In addition to the factors above, some of the more sophisticated Trojan-Downloaders used to deliver financial malware to its eventual destination are designed to self-destruct (or 'melt') once they have successfully or unsuccessfully downloaded the financial malware. This naturally hinders analysis conducted by antivirus and forensic specialists.

Money mules

The increase in financial malware is the result of the increasing criminalization of cyberspace, with malware being used to make money. In addition to stealing funds, cyber criminals need a method for accessing these funds. Obviously, the criminals can't transfer stolen money to their own accounts as this would make them easily identifiable and significantly increase the risk of arrest and prosecution. Banks have responded to the increased number of attacks by investing more time, money and effort into developing mechanisms for detecting fraud and illegal activity. One safeguard is for an alert to be triggered if a large amount of money is transferred to a 'suspicious' region of the world.


In order to sidestep this, cyber criminals have taken to using 'money mules'. Mules are often recruited via seemingly legitimate job offers – for instance, the cyber criminals might advertise for a 'financial manager'. If the would-be mule accepts the offer s/he is likely to receive official looking documents to sign to make it all seem legitimate. The mule makes his/ her bank account available to receive transactions, and then transfers 85% - 90% of the money onwards via a service such as MoneyGram or E-Gold. Such services are used because they guarantee anonymity, reducing the likelihood that the cyber criminal will be caught. The remaining funds are the mule's 'commission' – naturally money which has been earned illegally via phishing or financial malware.



Fig. 4 - Money mule recruitment