Researchers at Trusteer say they have found a version of Zeus using man-in-the-browser techniques to present visitors to job-hunting site CareerBuilder.com with an ad they’d probably best ignore – a listing for a mule recruitment site.
Trusteer offered no information about how the victims were initially getting infected with Zeus. However, a common infection vector for Zeus is a drive-by infection on a compromised site.
“While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering,” blogged Etay Maor, fraud prevention solutions provider at Trusteer. “Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder [dot] com, the victim is more likely to believe the redirection is to a legitimate job opportunity.”
It is hardly unheard of for cybercriminals to use legitimate employment websites to recruit mules. Typically, Maor explained, this would take the form of criminals creating a job opening looking for financial managers.
“The ads would include enticing descriptions of easy money from simple “work-at-home” jobs, luring job seekers to contact the “employer” to unknowingly serve as the money laundering component of a cybercrime gang,” the researcher blogged.
Just this week, federal authorities in the U.S. charged eight people for being part of a money laundering operation that was involved in the attempted theft of $15 million from banking customers in the U.S.
Recognizing their sites can be abused for recruiting mules for these kinds of operations, employment websites have taken to offering easy ways for users to report suspicious ads, Maor continued. In addition, affected sites have created security teams that use a combination of manual and automatic search techniques to detect and remove such ads.
“Malware authors, on the other hand, recognize that job seekers who actively access employment websites have a high potential to be successfully recruited and serve as money mules,” Maor observed.
“By using CareerBuilder as a platform, the Zeus operators maximize their outreach to potential mule targets,” he added.
Related: Inside the Mule Network
Related: How Banks Can Identify Mule Accounts as They are Opened