India's UPI (Unified Payments Interface) Becomes a New Money-Laundering Tool for Hackers

admin, March 6, 2024, 07:54:46
Cybercriminals are using a network of hired money mules in India, managed through an Android-based application, to orchestrate a massive money laundering scheme.

The malicious application, called XHelper, is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel said in a report.

Details about the scam first emerged in late October 2023, when cybercriminals were found to be taking advantage of the fact that Indian Unified Payments Interface (UPI) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan.

The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts.

"Central to this operation are payment gateways exploiting the QR code feature of UPI with precision," the cybersecurity company noted at the time.

"The scheme leveraged a network exceeding hundreds of thousands of compromised 'money mule' accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to other country."

These mules are efficiently managed using XHelper, which also facilitates the technology behind fake payment gateways used in pig butchering and other scams. The app is distributed via websites masquerading as legitimate businesses under the guise of "Money Transfer Business."

The app further offers the capability for mules to track their earnings and streamline the whole process of payouts and collection. This involves an initial setup process where they are asked to register their unique UPI IDs in a particular format and configure online banking credentials.

While payouts mandate the swift transfer of funds to pre-designated accounts within 10 minutes, collection orders are more passive in nature, with the registered accounts receiving incoming funds from other scammers utilizing the platform.
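
A defender-side illustration of the behaviour described above, added here and not taken from the CloudSEK report or any bank's system: it flags accounts that repeatedly forward incoming credits onward within the 10-minute payout window. The ledger rows, account handles, and the `MIN_HITS` and `MIN_RATIO` thresholds are constructed assumptions, as is treating the deadline as the gap between a credit and the matching debit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # payout deadline described in the report
MIN_HITS = 3       # assumed: forwarded credits needed before flagging
MIN_RATIO = 0.9    # assumed: fraction of a credit that must be forwarded

# Constructed ledger rows: (time, payer, payee, amount in INR)
SAMPLE_TXNS = [
    ("2024-03-01 10:00", "victim1@bank", "acctA@bank", 5000),
    ("2024-03-01 10:04", "acctA@bank", "sink@bank", 4950),
    ("2024-03-01 11:30", "victim2@bank", "acctA@bank", 12000),
    ("2024-03-01 11:37", "acctA@bank", "sink@bank", 12000),
    ("2024-03-01 14:15", "victim3@bank", "acctA@bank", 8000),
    ("2024-03-01 14:24", "acctA@bank", "sink2@bank", 7900),
    ("2024-03-01 09:00", "employer@bank", "acctB@bank", 40000),
    ("2024-03-03 18:00", "acctB@bank", "landlord@bank", 15000),
    ("2024-03-04 12:00", "friend@bank", "acctB@bank", 600),
    ("2024-03-04 12:05", "acctB@bank", "cafe@bank", 580),
]

def parse(rows):
    """Turn string rows into time-sorted (datetime, payer, payee, amount) tuples."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), p, q, a)
                  for t, p, q, a in rows)

def rapid_pass_through(rows, window=WINDOW, min_hits=MIN_HITS, min_ratio=MIN_RATIO):
    """Map each flagged account to its (credit_time, debit_time, in, out) pairs."""
    txns = parse(rows)
    debits = defaultdict(list)          # account -> indexes of its outgoing txns
    for i, (_, payer, _, _) in enumerate(txns):
        debits[payer].append(i)
    used, hits = set(), defaultdict(list)
    for t_in, payer, acct, amt_in in txns:
        for i in debits[acct]:
            t_out, _, payee, amt_out = txns[i]
            if i in used or payee == payer:
                continue                # one debit explains one credit; skip refunds
            if (t_in < t_out <= t_in + window
                    and min_ratio * amt_in <= amt_out <= amt_in):
                used.add(i)
                hits[acct].append((t_in, t_out, amt_in, amt_out))
                break
    return {a: h for a, h in hits.items() if len(h) >= min_hits}

if __name__ == "__main__":
    for acct, pairs in rapid_pass_through(SAMPLE_TXNS).items():
        print(acct, "forwarded", len(pairs), "credits within", WINDOW)
```

A single fast forward, like the one on the constructed `acctB@bank`, stays below the repeat threshold, which is what keeps ordinary spending out of the result.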

"Money mules activate order intake within the XHelper app, enabling them to receive and fulfill money laundering tasks," the researchers said. "The system automatically assigns orders, potentially based on predetermined criteria or mule profiles."

Once an illicit fund transfer is executed using the linked bank account, mules are also expected to upload proof of the transaction in the form of screenshots, which are then validated in exchange for financial rewards, thereby incentivizing continued participation.

XHelper's features also extend to inviting others to join as agents, who are in charge of recruiting the mules. It manifests as a referral system that allows them to get bonuses for each new recruit, thus driving an ever-expanding network of agents and mules.

"This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities," the researchers said. "Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network."

Another of XHelper's notable functions is to help train mules to efficiently launder stolen funds using a Learning Management System (LMS) that offers tutorials on opening fake corporate bank accounts (which have higher transaction limits), the different workflows, and ways to earn more commission.

Besides favoring the UPI feature built into legitimate banking apps for conducting the transfers, the platform acts as a hub for finding ways to get around account freezes to enable mules to continue their illegal activities. They are also given training to handle customer support calls made by banks for verifying suspicious transactions.

"While XHelper serves as a concerning example, it's crucial to recognize this isn't an isolated incident," CloudSEK said, adding it discovered a "growing ecosystem of similar applications facilitating money laundering across various scams."

In December 2023, Europol announced that 1,013 individuals were arrested in the second half of 2023 as part of a global effort to tackle money laundering. The international law enforcement operation also led to the identification of 10,759 money mules and 474 recruiters (aka herders).

The disclosure comes as Kaspersky revealed that malware, adware, and riskware attacks on mobile devices rose steadily from February 2023 until the end of the year.

"Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year," the Russian security vendor noted. "Adware accounted for the majority of threats detected in 2023."


References

[1] https://thehackernews.com/2024/03/how-cybercriminals-are-exploiting.html


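Originally published on the WeChat official account 知机安全: India's UPI (Unified Payments Interface) Becomes a New Money-Laundering Tool for Hackers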
