In the first part of this series, we discussed the routines and the entry point of the banking malware DYRE. Information theft, however, is not the last step for this malware. It turns out that DYRE is also involved in another scheme: the parcel mule scam.
The Parcel and the Mule
During our analysis of the DYRE malware, we uncovered a web panel called Global BlackPoint.
Figure 1. Global BlackPoint site
A quick search online led to domain listings showing that the domain had been leased more than a year earlier. The site's intended audience can shop for a selection of items.
Figure 2. Items for sale
Research and intelligence on the contents of this web panel, however, indicate that it is used to purchase items in the United States and re-ship them to other locations. The site states this itself in its terms and conditions of use.
Figure 3. Terms and conditions
The goods are delivered to individuals living in the United States, who then ship them elsewhere in the world. These individuals may carry titles such as "Shipping and Receiving Manager" or "Logistics Specialist," but in reality they are "mules." Recruited through job postings on sites like Craigslist, they are promised around US$50 per parcel, or around US$2,000 a month.
This elaborate scheme is sometimes called a parcel mule scam, or a reshipping scam. Cybercriminals profit by using money stolen from bank accounts (courtesy of the banking malware) to buy the items, which are then resold. Mules are hired to move the goods out of the country, and their involvement also makes it less likely that the smuggling activity will be traced back to the criminals. Scams of this kind have been around for some time, but people continue to fall for them because of their "get rich quick" nature.
Retracing the Steps
In short, we have a three-step threat story:
Against spam and BANKER malware:
Against parcel mule scams:
Related hashes of files discussed in this series: