
Just Say No To Work-At-Home Money Mule Scams

washingtonpost.com today ran a story I wrote that examines the ever-evolving scams that organized cyber thieves are coming up with to con people into laundering stolen funds on their behalf. The piece features interviews with a couple of unfortunate victims who lost money from so-called "money mule" scams. The following blog entry looks deeper into the essential role that mules play in many cyber crime operations, as well as the growing number of people who become mules knowing full well they are aiding criminals.

Money mules typically are recruited via spam or targeted e-mail. The recipient is often told that the potential employer found his or her resume on Monster.com, and is asked whether he or she would be interested in working a small number of hours per week to make anywhere from hundreds to thousands of dollars a week. The company usually represents itself as some kind of international finance operation or shipping company. In reality, most are fronts for cyber crime operations that are desperately seeking a constant stream of new recruits to help launder the proceeds of phishing scams and password-stealing computer viruses.

For example, money mules have helped to generate profits for the individual(s) behind some 15 separate, targeted malicious software attacks last year that came disguised as e-mails from the Better Business Bureau, according to iDefense, a security firm owned by Verisign. In those scams, the fraudsters sent virus-laden e-mails to tens of thousands of individuals whose resume and contact information were stolen in a previous compromise of a Monster.com job-seekers database, said Matt Richard, director of iDefense Rapid Response.

Targets of the BBB scams received e-mails that addressed them by name, and were told that a complaint was lodged against their company. Recipients who clicked on the link to view the "complaint" were taken to a Web site that tried to silently install software designed to steal passwords and financial data.

Richard said the BBB scammers used the same list of Monster.com job searchers to help monetize the credit card and bank account information stolen by the malicious software. Indeed, Richard said, the e-mail templates that the scammers used in both campaigns to customize messages with the names of recipients were found on the same Web server.

The still-live Web site used to recruit mules to launder funds stolen from victims of the Better Business Bureau malware attacks.

"There were several components of this attack, which included installing malicious code and stealing credentials, and the money mule component really helped the criminals pull the two together," Richard said. "The problem that all these scammers face is they have two options for monetizing stolen credit cards and bank account credentials: They can either sell it in bulk, or recruit people to help them pull money out of the accounts."

Sure, there are plenty of foolish or overly trusting people who get pulled into these scams. The following excerpt - which further illustrates the connection between mules and cyber-crime operations - gives an idea of the number of mules who understand that what they're doing is illegal, and play along because they think they can pull one over on the scammers. And as you'll see, the scammers have picked up on this, and in some cases have dropped all pretense of being a legitimate employer.

From the story:


Several factors suggest a strong link between money mule recruiters and phishing and computer virus writing gangs. ... Money mule recruiters also found an ally in the author(s) of one of the more prolific families of malicious software, an e-mail based Trojan-horse program known as the "Storm worm." For the first nine months since its inception in January 2007, the millions of Storm-infected PCs were used mainly to blast out spam used for stock market scams.

Then, roughly once a month starting in September, the network of Storm-infected machines was spotted being used to pump out mule recruitment e-mails, said Joe Stewart, a senior security researcher at Atlanta-based SecureWorks.

All of the messages directed interested recipients to sign up at various online forums. Some were traditional money mule come-ons that tried to maintain a veneer of legitimacy, while other campaigns sought to play on another class of money mule recruits: The greedy who understand full well that they are aiding criminals but nonetheless believe they can reap a share of the profits.

One of the messages sent over the Storm network targeted this group specifically, was straight and to-the-point, with a subject line that read, "Work as a middle man for $8000/month." The rest of the message suggested the criminals' ability to enjoy the benefits of their bounty was limited only by the size of the money mule pool:

"We have large amount of funds on numerous bank accounts which needs to be laundered. We need your help to do that. You'll get 10% of each transaction coming into your bank account."


The number of people who received those solicitations and signed up to become money launderers was staggering. There were dozens of pages of people who offered their name, phone number, physical and e-mail address. I signed up and was asked to add an ICQ# to my instant message chat program, and within a few minutes was contacted by a mule recruiter who said they were particularly interested in recruiting people with access to certain banks in Canada. As evidenced by the screenshot below, it appears they had no trouble finding willing mules there.

When I played along and said I was in Canada, the guy told me that his outfit was temporarily unable to do direct money transfers to my bank account, and could he instead send me a certified check to deposit? If these guys recruiting mules from Storm spam aren't just renting the Storm botnet to blast out mule spam, then perhaps the checks are real, and represent the take from some of these stock spam runs. But usually, the only thing that's certified about a check from a crook is that it will eventually bounce, or be rejected by the bank for being a fake.

The message: Stay away from work-at-home offers, and remember the old adage "If it sounds too good to be true, it probably is." The knowing, crime-enabling type mules remind me of the people who think they can game the system by buying into penny stocks advertised in fraudulent "pump-and-dump scams." If you believe you can pull one over on these cyber criminal operations, you are probably too clever by half: Almost all money mules wind up being taken one way or another.

By Brian Krebs  |  January 25, 2008; 11:00 AM ET
Categories:  Fraud , From the Bunker , Safety Tips  

Comments

Why do people get drawn in by such scams, is it pure greed? Stupidity? Or, does everyone have a trigger point and is it just a case of a scammer finding it and squeezing?

db

Posted by: David Bradley | January 25, 2008 11:13 AM

Remember when it was just all of the annoying "Make Money Fast" posts in online newsgroups?

Brian, you watch- next will be money mule pyramid scheme operators. Each mule will have to recruit 10 more, probably from a social networking site, in exchange for a promised larger slice of the pie.

Posted by: BelchSpeak | January 25, 2008 12:24 PM

The old adage "If it sounds too good to be true, it probably is." needs repeating!

Along with "There's a sucker born every minute."

and "Play with fire, you're gonna get burned."

Or as Forrest Gump so aptly put it, "Stupid is as stupid does."

Posted by: TJ | January 25, 2008 1:11 PM

People want easy money which is why there will always be scams out there.

Posted by: Anonymous | January 25, 2008 4:58 PM

I'm shocked, bk, SHOCKED that there are internet scams. How many Nigerian Finance Ministers have to die in tragic plane crashes before people get it?

Posted by: GTexas | January 25, 2008 5:51 PM

Easy money, greed, or ignorance; maybe. However, let us not overlook the social element; some people are just simply put into poor and desperate circumstances.

Posted by: Steve | January 26, 2008 1:31 AM

A fool and his money are easily parted.

Posted by: Jab | January 26, 2008 1:09 PM

We have a highly flawed legal system. It appears to me that there is little legislative and/or law enforcement motivation to go after this type of criminal.

However, when we get into so-called "intellectual property" the content producers go to the congressional supermarket to buy legislation and enforcement power to protect their self interest. In fact there are reports that content producers want ISPs to "filter" internet traffic to prevent illegal file-sharing. Here we have private companies forcing other private companies to act as internet traffic cops!

I do not believe it is appropriate for private companies to take on "law enforcement" obligations. Within the context of Brian's post, "real" internet crimes appear to be overlooked by our legal establishment while the "fake" internet crimes receive law enforcement support because an industry group "pays" for it. (By "fake", I don't mean to imply that violating copyright is acceptable, the problem is that content producers are abusing copyright and using it as a red-herring to get self-serving legislation.)

Posted by: Steve R. | January 27, 2008 9:40 AM

@Steve -- You've hit on one of my big pet issues. If we as a nation took cyber crime as seriously as we do intellectual property violations then the current cyber crime situation would probably be less severe. Our nation's leaders build IP protections into trade treaties with other countries, yet we can't be bothered to reach for a legal edge on cyber crime law enforcement in other countries via the same methods.

We have notice and takedown laws that require ISPs hosting infringing content to take down infringing sites within a short window of time after being notified, yet we have no such requirement for malicious sites that are infecting millions with malware.

Posted by: Bk | January 27, 2008 1:29 PM

"I do not believe it is appropriate for private companies to take on "law enforcement" obligations."
Posted by: Steve R. | January 27, 2008 09:40 AM


I do not believe so either, but it depends on local mores ... Some years ago after a spat with an Apartment Complex they had my car towed (from the complex) because the State Inspection sticker was out of date. We went to Court and I lost - had to pay the tow charges. The Police were never involved. According to the Judge this is how things are done in Texas. A business can enforce the law if they want to.

Posted by: GTexas | January 27, 2008 4:17 PM

Steve R. said: "We have a highly flawed legal system. It appears to me that there is little legislative and/or law enforcement motivation to go after this type of criminal."

I believe the problem is not with our own legal system, but that these criminals are not located in the US and not subject to our laws. The problem is with the law enforcement in places like Nigeria and places like the former Iron Curtain countries.

Posted by: dianmari | January 27, 2008 6:48 PM

One of the organized cyber thieves is CSP (consumer service perceptions).
Mark Michelson, Program Coordinator. This criminal has stolen millions of dollars from people. Report and stay away from CSP.

located at:
2809 rosevilla street
pasedena, CA 91107

and:
145 dickinson lane
wilmington, DE 19806
800-939-0812
626-242-1091
626-243-4428


Posted by: louis chan | January 28, 2008 2:45 AM

re: GTexas

Since your car was on private property, I think that towing would be legal in most states. Most leases have some sort of boilerplate parking regulations that require current registration, etc. Most apartment complexes may not choose to enforce the rule strictly, but once you get on their 'bad guy' list all bets are off. You then have to do everything by the book.

Posted by: blasher | January 28, 2008 11:20 AM

TJ,
All true, but you forgot the most important adage of all:
You can't cheat an honest man

Posted by: gregh | January 28, 2008 12:09 PM

Why would anyone let a third party put their name on an account and use it for anything they wanted when the original anyone assumed all the risk? Makes no sense if it's PayPal or a co-signed loan - how could anyone think this is a "job"?

Posted by: puzzled | January 28, 2008 12:23 PM

For anyone interested, this is the scam email I received today that was the result of the Monster.com hack.

Dear Candidate,

This is Mrs. Rosa Thompson, assistant staff manager from Cyonix Healthcare.
I had the pleasure of reviewing your recent resume posted on the Internet;
right now we have open vacancy in your local area. Your education and
experience really interested us.
Today Cyonix Healthcare has a vacancy in your state. We are a company based
in Europe in United Kingdom. We receive orders from US and we need a
representative to process the payments due to the delays in clearing checks
here.

-Flexible program: two hours/business day at your choice, daytime and
evening time
-Work at home: checking e-mail and going to the bank
-Part time or full time
-Professional contact team with very good support and communication skills
-Other highlights: no selling involved, no kit to buy, we won't charge you
anything
-Monthly salary: $1,000 per month
-Commission: 10% of every check, instantly cash in hand that you will deduct
from the cashed amount.
IMPORTANT:
You must be over twenty one years old, U.S. citizenship and you need to have
an existing bank account. (We will never ask you for bank name, bank account
number, routing number, credit card, passwords, ssn number etc.)
If you do not meet these conditions no reply if necessary.
You do not have to pay anything to work for us like other internet companies
are asking.
No costs, nothing to buy. No membership to pay. No accounts to purchase.
Nothing to sell.
Top Cyonix Healthcare 5 earnings for the last month:
David J. Adamson,NY - $16,249.00
Brian L. Jones,VA - $15,082.00
John Johnston,IL - $14,921.00
Jenny Mc Kinney, CA - $13,782.00
Rose Likes,NY - $12,221.00
If you meet these conditions please contact us by replying at this e-mail
address and ask for: Representative Contract and detailed information about
this job.

Monster respects your online time and privacy. If you no longer wish to
receive Monster emails, please
submit your request.

Requests to unsubscribe or change preferences can be made only by clicking
the link above and may take up to 10 days to take effect.

To read the Monster Privacy Commitment, visit
about.monster.com/privacy/

Monster, 5 Clock Tower Place, Suite 500, Maynard, MA 01754

Add candidatereply@monster.com to your
address book to ensure delivery of Monster emails.


Posted by: Marilyn | January 29, 2008 2:05 AM

This is my favorite scam. I wonder if the fibbies are interested in taking them down.

Anti-Terrorist and Monitary Crimes Division.
FEDERAL BUREAU OF INVESTIGATION.
J. EDGAR. HOOVER BUILDING WASHINGTON D.C
03/05/2007

ATTENTION: Marilyn Phillips

This is to officially inform you that it has come to our notice, the Federal Bureau Investigation (FBI), that the sum of $25.5 Million U.S Dollars has been transferred to an account here in United State Of America in your name. The name we have on the fund as the rightful beneficiary is (Marilyn Phillips), That is why we have decided to contact you directly to acquire the proper verifications and proof from you to show that you are the rightful person to receive this fund, because the above mentioned amount is a big amount of money,
that is why we want to make sure is a legal money you are about to receive to verified that you are not involved with any money laundry.

Be informed that the fund have hit an account in U.S Bank, but right now we have ask not to release the fund to anybody that comes to them, unless we ask them to do so, because we have to carry out our
investigations first before releasing the fund to you. Note that the fund is in the Bank of America right now, but we have ask them not to credit it to any account yet, because we need some proof and
verifications from you before releasing.

So to this regards you are to reassure and proof to us the legitimate of the money you are about to receive by sending to us FBI Identification Record and also Diplomatic Immunity Seal Of Transfer DIST) to satisfy us that the money you are about to receive is free from Terrorism and
money laundry act. You are to forward the documents to us immediately if you have it with you, if you don't have it let us know so that we will direct and inform you where to obtain the document and send to us for our verification and proof of ownership which after we will ask the Bank
Of America to go ahead in Crediting the fund to you immediately. This Documents are to be issued to you from the place where the fund was transfer from, so get back to us immediately if you don't have the document so that we will inform you the particular place and what it will take to obtain it, because we have come to realize that the fund was transferred from the Federal Republic Of Nigeria according to our investigations.

An FBI Identification Record and Diplomatic Immunity Seal Of Transfer(DIST) often referred to as a Criminal History Record or Rap Sheet, is a listing of certain information taken from fingerprint
submissions retained by the FBI in connection with arrests and, in some
instances, federal employment, naturalization, or military service. If
the fingerprints are related to an arrest, the Identification Record includes name of the agency that submitted the fingerprints to the FBI, the date of arrest, the arrest charge, and the disposition of the arrest, if known to the FBI. All arrest data included in an Identification Record is obtained from fingerprint submissions,
disposition reports and other reports submitted by agencies having criminal justice responsibilities.

The United States Department of Justice Order 556-73 establishes rules and regulations for the subject of an FBI Identification Record to obtain a copy of his or her own Record for review. The FBI's Criminal Justice Information Services (CJIS) Division processes these requests.

An individual may request a copy of his or her own FBI Identification Record for personal review or to challenge information on the Record. Other reasons an individual may request a copy of his or her own Identification Record may include international adoption or to satisfy a
requirement to live or work in a foreign country (i.e., Diplomatic Immunity Seal Of Transfer, letter of good conduct, criminal history background, etc.)

On October 9, 1998, President Clinton signed into law the National Crime Prevention and Privacy Compact (Compact) Act of 1998, establishing an infrastructure by which states can exchange criminal records for no criminal justice purposes according to the laws of the requesting state, and provide reciprocity among the states to share
records without charging each other for the information. The Compact became effective April 28, 1999, after Montana and Georgia became the first two states to ratify it, respectively. To date, 27 states have ratified the Compact.

The Compact Council as a national independent authority, works in partnership with criminal history record custodians, end users, and policy makers to regulate and facilitate the sharing the complete, accurate, and timely criminal history record information to no criminal justice users in order to enhance public safety, welfare and security of Society while recognizing the importance of individual privacy rights

NOTE: We have asked for the above documents to make available the most
complete and up-to date records possible for no criminal justice purposes. If you fail to provide the Documents to us, we will charge you with the FBI and take our proper action against you for not
proofing to us the legitimate of the fund you are about to receive.

Faithfully Yours,

FBI Director
Robert S. Mueller, III

Posted by: Marilyn | January 29, 2008 2:14 AM

I guess I'm very naive, but it still amazes me that people smart enough to operate a computer fall for these scams. The text posted by Marilyn is typical--so full of grammatical errors it's obviously not written by a fluent English speaker, and so full of blithering nonsense, it would make even a bureaucracy blush.

Posted by: Marge | January 29, 2008 6:32 PM

> I guess I'm very naive, but it still amazes me that people smart enough to operate a computer fall for these scams. The text posted by Marilyn is typical--so full of grammatical errors it's obviously not written by a fluent English speaker, and so full of blithering nonsense, it would make even a bureaucracy blush.

TRUE, but the problem stems from the mass majority of people who have recently acquired/purchased a computer (say the last five years) don't really know what they are doing.

Chances are if you ask most people how to do a routine task such as modify indentations in Word or open up their Add/Remove Programs from Control Panel, they'll be dumfounded by the request. This leads me to believe that there's a growing number of idiots online who get pulled into these various scams. The most obvious example has to be the number of people infected by bots that are stealing their MySpace accounts.

It's just as it is with the DMV. There's plenty of licensed people who do horribly on the road. Likewise, there's a number of people online who do horribly on the internet.

The best way to prevent these things from happening is education. Spread the word like wildfire. Scammers have always existed to take from the gullible, but we can build our own communications networks to keep the public informed. From there it's whether they choose to read and take caution or dismiss the warnings, allowing their greed to get the best of them.

Posted by: barcodedmaggot | January 30, 2008 2:27 PM

"The best way to prevent these things from happening is education."

I wholeheartedly agree! Problem is, you can lead a horse to water, but you can't make em drink!

I see it everyday at work and via family/friends. Many just can't be bothered to be "educated". It's too much of an inconvenience or it's looked at as someone else's responsibility to protect them. Yet, they are the first ones screaming victim when something happens.

Posted by: TJ | January 31, 2008 1:40 PM

It's easy to criticise people who fall for scams, but scammers are master copywriters who are able to tap into the emotional aspects of working at home. It's not enough to have street smarts about what is legit and not legit in working at home. You have to control the emotions that lead you to think that this time it might be the real deal. Knowledge, common sense and a level head are the weapons to fight scammers.

Posted by: Leslie Truex | January 31, 2008 2:47 PM

Many people fall into the trap because they are desperate for a job. Unless you're out of work right now, you have no idea how hard it is to find work regardless of education, experience, etc. I have extensive legal experience and have been out of work for over seven months. And those of us who are older, employers for some reason just do not want to talk to us, much less hire us. So, you have to understand that most people are not looking for easy money, they're just looking for money period to keep from losing everything they've worked so hard to gain.

I desperately need a job, but I never have believed in a "fast buck" and I refuse to use my bank account for the benefit of paying others "off". Some, however, are not as educated. Right now I have two checks in my desk totaling over $7,000.00 from "You've won a contest" written on the Bank of America, and another from "you've won some contest or other" written on Citibank.

With each check I received a letter (oh the grand total of my prize was $85,000.00 from Better Homes & Garden, yeah right) which had a phone number to call. I called the number numerous times and only got a message that the mailbox was full. I kept at it until such time as I reached a man with a foreign accent who told me to call back when I cashed the check. The checks would probably bounce and all of my private banking information and assets would probably bounce right out of the bank with it.

Desperate or not, always make sure it's legitimate. In my mind working at McDonalds for minimum wage beats the hell out of doing prison time for what . . . $25.00 per month plus room and board. :) At least if you work at McDonalds, you can go home at the end of the day. :)

Posted by: Gabrielle | February 1, 2008 4:05 PM

I recently received the Cyonix Healthcare scam email. It's easy to see by some of the word choices and sentence structure that English is not their native language, nor are they professional. One example is the Cyonix Healthcare Scam:
"We are a company based in Europe in United Kingdom. We receive orders from US"
What a joke. First of all, who wouldn't know what continent the UK is in? Would you really trust someone with processing checks and taking money to a bank for you if they didn't know something that basic? Secondly, you wouldn't say "We receive orders from US". It should be "We receive orders coming from the US" or something similar. The other example is the FBI scam: "we want to make sure is a legal money you are about to receive to verified that you are not involved with any money laundry." HaHaHa they sound like they are from China. The only way they could have made it more obvious they are from Asia would be to have written it as: "we want make sure is legal money you about to receive to verified you not involved with money laundry". The accounts receivable person at my work was falling for one of those scams from Nigeria. I couldn't believe someone with a Bachelor's degree in accounting could be so naive. She was having some financial problems, so I'm sure that was a big part of the problem. Like one of the posters above stated, some people who get in desperate situations are easily taken advantage of or make poor moral decisions.

Posted by: VanHousen | February 2, 2008 10:11 AM

VanHousen writes: "She was having some financial problems, so I'm sure that was a big part of the problem. Like one of the posters above stated, some people who get in desperate situations are easily taken advantage of or make poor moral decisions."

Uh, aren't these the very people our legal system is trying to protect?

Posted by: michael webster | February 3, 2008 3:21 PM

I was offered a job as an internet assessor by a well-known company. I also checked its website and it looks real. I was asked for my bank account to receive my salary. I still don't know what to do with it. Do you have a list of companies to check if this company is a fake or not?
Regards

Posted by: visit | February 5, 2008 10:37 AM

To the person who was asked to provide their bank acct# to receive your salary - don't give it! Once you hand over that information you've just given that person full access to your acct and they WILL take money from it. A lot of these scammers use the names, even logos or other likeness of legitimate companies in order to persuade people.

I also received the Cytronix email this morning. It just screams scammer. LOL.

Posted by: Christine | February 6, 2008 9:26 AM

Good you publish this, Bk. This is when malware isn't just a technical question anymore but also a moral one. I don't hold much hope for the Universe(tm) but at least you laid it out there and gave them a chance.

Posted by: Rick | February 7, 2008 11:30 AM

How can juridical systems try to even cope against organized crime that has 1000 times more money at their hands to fight off law enforcement?
As long as cybercrime is not seen as organized crime and law enforcement is boosted we won't see the end of it for this century.
So yes, in this case we, the citizens, have to pick up where law enforcement is incapable. I for one am doing something. If we all do something, the earnings of these East European and West African crime gangs will diminish. We cannot fight stupidity but we can raise public awareness and do things like www.aa419.org

Posted by: autosec.de | February 22, 2008 4:18 PM

to "Visit":

I work as an Internet Assessor for Lionbridge, while Google is (probably) the main customer of them, as we work in Google interface and review (mainly) Google search results...

I applied, sent CV, then took exam, signed contract... then I sent personal data with bank IBAN code. I received first fee and no money is missing on the account...for now.

If you apply and follow certain procedure, then this is likely not scam. But if they offer you a job not knowing you, and if they ask you for bank account before any procedure, then this is likely a scam.

What company are you talking about?

Posted by: Mike | March 1, 2008 10:39 AM

Is there an organization that I can forward the emails that I receive, such as these mentioned, to?

Posted by: Tony | March 20, 2008 7:08 PM

The comments to this entry are closed.

© 2010 The Washington Post Company