Money Mules: The Hidden Side of Phishing

Online fraud depends on an offline component-people who launder money.

The dramatic rise in phishing and identity theft attacks includes a well-organized offline component—the not-so-innocent "money mule" recruited by fraudsters to launder stolen money across the globe.

The ads appear innocently on all the major employment listing sites, offering stay-at-home positions titled "shipping manager," "private financial receiver" or "sales representative."

These, however, are active attempts at enlisting people—mostly in the United States, the United Kingdom and Australia—to transfer illegal funds from credit card thieves operating out of the former Soviet Union, according to an investigation by VeriSigns iDefense security research outfit.

"This is the other side of phishing that most people never see or hear about. But, its probably the most important part of the attack," said Ken Dunham, director of the Rapid Response Team at iDefense, in Dulles, Va. "Without the money mule, they really cant do anything with stolen credit card credentials," Dunham added.

Using hijacked PCs in well-stocked botnets, crime rings have hit pay dirt via adware installations, spam runs and phishing e-mails that attempt to trick users into entering log-in credentials on fake sites.

Once the phish is successful and the malicious attacker has access to credit card and bank log-in details, there is a desperate need for a money mule in the same country as the victim to handle money transfers or to reship items to the fraudster.

The recruitment drive also includes well-designed Web sites that serve as fronts for the companies recruiting the money mules, Dunham said. iDefense found that all such Web sites it investigated were registered in Panama, the home of WebMoney, one of the most popular electronic money services among credit card thieves, also called carders.

eWEEK responded to a Craigslist advertisement for a "regional assistant" and got an immediate response from the hiring manager for Terenfc, an outfit that describes itself as a wholesale product distribution service. Terenfc offered a commission of $50 per received package/operated transfer plus a base salary of $2,000 per month.

/zimages/1/28571.gifeBay and PayPal remain the top phishing targets, a study says. Read more here.

A week later, a follow-up e-mail arrived with two Microsoft Word attachments—a personal information form and an employment agreement. The first form requested complete data on the job seeker, including name, address, phone number, bank account number and PayPal account information.

The employment agreement sets out in plain terms the requirements of the money mule. It reads, in part:

• To accept merchandise orders at his/her residential address;

• To handle the received merchandise in accordance with the reasonable conditions of handling of items;

• To fill in all the necessary postal documents of the postal service company in complete accordance with the instructions;

• To ship the item or merchandise to the address listed in the instructions;

• To scan and send via e-mail or fax all postal documents attached to the shipped correspondence (such as invoices, package slips, custom declarations, receipts or couriers tracking numbers) to the representative of the company within one business day.

The recruitment of money mules has been aggressive in the United Kingdom, prompting the formation of Bank Safe Online, a phishing awareness campaign launched by a consortium of British banks. The initiative, which is managed by the Association for Payment Clearing Services, or APACS, has zeroed in on the money mule scam, issuing stern warnings about the fake jobs and the risks involved with reshipping and laundering money.

Jemma Smith, a spokesperson for Bank Safe Online, in London, said the attempts to enlist mules have moved beyond misspelled spam ads and are now "very slick-looking sites offering what [appear] to be bona fide jobs."

/zimages/1/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Once recruited, Smith said money mules will receive stolen funds into their accounts. The mules then are asked to take these funds out of their account and forward them overseas (minus a commission payment), typically using a wire transfer service.

"Acting as a mule is an illegal activity. When caught, money mules often have their bank accounts suspended. Weve had a few arrests and some ongoing investigations here in the U.K.," Smith said.

In some cases, Smith said money mules are encouraged to open multiple accounts with the same bank as the identity theft victim. "If the mule is collusive, they can have multiple accounts in multiple banks, do small transfers just to stay under the radar. This is a big, big part of the problem because, without the mule, the phisher has no way to get the stolen money," Smith added.

Money Mules explained

  • Fraudsters contact prospective victims with job vacancy ads via spam e-mail, Internet chat rooms or job search Web sites. Jobs usually are advertised as financial management work, and ads suggest that no special knowledge is required.
  • The crime rings persuade the victim to come and work for their fake company. Some fraudsters even ask mules to sign official-looking contracts of employment.
  • Once recruited, money mules receive funds into their accounts. These funds are stolen from other accounts that have been compromised.
  • Mules then are asked to take these funds out of their accounts and forward them overseas (minus a commission payment), typically using a wire transfer service.

Source: Bank Safe Online

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.