Mules & Jewels: “Gameover” in 9 Steps

The new “Gameover” malware driving online banking fraud has gotten much attention in the press lately, but I realized that most of it has focused on the distributed denial of service (DDoS) attacks launched by this malware variant to bypass common controls.  Another important element of the total scheme that I think is worth highlighting is a new twist on how criminals are using money mules to “pick up” and move stolen funds.
Fraudsters are getting creative and employing a new, retail-based approach. Why? To decrease the risk of their mules getting caught. They are using high-end jewelry stores to essentially launder their loot.
Here’s how it works:

  1. The fraud victim – typically a business banking customer – gets a phishing email that appears to originate from reputable organizations like the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC). When this attack was first launched, all emails appeared to originate from NACHA. The email may claim that there is problem with a recent transaction that requires the user’s attention.
  2. When the link in the email is clicked, the victim is sent to a bogus website and inadvertently downloads a new variant of the notorious ZeuS malware called “Gameover”.
  3. Once infecting the victim’s PC, “Gameover” keylogs all online banking activity and sends stolen account credentials to the criminal.
  4. In a new wrinkle, the criminal employs a DDoS attack to cover their tracks. When the attack begins, the victim’s business may be hit with DDoS to prevent Internet access so they don’t notice the attack and can’t reverse the transaction.
  5. In a more sophisticated version of the scheme, the financial institution is included in the DDoS attack, further decreasing the likelihood of the fraudulent transfers being noticed.
  6. The criminal wires money to a high-end jewelry store and then places an order for precious stones or expensive watches.
  7. A mule physically visits the store to pick up the order.  The jeweler checks their account, sees that the funds are there, and delivers the merchandise to the mule.
  8. The mule may then turn the jewelry over to the fraudster or sell it for cash.
  9. When the fraud is discovered, it can be the account holder or the jewelry store itself that’s hit with the loss.

It’s definitely “game over” for the victims of this fraud scheme.
This use of the Gameover Trojan was recently written up by the FBI .
Our fraud and threat research teams stay up to date on the latest cybercrime tools and techniques and I hope you will use this blog as a resource for combating fraud at your financial institution.