S E P T E M B E R  2 0 1 2








Your Members as Money Mules?

An ongoing scam is making your members part of a popular money laundering practice. Credit union members from around the country are being recruited as money mules to unknowingly assist fraudsters in laundering stolen funds. The source of the stolen funds is often from account takeovers at other financial institutions through online banking systems.

Money mules are most often recruited through bogus job offers for payment processors, financial managers, or overseas representatives. Fraudsters typically find their potential money mules by searching websites where job seekers post their resumes. A key consideration in accepting the position is the ability to work from home.

Upon accepting the job, the money mules are notified they will receive deposits to their accounts via ACH and/or wire transfer. In some cases, the money mules are instructed to open an account at a financial institution in order to receive the funds. The mules are instructed to not share details of their new job with anyone. Upon receipt of the funds, the mules are instructed to either wire the funds to an account at another financial institution (foreign and domestic) or send the funds to individuals via Western Union. The money mules keep a portion of the funds deposited to their accounts as wages.

To help protect members from falling victim to the money mule scam, credit unions should consider the following:

For more information on money mule scams, visit www.scambusters.org/moneymule.html and www.ic3.gov.


Fraud Alert - Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud

Recent FBI reporting indicates a new trend in which cyber criminal actors are using spam and phishing e-mails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee login credentials. The stolen credentials were used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the actor(s) raised the wire transfer limit on the customer’s account to allow for a larger transfer. In most of the identified wire transfer failures, the actor(s) were only unsuccessful because they entered the intended account information incorrectly.


The actor(s) primarily used spam and phishing e-mails to target their victims. Once compromised, keyloggers and RATs installed on the financial institution employee’s computer provided the actor(s) with complete access to internal networks and logins to third party systems. Variants of ZeuS malware were used to steal the employee’s credentials in a few reported incidents.

In some instances, the actor(s) stole multiple employee credentials or administrative credentials to third party services and were able to circumvent authentication methods used by the financial institution(s) to deter fraudulent activity. This allowed the intruders to handle all aspects of a wire transaction, including the approval.

The unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours using the stolen financial institution employees’ credentials. These logins allowed the actor(s) to obtain account transaction history, modify or learn institution specific wire transfer settings, and read manuals providing information and training on the use of US payments systems.

In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance.


Small-to-medium sized banks or credit unions have been targeted in most of the reported incidents, however, a few large banks have also been affected.

Denial of Service Attacks

In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Web site(s) and/or Internet Banking URL. The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer. One botnet that has been used for this type of distraction is the Dirtjumper botnet. Dirtjumper is a commercial crimeware kit that can be bought and sold on criminal forums for approximately $200.

Recommendations to Financial Institutions:

Incident Reporting

  1. The FBI encourages victims of cyber crime to contact their local FBI field office, http://www.fbi.gov/contact/fo/fo.htm, or file a complaint online at www.IC3.gov.
  2. The FS-ISAC encourages member institutions to report any observed fraudulent activity through the FS-ISAC submission process and login at http://www.fsisac.com/. This can be done with attribution or anonymously and will assist other members and their customers to prevent, detect, and respond to similar attacks
  3. Financial institutions’ compliance or anti-money laundering team(s) should submit a Suspicious Activity Report (SAR) utilizing the Account Takeover guidance issued by the Financial Crimes Enforcement Network (FinCEN).

Back to top

To unsubscribe from this e-newsletter or to send comments or questions, please send an email to newsletter@suncorp.coop.

Contact Us   |  SunCorp Web site   |   Privacy Statement
Technical Problems? Contact webmaster@suncorp.coop
All contents © 2010 System United Corporate Federal Credit Union