Zeus Malware Tactic Turns Job Seekers into Money-Moving Mules

An adaptation of the Zeus malware kit is targeting job seekers and turning them into mules.

The Trojan horse sits dormant on an infected computer until it's triggered by a person visiting CareerBuilder.com, says George Tubin, a senior security strategist at Trusteer. Using HTML injection, this Zeus adaptation redirects a job seeker to a phony recruitment website that looks legitimate.

"Criminals would create a job opening from a company looking for 'financial managers,'" Etay Maor, senior product marketing manager at Trusteer, explains in a blog. "The ads would include enticing descriptions of easy money from simple 'work-at-home' jobs, luring job seekers to contact the 'employer' to unknowingly serve as the money laundering component of a cybercrime gang."

Applicants are then duped into funneling cash from a victim's bank account to the cybercriminals behind the devious tactic.

"Malware authors ... recognize that job seekers who actively access employment websites have a high potential to be successfully recruited and serve as money mules," Maor wrote in his blog.

The scheme is a natural extension of what Zeus was already good for — collecting sensitive personal information and one-time-password data, says Robert E. Lee, an Intuit business analyst.

"If you control what the user sees on their screen, it makes social engineering so much simpler," he said. "They use it to trick users into running malware on their phone, why not help them get a job in the exciting world of forex trading, too?"

In the past, crews of criminals that use Zeus to ply their craft hired handlers to recruit mules for money movement, Ken Baylor, a research vice president at the information security research and advisory company NSS Labs, said by email. For instance, stolen money would be cashed out by mules who would then send the funds to handlers, who would pass the money along to the original criminal crews — minus a 45-55% handling fee, of course.

"Mule handlers are being squeezed out of the market," Baylor said in the email. "To lower costs, [hackers] are researching new ways to attract and retain mules."

Trusteer has stumbled upon one such method: going after job seekers, he said.
