Fake Job Postings Displayed on Infected Computers

For cyber criminals, Zeus is the complete package: not only will it steal your money, it now helps the gangs recruit the money mules to get stolen money out of the country and into their own accounts.

Money mules are generally unwitting dupes employed by the criminals to do the risky bit of the theft – the actual money transfer out of the country. Since electronic transfers can be traced, it is the money mule rather than the criminal that tends to get arrested. The criminals thus have a constant requirement for new mules.

Employment agencies are a prime target for mule recruitment. If somebody is already looking for, or in need of, employment then he or she can more easily be duped. Typically, the criminals would place attractive looking adverts offering easy money for little work as a local payments processing agent, or shipping agent. Such offers are still found in spam campaigns. But as spam filters improve, and employment agencies get more efficient at finding and rejecting suspicious adverts, more efficient recruitment has become necessary.

What better route than Zeus?

Zeus is a man-in-the-browser trojan. Its most common use is to fool the user into thinking the page on the screen is the official bank page as part of a financial fraud. But the same methodology can be used to fool the user into thinking an advert for a shipping agent is genuine. This is now happening. “A recent Zeus malware configuration analyzed by Trusteer’s security team,” reports Etay Maor, Trusteer’s fraud prevention solutions manager, “is using Man-in-the-Browser (MitB) techniques to present the user with an advertisement for a mule recruitment site every time the victim accesses CareerBuilder [dot] com. The mule recruitment website in this case is marketandtarget [dot] com.”

Since this all happens on the local infected PC, there is nothing the genuine CareerBuilder site can do. The code is injected into the browser by Zeus – and if the user is tempted and visits the marketandtarget website (currently down, according to Trusteer) then he or she will be invited to apply for an attractive looking position that is just a disguised money mule. One example found by Trusteer is seeking ‘mystery shoppers’ – people who ‘love to shop’. Typically, dirty money would go into the mule’s account, who would then use it to buy expensive and salable goods. Those goods would be sold by the criminals, and ‘clean’ money would go into their accounts.

“By using CareerBuilder as a platform,” explains Maor, “the Zeus operators maximize their outreach to potential mule targets. While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering.  Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder [dot] com, the victim is more likely to believe the redirection is to a legitimate job opportunity.”

People looking for a job should always remember that while money for little effort is always attractive, it is rarely legal – and it is the money mule rather than the criminal that tends to get caught.