Just Say No To Work-At-Home Money Mule Scams
washingtonpost.com today ran a story I wrote that examines the ever-evolving scams that organized cyber thieves are coming up with to con people into laundering stolen funds on their behalf. The piece features interviews with a couple of unfortunate victims who lost money from so-called "money mule" scams. The following blog entry looks deeper into the essential role that mules play in many cyber crime operations, as well as the growing number of people who become mules knowing full well they are aiding criminals.
Money mules typically are recruited via spam or targeted e-mail. The recipient is often told that the potential employer found his or her resume on Monster.com, and is asked whether he or she would be interested in working a small number of hours per week to make anywhere from hundreds to thousands of dollars a week. The company usually represents itself as some kind of international finance operation or shipping company. In reality, most are fronts for cyber crime operations that are desperately seeking a constant stream of new recruits to help launder the proceeds of phishing scams and password-stealing computer viruses.
For example, money mules have helped to generate profits for the individual(s) behind some 15 separate, targeted malicious software attacks last year that came disguised as e-mails from the Better Business Bureau, according to iDefense, a security firm owned by Verisign. In those scams, the fraudsters sent virus-laden e-mails to tens of thousands of individuals whose resume and contact information were stolen in a previous compromise of a Monster.com job-seekers database, said Matt Richard, director of iDefense Rapid Response.
Targets of the BBB scams received e-mails that addressed them by name, and were told that a complaint was lodged against their company. Recipients who clicked on the link to view the "complaint" were taken to a Web site that tried to silently install software designed to steal passwords and financial data.
Richard said the BBB scammers used the same list of Monster.com job searchers to help monetize the credit card and bank account information stolen by the malicious software. Indeed, Richard said, the e-mail templates that the scammers used in both campaigns to customize messages with the names of recipients were found on the same Web server.
"There were several components of this attack, which included installing malicious code and stealing credentials, and the money mule component really helped the criminals pull the two together," Richard said. "The problem that all these scammers face is they have two options for monetizing stolen credit cards and bank account credentials: They can either sell it in bulk, or recruit people to help them pull money out of the accounts."
Sure, there are plenty of foolish or overly-trusting people who get pulled into these scams. The following excerpt - which further illustrates the connection between mules and cyber-crime operations - gives an idea of the number of mules who understand that what they're doing is illegal, and play along because they think they can pull one over on the scammers. And as you'll see, the scammers have picked up on this, and in some cases have dropped all pretense of being a legitimate employer.
From the story:
Several factors suggest a strong link between money mule recruiters and phishing and computer virus writing gangs. ... Money mule recruiters also found an ally in the author(s) of one of the more prolific families of malicious software, an e-mail based Trojan-horse program known as the "Storm worm." For the first nine months since its inception in January 2007, the millions of Storm-infected PCs were used mainly to blast out spam used for stock market scams.
Then, roughly once a month starting in September, the network of Storm-infected machines was spotted being used to pump out mule recruitment e-mails, said Joe Stewart, a senior security researcher at Atlanta-based SecureWorks.
All of the messages directed interested recipients to sign up at various online forums. Some were traditional money mule come-ons that tried to maintain a veneer of legitimacy, while other campaigns sought to play on another class of money mule recruits: The greedy who understand full well that they are aiding criminals but nonetheless believe they can reap a share of the profits.
One of the messages sent over the Storm network targeted this group specifically and was straight and to the point, with a subject line that read, "Work as a middle man for $8000/month." The rest of the message suggested the criminals' ability to enjoy the benefits of their bounty was limited only by the size of the money mule pool:
"We have large amount of funds on numerous bank accounts which needs to be laundered. We need your help to do that. You'll get 10% of each transaction coming into your bank account."
The number of people who received those solicitations and signed up to become money launderers was staggering. There were dozens of pages of people who offered their name, phone number, physical and e-mail address. I signed up and was asked to add an ICQ# to my instant message chat program, and within a few minutes was contacted by a mule recruiter who said they were particularly interested in recruiting people with access to certain banks in Canada. As evidenced by the screenshot below, it appears they had no trouble finding willing mules there.
When I played along and said I was in Canada, the guy told me that his outfit was temporarily unable to do direct money transfers to my bank account, and could he instead send me a certified check to deposit? If these guys recruiting mules from Storm spam aren't just renting the Storm botnet to blast out mule spam, then perhaps the checks are real, and represent the take from some of these stock spam runs. But usually, the only thing that's certified about a check from a crook is that it will eventually bounce, or be rejected by the bank for being a fake.
The message: Stay away from work-at-home offers, and remember the old adage "If it sounds too good to be true, it probably is." The knowing, crime-enabling type mules remind me of the people who think they can game the system by buying into penny stocks advertised in fraudulent "pump-and-dump scams." If you believe you can pull one over on these cyber criminal operations, you are probably too clever by half: Almost all money mules wind up being taken one way or another.