Trojan Authors Recruit 'Money Mules' From List Of Stolen IdentitiesTrojan Authors Recruit 'Money Mules' From List Of Stolen Identities

The malware authors behind the Prg Trojan appear to be soliciting their identity theft victims to become 'money mules,' moving stolen money from bank accounts to the hackers' own coffers.

Vikram Thakur, a researcher with Symantec's Security Response team, reported in a blog post that they have discovered templates of e-mails that the Trojan authors are sending out, using their newly acquired collection of stolen identities to target their money mule scam at people looking for jobs.

"The templates all point to the same position," wrote Thakur. "The job is that of a 'Transfer Manager' at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The e-mail looks very realistic and may convince many that it has been sent from Monster.com or Careerbuilder.com."

While the e-mail says the job doesn't require any experience and offers a $500 sign-on bonus and the ability to work from home, it also notes that it does require people to have an account with Bank of America for wire transactions.

Gunter Ollmann, director of security strategy at IBM's Internet Security Systems, explained that cybercriminals, like hackers and phishers, have been using mules for several years, setting them up to move money out of a compromised bank account and then to transfer it -- possibly even wire it -- to the hacker's overseas account.

"The average life of a mule appears to be fairly short," added Gunter. "People have no idea what a mule actually is so they don't realize they're participating in a money laundering scam. They're being promised that they can work for an hour or two a day and earn thousands a month. They only have to live in the U.S., use this bank, and work from home a few hours a day."

In this particular case, the authors of the Prg Trojan are using the plethora of identities that they've stolen in the last several months to find of potential mules.

In the last few weeks, researchers from SecureWorks found 12 caches with about 100,000 stolen identities -- all stolen via fraudulent ads on Monster.com. And researchers at Symantec found another massive cache -- this one contained about 1.6 million pieces of stolen data, such as names, addresses, mobile phone numbers, and name of employers. The number correlates to data pieces, not 1.6 million victims.

It's still unclear how many stolen identities -- how many victims of identity theft -- the information in that cache represents, according to Dave Cole, director of Symantec's Security Response team.

On Wednesday, Monster Worldwide, parent company of Monster.com, released an advisory saying that it is investigating the impact the Trojan has had on its database.

"Monster has identified and shut down a rogue server that was accessing seeker contact information through unauthorized use of compromised legitimate employer-client log-in credentials," said the advisory. "The information contained on this server was limited to names, addresses, phone numbers, and e-mail addresses. The company is currently analyzing the number of job seeker contacts impacted by this action and will be communicating with those affected as appropriate."