Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money.

They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments.

In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.

METABANK only accepts cash money from their customers, the real customers

However, apparently thieves have figured out how to work the METABANK system to their advantage while real customers can’t get the cards to work. It is clear to me that the PREPAID CARDS are a scam in themselves.

If all honest consumers stopped using METABANK’s prepaid card, then it would just be the criminals using them and they may be easier catch…

Some of the mule gangs I’ve identified.

But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and triggering anti-money laundering reporting requirements by the banks), cyber crooks usually send less than $10,000 to each mule.

In other words, for every $100,000 that the thieves want to steal, they need to have  at least 10 money mules at the ready.

In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.

WHO IS HIRING THE MONEY MULES? Cybercrooks and their names are???

Thus, the average mule is worth up to $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40-50 percent of the fraudulent transfer amounts for their trouble. Not only are mule expensive to acquire, they often take weeks to groom before they’re trusted with transfers.

But these mules also come with their own, well, baggage. I’ve interviewed now more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, giving the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.

In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules. For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores.

A majority of these low-value cards are not reloadable, unless the cardholder goes online and provides identity information that the prepaid card issuer can tie to a legitimate credit holder.

After that card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.

“The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division. “We do checks against different public resources like Experian and LexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”

The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked. However, METABANK can’t figure out and identify their own real customers so their product is useless… That is the true story.

Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.

Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts.

The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money.  They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments. In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.

Some of the mule gangs I’ve identified.

But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and triggering anti-money laundering reporting requirements by the banks), cyber crooks usually send less than $10,000 to each mule. In other words, for every $100,000 that the thieves want to steal, they need to have  at least 10 money mules at the ready.

[ Consumers think that METABANK itself is a thief because of how we have been treated. METABANK cares nothing about abusing their customer base, the real customer base that is, and serves money laundering mules from the underworld.]

In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.

Thus, the average mule is worth up to $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40-50 percent of the fraudulent transfer amounts for their trouble. Not only are mule expensive to acquire, they often take weeks to groom before they’re trusted with transfers.

But these mules also come with their own, well, baggage. I’ve interviewed now more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, giving the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.[ Customers are complaining that METABANK has so screwed up their accounts that it is impossible for them to be able to access their own money… so it appears that these “not the sharpest crayons in the box mules” need work that they apply for the entry level positions at METABANK. They won’t even know if they are lying to customers or not…. METABANK is so screwed up.]

In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules.

[Money mules??? Wow! Only criminals could think of such a thing. Ordinary and honest people still are being scammed by METABANK. It is like METABANK played a mean joke on themselves.]

For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores. A majority of these low-value cards are not reloadable, unless the cardholder goes online and provides identity information that the prepaid card issuer can tie to a legitimate credit holder. After that card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.

“The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division.

“We do checks against different public resources like Experian andLexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”

[Yes, consumers you were right that METABANK does check your credit, so that NO CREDIT CHECK NECESSARY is just bogus for us honest folks!!! Actually, consumers want real protections. METABANK created this monster and this monster is now biting them back. Honest consumers though have still been left out in the cold with no solution nor any resolve for the crap that METABANK has dished out at us!!!]

The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked.

[ >>>BUT METABANK HAS STILL FAILED TO FIND A WAY TO PROPERLY SERVE THEIR GENUINE CUSTOMER BASE.

>>> METABANK LIES TO CUSTOMERS AND KEEPS CUSTOMERS AND THEIR OWN CASH MONEY APART WHEN THEY NEED THE MONEY THE MOST

>>>> METABANK ADVERTISES THAT A CUSTOMER’s MONEY IS SAFER AND MORE SECURE WHEN PLACED ON ONE OF THE METABANK CARDS….. THIS IS A LIE FROM WHAT I AM READING HERE!!!]

Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.

THE ATTACK

Sometime on March 13, four different employees of Alta East received emails that appeared to have been sent from a current client. The messages inquired about a recent transaction, and cited an invoice number. According to Weeden, all four Alta East employees opened the attached Adobe PDF file, which contained a hidden Javascript element that infected their Windows XP systems with a variant of the ZeuS Trojan.

[THINK OF ALL THE MONEY THESE CROOKS COULD MAKE IF THEY PUT THEIR MINDS TO SOMETHING NOBLE AND WORTHY…. NO EXCITEMENT THERE, EH? SO HAVE METABANK STOP THE AWFUL PREPAID CARDS ENTIRELY> METABANK IS A SCAM OPERATION IN AND OF ITSELF!!!]

Six days later, the thieves set up a batch of fraudulent payroll payments, sending instructions to Alta East’s bank to fund 15 Metabank prepaid cards; the remainder of the funds apparently were sent to traditional money mules at locations around the country.

“The emails came from a legitimate customer, and we thought he was questioning an invoice,” Weeden said. “There were four of us who hit that attachment. Afterwards, we asked the customer about the email, but he said he hadn’t sent it.”

[It is too soon for ordinary people to be forced into using prepaid cards… Only criminals and thieves have found any success in getting a METABANK PREPAID CARD TO actually work.]

Weeden said Alta East’s internal IT guys scanned her machine with six different antivirus tools, but the scans turned up no evidence of infection. It wasn’t until the company hired an outside forensics expert who removed the hard drive and examined it in an isolated environment that the expert found the ZeuS infection.

The thieves didn’t route their fraudulent logins to Alta East’s bank account through the company’s systems; rather they proxied the traffic through  the networks of the Center for Discovery, a rehabilitation facility for disabled individuals that is located in nearby Harris, N.Y. The center did not return calls seeking comment.

Rick Jones, executive vice president business services at Alta East’s financial institution –Provident Bank — said the bank followed its agreement with Alta East, and sent the company an email about the fraudulent payroll batch the very day it was initiated. But Jones said that Alta East admitted to overlooking the notification until the following morning. By that time, most of the unauthorized transfers had already gone through.

Weeden said Provident was able to retrieve roughly $20,000 worth of illicit transfers from mule accounts, and that it expected to recover another $21,000 in the coming weeks. She added that her firm is in the process of setting up a system whereby online banking is done only from an isolated computer that will not be used for email or regular Internet browsing. Still, the company is facing an $80,000 loss from the incident.

It remains to be seen whether cyber thieves continue shifting more of their operations from traditional mules to prepaid debit accounts.

I’ve talked to a number of victims who lost more than $100,000 but noted that the thieves left several hundred thousand dollars untouched in the company’s accounts. “Why would they leave so much money on the table like that? Why not just take it all?” the victims usually ask. The answer? Just as real life bank robbers are limited in the amounts they can steal by the volume of cash they can physically haul from the scene of the crime, so are cyber thieves.

Usually, the thieves simply did not have access to enough mules to help them haul all of the available loot. That limitation is eased if they start depending more on prepaid cards, an entire stack of which can fit easily into a single miscreant’s wallet.

[ You would be surprised at what banks will hand over to the wrong person without paying close attention. As consumers, we believe that the design of the METABANK created prepaid gift card was primarily a gimmick that would abuse honest people who would be their customers. The fact remains that METABANK has repeatedly lied to us as their real customers; this is by design. The money mules may or may not be a real story. As customers of METABANK, we know that we have been taken advantage of by METABANK and we don’t know why METABANK is still allowed to continue this scam… This has not been completely nor adequately addressed.]

ANALYSIS

There are a few things worth calling out from the above story, and every business owner would do well to consider them closely:

-eBanking losses are likely to increase if thieves continue to find success with the prepaid card approach.

-Today’s cyber thieves are patient and willing to jump through multiple hoops to steal your money.

-Clicking on links and email attachments continues to be a risky activity, even when the links and attachments appear to come from someone you know or trust.

-Traditional antivirus tools have an atrocious record in detecting ZeuS and its ilk. If you suspect a machine is compromised, you cannot trust a report from a security program that is running on top of the potentially infected operating system.

-A majority of these ebanking heists start with a social engineering scam sent via email. Companies should be actively phishing their own employees and grading them on their performance, and perhaps even tying performance to year-end bonuses or other (dis)incentives.

-Unlike consumers, businesses have basically no legal protection from their bank due to losses from cyber fraud. Yes, organizations should push their banks to do more on security. But for better or worse, small to mid-sized businesses who are counting on their banks to prevent this type of fraud are setting themselves up for disappointment and major financial losses.

-Banking from a Live CD or from an isolated (preferably non-Windows) computer is the surest way to avoid ebanking heists. However, this approach only works if it is consistently observed.