the money mule accounts are used only a limited number of times within a certain timeframe. Since banks monitor large bank transfers, the amount of money deposited in a money mule account is predefined in order to stay under the radar.
Finjan's research found that in a 15-day period in August, the cybergang stole a total of €193,606, or about €12,000 a day, and after a four-day break a further €42,527 was stolen. Finjan estimated that a total of around €300,000 was stolen in just 22 days, and on an annual basis, this cybergang could make close to €5 million.
Ben-Itzhak said: “With the combination of using sophisticated Trojans for the theft and money mules to transfer stolen money to their accounts, they minimise their chances of being detected. In this case, the specific criteria that the Trojan received from its command and control centre marks a whole new level of cybercrime sophistication in the techniques used by cybercriminals. Using these methods they successfully evade anti-fraud systems that banks deploy – we dubbed it the anti anti-fraud.
“We encourage people to use technologies and try logging in from different computers. We have seen that once it transfers money out it usually does not hit the same account more than twice. About ten years ago we saw Zeus appear and we believe that it will become very popular in a relatively short time.”