Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.
Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money. They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments. In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.
But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and to stay under the $10,000 threshold at which U.S. banks must file a currency transaction report on cash withdrawals), cyber crooks usually send less than $10,000 to each mule. In other words, for every $100,000 that the thieves want to steal, they need to have at least 10 money mules at the ready.
In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.
Thus, the average mule is worth at most about $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40 and 50 percent of the fraudulent transfer amounts for their trouble. Not only are mules expensive to acquire, they often take weeks to groom before they’re trusted with transfers.
But these mules also come with their own, well, baggage. I’ve now interviewed more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, which gives the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.
In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules. For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.
Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores. Most of these low-value cards cannot be reloaded until the cardholder registers the card online and provides identity information that the prepaid card issuer can tie to a real person with a credit history. Once the card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.
“The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division. “We do checks against different public resources like Experian and LexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”
The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked. Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.
Six days later, the thieves set up a batch of fraudulent payroll payments, sending instructions to Alta East’s bank to fund 15 Metabank prepaid cards; the remainder of the funds apparently were sent to traditional money mules at locations around the country.
“The emails came from a legitimate customer, and we thought he was questioning an invoice,” Weeden said. “There were four of us who hit that attachment. Afterwards, we asked the customer about the email, but he said he hadn’t sent it.”
Weeden said Alta East’s in-house IT staff scanned her machine with six different antivirus tools, but the scans turned up no evidence of infection. It wasn’t until the company hired an outside forensics expert, who removed the hard drive and examined it offline in an isolated environment rather than from within the running operating system, that the ZeuS infection was found.
The thieves didn’t route their fraudulent logins to Alta East’s bank account through the company’s systems; rather they proxied the traffic through the networks of the Center for Discovery, a rehabilitation facility for disabled individuals that is located in nearby Harris, N.Y. The center did not return calls seeking comment.
Rick Jones, executive vice president of business services at Alta East’s financial institution, Provident Bank, said the bank followed its agreement with Alta East, and sent the company an email about the fraudulent payroll batch the very day it was initiated. But Jones said that Alta East admitted to overlooking the notification until the following morning. By that time, most of the unauthorized transfers had already gone through.
Weeden said Provident was able to retrieve roughly $20,000 worth of illicit transfers from mule accounts, and that it expected to recover another $21,000 in the coming weeks. She added that her firm is in the process of setting up a system whereby online banking is done only from an isolated computer that will not be used for email or regular Internet browsing. Still, the company is facing an $80,000 loss from the incident.
It remains to be seen whether cyber thieves continue shifting more of their operations from traditional mules to prepaid debit accounts. I’ve talked to a number of victims who lost more than $100,000 but noted that the thieves left several hundred thousand dollars untouched in the company’s accounts. “Why would they leave so much money on the table like that? Why not just take it all?” the victims usually ask. The answer? Just as real life bank robbers are limited in the amounts they can steal by the volume of cash they can physically haul from the scene of the crime, so are cyber thieves. Usually, the thieves simply did not have access to enough mules to help them haul all of the available loot. That limitation is eased if they start depending more on prepaid cards, an entire stack of which can fit easily into a single miscreant’s wallet.
There are a few things worth calling out from the above story, and every business owner would do well to consider them closely:
- eBanking losses are likely to increase if thieves continue to find success with the prepaid card approach, because the cash-out step no longer scales with the number of mules they can recruit.
- Today’s cyber thieves are patient and willing to jump through multiple hoops to steal your money.
- Clicking on links and email attachments continues to be a risky activity, even when the links and attachments appear to come from someone you know or trust. In the Alta East case, the message appeared to come from a legitimate customer.
- Traditional antivirus tools have an atrocious record in detecting ZeuS and its ilk. If you suspect a machine is compromised, you cannot trust a report from a security program that is running on top of the potentially infected operating system; malware that controls the OS can hide from anything running inside it. Examine the disk from trusted boot media or a separate, known-clean system, as the forensics expert in this case did.
- A majority of these ebanking heists start with a social engineering scam sent via email. Companies should be actively phishing their own employees and grading them on their performance, and perhaps even tying performance to year-end bonuses or other (dis)incentives.
- Unlike consumers, businesses have essentially no legal protection against losses from cyber fraud: in the United States, Regulation E limits a consumer’s liability for unauthorized electronic transfers, but it does not cover business accounts. Yes, organizations should push their banks to do more on security. But for better or worse, small to mid-sized businesses who are counting on their banks to prevent this type of fraud are setting themselves up for disappointment and major financial losses.
- Banking from a Live CD or from an isolated (preferably non-Windows) computer that is never used for email or general web browsing, as Alta East is now setting up, is the surest way to avoid ebanking heists. However, this approach only works if it is consistently observed; a single login from the everyday workstation is enough to hand over the credentials.