Cisco: Cybercriminals Will Focus on Money Laundering in 2011

Cybercrime organizations are likely to invest most of their resources into expanding their cash-out money laundering operations in the coming year, according to Cisco Systems’ 2010 Annual Security Report.

“When it comes to the success of [banking Trojans] like Zeus, the bottleneck is not getting a Trojan on people’s machines. There’s a surplus on that side quite frankly,” explained Scott Olechowski, manager of Cisco’s Threat Research Group. “The challenge that criminals are facing now is getting that money. That’s why [money] muling has really become one of the biggest bottlenecks in that type of crime.”

Cisco’s (NASDAQ:CSCO) Security Report, released today, details the company’s take on global security threats and trends. The beating heart of the report is the Cisco Cybercrime Return on Investment (CROI) Matrix, which seeks to view criminal organizations that perpetrate cybercrimes as businesses attempting to maximize their profits and productivity. By doing so, Cisco hopes to predict how they will focus their resources in the coming year.

The matrix uses success/growth as one axis and scalability/revenue as the other, dividing various criminal schemes into four quadrants: dogs, potentials, cash cows and rising stars. Based on the matrix, Cisco predicts that cybercriminal organizations are going to put the most resources into expanding their network of money mules.

The report also predicts that spam will continue to be a workhorse revenue generator, and criminal organizations will continue exploring the potential of the mobile frontier.

Money mules are central to laundering the money stolen via botnets like Zeus and other cybercrime schemes. Cisco defines them as individuals recruited by handlers or “wranglers” to set up bank accounts, or even use their own bank accounts, to assist in the transfer of money from a fraud victim’s account to another location—usually overseas—via a wire transfer or automated clearing house (ACH) transaction.

In general, mules work for a single day before they are abandoned by their wranglers or caught by law enforcement. Because of this, Olechowski explained that cybercriminals’ ability to steal money far outstrips their ability to launder it. He noted that the ratio of stolen account credentials to available mule capacity could be as high as 10,000:1.

“Money muling is an area that we’re confident will be a really big area of investment for criminals this year,” he said.

While some mules know exactly what they’re doing and simply think they’re smarter than the average mule, criminals often target students and the unemployed to serve as their unwitting dupes, Olechowski said. These organizations use job offers with tags like “Earn Thousands Working from Home!” to lure in victims.

“The more sophisticated cash-out organizations act as legitimate financial services firms,” the report explained. “Individuals who come in contact with these operations usually have no idea they are being recruited as money mules, and believe they are dealing with a recruiter for a legitimate company. Quite often, they have responded to an ad on an online employment site for a position with a title such as “regional assistant,” “company representative,” or “payment processor.” The contact the applicant interacts with online or by phone plays the role of human resources specialist, and when the victim inquires about vacation time, the availability of a 401(k) plan, or whether or not the “company” honors the Family and Medical Leave Act, they are provided a satisfying answer. As part of the “hiring process,” mules are asked to provide sensitive information to the handlers, such as images of their government-issued identification.”

Cisco explained that mules often work for just a single day before authorities apprehend them. The wranglers are adept at covering their tracks, so the mule often winds up on the hook for the stolen money and even faces jail time.

While Cisco does not expect to see massive growth in the “cash cow” quadrant of the matrix—pharma spam, click/redirect fraud, spyware/scareware and advanced fee fraud—the company said they will remain the workhorse revenue generators for cybercriminals in 2011.

However, Olechowski noted that spam took a big hit in 2010—Cisco’s data showed a decline in global spam in the past year for the first time since the inception of the commercial Internet—and law enforcement agencies have begun to take action to take down some of the worst offenders.

The report cited the work of Thorsten Holz, an assistant professor at Ruhr-University Bochum in Germany and a senior threat analyst for security firm LastLine, who together with his associates identified the 30 Internet servers that controlled the Pushdo/Cutwail botnet. After Internet service providers shut down 20 of the 30 servers, spam dropped from an average weekday volume of 350 billion spam messages a day to 300 billion a day.

In the “potentials” quadrant of the matrix, Cisco noted that mobile devices and VoIP abuse are likely to be areas cybercriminals will invest in exploring. Mobile devices, in particular, are likely to be attractive to criminals, according to Cisco, which cited research from IDC that mobile devices (including smartphones and tablet PCs) will surpass the 1 billion mark by 2013.

In the report, Cisco noted that Microsoft has invested a great deal of energy in securing its Windows platform, and Adobe has also focused its efforts on securing Flash and PDF. The three platforms have extensive market penetration and their security vulnerabilities have been considered easy targets by cybercriminals in the past. According to Cisco, the efforts of Microsoft and Adobe have made it more difficult for criminals to exploit those platforms, and so they are beginning to turn to potentially easier targets that also boast extensive penetration: Java, Apple products and devices running the Android operating system.

For example, the company noted that in January 2010, PDF exploits made up slightly more than six percent of the Web malware blocked by its Cisco ScanSafe product, but that number had dropped to just 2 percent by November 2010. Conversely, Java exploits made up 1.5 percent of the Web malware blocked in January 2010 and skyrocketed to seven percent by November 2010.

Thor Olavsrud is a contributor to and a former senior editor at He covers operating systems, standards and security, among other technologies.

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.

Thor Olavsrud
Thor Olavsrud
Thor Olavsrund is a journalist covering data analytics, security, infrastructure, and networking for He's especially interested in companies that use data to transform their business to tackle problems in innovative ways. As senior writer, his articles focus on practical insights, analysis, and business use cases that can help CIOs and other IT leaders navigate the shifting IT landscape.

Top Products

Related articles