A £1.7 million bank fraud scam involving a fake British insurance company has been uncovered by Slovenian police. In raids on 21 March, Slovenian police arrested five people suspected of using remote administration tools (RATs) and keyloggers to make illegal bank transfers from small companies.

Reports of the scam first surfaced in April 2012. Accounting staff at small and medium-sized companies were targeted with emails pretending to be from local Slovenian banks and, in one case, the state tax authority. The recipient would be directed to download the attached malware, which was disguised as a harmless PDF.

The malware installed a RAT on the recipient's computer, allowing the scammers to spy on and control the infected machine and gather sensitive banking information.


All of the 48 companies successfully scammed were clients of an as-yet unnamed Slovenian bank. The bank uses a card authentication system that is directly connected to the computer -- meaning that if a user left the card in the reader, the scammers could have full access to their online banking using a key-logged password.

Bank transfers were then scheduled to occur over weekends or during national holidays to minimise the risk of detection. Almost £1.7 million was stolen and around half remains unaccounted for.

A fake British insurance company was used to attract 25 'money mules' who were used to launder the money. The money mules were told that the fake company was starting up operations in Slovenia, and were even issued contracts to convince them they were work-from-home employees of a legitimate company. The money mules would receive money from the affected companies, and then forward it on to an account controlled by the scammers, with the belief that they were performing legitimate money transfers. It is not believed that any UK nationals were involved.

"There were 14 versions of the Trojan. [The scammers] adapted and improved it with time, adding in techniques to detect the presence of anti-malware software as they became aware that their scam was being investigated," Gorazd Bozic, Head of Slovenia's national Computer Emergency Response Team (SI-CERT), told Wired.co.uk. "SI-CERT was sending samples to anti-virus companies and no doubt they were noticing that their malware was being detected and therefore they became more advanced over time."

Richard Clayton, a security researcher at Cambridge University, said that this type of attack was fairly common and that "most of the major league, major volume criminals" are using malware like RATs and keyloggers to gain access to bank accounts.

In 2010, a similar scam was uncovered in the UK. Around £20 million was alleged to have been stolen by a gang using the "Zeus" family of malware. In the Slovenian case, the malware was home-grown but used similar tactics to malware such as Zeus and Citadel.


In February 2013, a survey by Financial Fraud Action showed that 19 percent of UK students who had received email offers to receive and transfer money had accepted. If convicted, money mules face up to 10 years in prison for money laundering. In 2010, 37 alleged money mules were charged in the US in connection with a series of bank frauds.

A spokesperson for Financial Fraud Action warned the public to avoid being involved in money mule activity: "Members of the public need to reject any approach for their bank account to be used in this way, lest they risk a range of consequences, including a potential prison sentence of up to ten years. Any profits they have made from this 'money muling' will be recovered from their accounts to reimburse the genuine victims of online banking fraud, their bank account will be closed down, and details of the criminality shared with other banks (meaning participants may no longer be able to open a bank account in the UK, obtain a loan or get a mortgage)".
