Your Security Resource

The college-aged woman entered the bank and asked to withdraw $9,900 from an account opened a mere two weeks ago. Both the age of the woman and the age of the account tipped off the teller that something was odd.

The alertness of the bank teller paid off: The woman was a "money mule," a person unwittingly helping online thieves launder money stolen from hacked bank accounts, says Steve Surdu, vice president of Mandiant, a security firm frequently called in to investigate computer fraud at financial firms.

"The teller thought there was no way that the person had that kind of money," says Surdu, who declined to provide further details of the incident. The bank managed to prevent the woman from withdrawing the money, most of which would have been sent overseas to the criminals who had hired her.

The incident is an uncommon victory for banks in preventing electronic transfers from compromised bank accounts, which topped $120 million in the third quarter of 2009. While financial institutions have reduced losses from other types of cybercrime -- such as credit card fraud -- money stolen from compromised accounts has skyrocketed in the last year, according to the Federal Depository Insurance Corp. (FDIC), which insures the money in Americans’ savings and checking accounts.

One reason for the cybercriminals’ success is that they have found a way to circumvent the protections offered by extra security measures required of all U.S. banks. Rather than attempt to connect to a bank account from a computer located in a foreign country, online thieves now focus on compromising the account holder's computer and commanding the system to transfer the money on their behalf.

While banks typically flag funds that are transferred abroad for extra scrutiny, money mules (the nickname resembles what people who carried drugs across national borders are called) can handle the transfers without, much of the time, setting off digital alarms and help “carry” illicit funds to another country.

“In the current criminal ecosystem, money mules are a rampart between the criminals -- the gang leaders -- and the police,” says Francois Paget, a senior malware researcher in the labs of security software firm McAfee. "They are ... the indispensable local agents needed in this international offense."

Too good to be true
Most money mules are unwitting accomplices. Typically, a gang of cybercriminals will set up a fictional company online and send out millions of emails offering recipients the ability to work at home and make money in “hours per week.”

In his own research, Paget found that work-at-home offers that were almost certainly money mule scams had more than quadrupled between 2005 and 2008. The number of money mules is hard to estimate, but the FBI found that small businesses -- whose money is not protected by the FDIC in the same way as consumers’ savings -- lost more than $100 million in the first nine months of last year.

"The mules are directed to open personal or business bank accounts to receive the fraudulent money transfers," the FBI stated in a report. "Often within a couple days or even hours of opening the accounts, the money is deposited and the mule is directed to immediately forward a portion of the money to subjects overseas, typically to Eastern Europe, via wire transfer services, including Western Union and Moneygram."

With unemployment close to 10 percent, work-at-home scams tend to snare more people. "This has hit during a time of high unemployment, and that has been a bonus for the bad guys," says Kevin Haley, a director of security response at Symantec.

In July 2009, for example, money mules helped cybercriminals digitally rob a West Virginia bank. The online thieves transferred almost $50,000 to five people who agreed to help them transfer the money using Moneygram and Western Union. One of the recipients suspected the job might not be legitimate but did it anyway, pocketing more than $500, according to a report on KrebsOnSecurity.

"I’m a senior citizen on a fixed income, and I hate to say it, but I did make some good money," the woman told the site. "I knew it was too good to be true after making that doggone much money in one day, but it helped me out a lot."

Don't be mulish
The promise of easy money can prove too much in the current bad economy -- making $700 or $800 in a few hours seems like a dream. Many of the people who accept positions from cybercriminals do not look too critically at the job because they desperately need the money, says Symantec's Haley.

"I don't want to read too much into the psychology of these people, but they are probably thinking, 'There is no harm to me, so why should I not do it?'" he says. "Yet, you are involved in the commission of the crime, and the fact is, you are the easiest to catch."

Yet, money mules are the first to be caught in such fraudulent transactions. The individual or company that noticed their money is missing reports the transactions to their bank, which then tracks down the transfers to the money mules' accounts. In most cases, the police do not prosecute, but the unwitting accomplice must still return all the money.

"The general public must know that, even if he has nothing to do with the actual theft of funds from another person's online bank account, by allowing his account to be used to receive and transfer such funds, he will be acting illegally," says McAfee's Paget.

In the security world, there is a saying: "Trust but verify." Job seekers should follow that advice, says Paget. Unsolicited emails that ask the recipient to become a "financial manager" or "money transfer agent" should be treated suspiciously.

"When you start verifying if the companies involved in these offers are who they say they are, you rapidly come up against a brick wall," he says.

While everyone should avoid becoming a money mule, preventing the effectiveness of the accomplices is a task best left up to banks. While security technology -- such as anomaly detection -- exists for banks to detect the current tactics of cybercriminals, many refrain from implementing the techniques because the technology is too expensive or hindering the flow of money could hurt business.

"We are seeing organizations get a better handle around their electronic funds transfers," says Mandiant's Surdu.

Copyright (c) 2010 Studio One Networks. All rights reserved.