'Money Mule' Recruitment Network Exposed

In a blog post earlier this week, Security Fix examined the crucial role of "money mules" -- people in the United States who are willingly or unwittingly recruited to help cyber fraudsters steal money from businesses. In this column, we'll peer a bit deeper into how mules are recruited, and how they often communicate with their employers.

Security Fix interviewed one of the mules hired to receive money from Sanford School District, a small school system in Colorado that was robbed of $117,000 last month when hackers used the district's online banking credentials to send sub-$10,000 payments to this mule and 16 others.

The mule I spoke with said she was hired by a company called the Scope Group Inc., which claimed to be a nearly 20-year-old investment firm operating out of New York. The Scope Group did not return e-mails seeking comment, but there is no listing for a current company by that name in the New York State business register. Also, the company's Web site is hosted in China, and its domain name -- www.scope-group.cn -- ends with a Chinese country code. In addition, that domain name was registered on June 25, 2009, just a few weeks before the fraud against Sanford School District was perpetrated.

The Sanford mule -- who spoke on the condition of anonymity out of fear of reprisals by the hacked company and perhaps by the hackers themselves -- said the Scope Group approached her via e-mail, saying it had found her resume on Careerbuilder.com, and would she be interested in a work-at-home job acting as a "financial manager"? Having worked as a payroll manager in a previous job, the mule said she thought it was a perfect fit. Besides, she said, she'd been out of work since March.

The mule said that after responding to the initial recruitment e-mail, she was directed to create a profile at the Web site www.scope-group.cn. She was then asked to provide a large amount of personal and financial data, including her name, address, Social Security number, bank account and routing numbers, as well as a scanned copy of her drivers license. During the enrollment, she was prompted several times to make sure that her bank would allow her to withdraw up to at least $10,000 a day.

When she initially received a $9,815 transfer from Sanford School District's account, her managers sent her a notice through the scope-group.cn site that the funds had been deposited into her bank account (see screen shot below). According to the task notice sent to her through her Scope Group account, the money was transferred with the notation "Conejos School District 6J," one of the schools in the Sanford School District (for more on that attack, see Cyber Crooks Target Public and Private Schools).

What follows is a series of screen shots of and excerpts from messages she was sent leading up to receiving that transfer.

[Screen shot: scopetask1a.jpg]

After signing up, the woman was told to log in to her account at the Scope Group Web site every weekday morning from 9 a.m. to 11 a.m. local time, and to periodically check her "tasks" and "messages" folders -- more or less a Web-based e-mail inbox -- for news of incoming deposits.

Below is the body of text taken from a message sent to our mule -- and ostensibly all Scope Group employees who complete the signup process and are preparing to start their first day on the job.

My name is Thomas Chavers. I am Personnel Manager of Scope Group Inc. and will be your supervisor.

First of all I would like to congratulate you on the beginning of your work with Scope Group Inc. as a Financial Manager.

Having gained operational experience in Scope Group Inc., I recommend all new employees to treat seriously every small detail they may encounter in the course of their work. You have a real chance to obtain quick promotion in the nearest future if our management is satisfied with your job results.

Please strictly follow my instructions, do your best to perform your functional duties properly, be responsible and careful and the results will not take long to appear!

REMEMBER that you will be working with funds belonging to other people. Delays are unacceptable as we sign legally binding contracts with our clients.

According to the agreement (see EXHIBIT A: COMPENSATION) we have concluded, Scope Group Inc. is entitled to cutting back on agent's commission in case of payment processing terms violation by the agent. In case Financial Agent unreasonably delays transferring the money he/she received at his/her bank account for the period exceeding one business day, we may impose sanctions on him/her (if only the delay was not caused by any Force Majeur circumstances) and apply to arbitration and claim for reimbursement of the amount transferred to his/her account or for compensation of any other damage, if any, caused by such a delay.

We guarantee that you'll get your first task within 5 business days if you observe the following conditions:

- Every day at 9 a. m. sharp check your e-mail and Task Manager (TM) account. (PLEASE NOTE that our system logs all your activities.)

- Be always available via cell phone during business hours (preferred).

Scope Group Inc. has a right to cancel the contract if these conditions are not observed. If you observe these conditions only partially you may be at risk of getting discharged after the Probationary Period.

*ALSO, Our system automatically adds bonuses ($50-$100) if you check your TM account regularly.


The Scope Group apparently wants employees to know that if they get any bright ideas -- like trying to make off with a $9,500 deposit and neglecting to wire the money as instructed -- the company won't hesitate to alert the FBI and/or other appropriate law enforcement agencies. Mules also are reminded that their employers have a great deal of information about them, including their IP address (not to mention every other piece of data one might need to steal a mule's identity at some date in the future). Again, from the introductory e-mail sent to our mule:

[Screen shot: scopegreet.jpg]

"IMPORTANT: In the past we registered attempts of fraud and as the amounts of transactions handled by our financial managers are quite considerable, we closely cooperate with the police, FBI, Criminal Police Organization in all the countries of the world. Scope Group Inc. has a security department that supervises such issues. Your every visit on the site is logged by our system and your IP address is saved.

***We recommend to use 2-3 different locations to complete the transaction.

After cash withdrawal you are to make transfer(s) at your local Western Union location(s). Commission (8 %) should be deducted from the received money. WU fees along with all other costs, such as bank fees, transportation costs, etc. are covered by you and are deducted from your commission.

The Sanford mule I interviewed said the bank account she gave the Scope Group to receive deposits was a business account, and that her bank's fraud division closed it immediately after it learned the $9,815 transfer she received was fraudulent. They also changed her business account balance to -$888,888.88, a figure the mule said her bank told her was assigned to accounts as an indication that they are to receive no future debits or credits.

"I had to prove to my bank that I was a victim of fraud," the mule told Security Fix. "I had to fax them the receipts for the wire transfers I sent after I received the money, to prove that I didn't just keep it. They said that since I was the victim of fraud, the bank would normally file an insurance claim, and that's how they would recoup the money."

I should note that because these fraudsters tend to use generic-sounding names for their fake corporations, there are a number of businesses which have names similar to The Scope Group that have nothing to do with the perpetrators of this crime. I spoke with one gentleman from a legitimate Scope Group Inc. in Houston, who said the company had received close to 30 e-mails and phone calls over the past few weeks from curious or angry people wondering whether they were involved in the scam.

By Brian Krebs  |  September 24, 2009; 3:10 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , Small Business Victims , Web Fraud 2.0  | Tags: money mules, sanford school district, scope group  

Comments

I really hope you're working up to a major story in the regular paper, or a book. Lots of people who don't read this blog should see this.

Question: From reading through the documents it looks like she was expected to withhold 8% of any monies she was transferring as a commission? Or were they "going to" send it to her later?

Posted by: wiredog | September 24, 2009 3:44 PM | Report abuse

@wiredog -- yes, that's correct. They are instructed to keep 8 percent of the fraudulent deposit, but the cost of sending the wires via Western Union and MoneyGram is the mules' responsibility, so it effectively cuts into their commission.

It's actually pretty costly to wire the money, b/c the mules are typically instructed to split each deposit into three different wires, and to go to different Western Union offices to wire the money. See the screen shot at this post for an idea of what I'm talking about here:

http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html

Posted by: BTKrebs | September 24, 2009 3:58 PM | Report abuse

While there are still many red flags (.cn domain, bad English, the whole process), the fraudsters are getting much more sophisticated in trying to create the illusion of a legit business.

It would be nice to see the resume sites send a bulletin to their users outlining this type of scam, since they are such a major pool of targets for the fraudsters.

@BTK, have you ever followed up with Western Union to understand their ability or effort to recover funds once they've been transferred?

Posted by: littlescraper | September 26, 2009 9:54 PM | Report abuse

@littlescraper - sort of. It's just that the time between the mule sending the wire to the fraudsters and the fraudsters picking up said wire is pretty small, so usually once it's sent, it's sent.

Posted by: BTKrebs | September 26, 2009 11:57 PM | Report abuse

You write that the mule says she was a victim of fraud, but I thought money mules can be prosecuted for participating in the scams. Can someone just claim ignorance in this case?

Posted by: revolutionaryreader | September 28, 2009 1:55 PM | Report abuse

Usually there is little recourse for the fraud victims to recover funds once they sent it out. The Moneygram/Western Union wire is pretty much immediate, while the supposed "cheque" from the fraud will bounce after a few days. The cheque in question could be a stolen one or a fake one.

The bottom line to all these frauds is that it works towards the victim's own greed in quick money.

Recently, even the BBC show Heir Hunters was used to promote certain "next-of-kin" inheritance scams (http://www.sophos.com/blogs/sophoslabs/v/post/6622). Using a prominent TV show does add a bit more plausibility, just like the claim of "finding your resume on Career Builders".

Savio Lau, SophosLabs

Posted by: saviolau | September 28, 2009 2:06 PM | Report abuse

Excellent series of articles Brian.

Though careerbuilder.com does have alerts about these money mule jobs: http://www.careerbuilder.com/JobSeeker/Info/Fraud.aspx I do not believe that they are taking sufficient action to combat this epidemic. In my opinion, careerbuilder does not adequately vet employer applicant accounts. These criminals gain easy access to massive databases of resumes for targeting potential money mules. This activity has been going on for a long time.

For example, this same criminal operation that is listed here was the subject of a report by a money mule on ripoffreport.com back in February 2009. That mule report lists how they received a transfer of $9,300 taken from a company in TN, L S Starrett. The mule was then instructed to withdraw the cash and send it via Western Union to 3 recipients: two in Chisinau, Moldova, and a third in Moscow, Russia.
http://www.ripoffreport.com/Miscellaneous-Companies/MMT-GROUP-INC/mmt-group-inc-scammers-pleas-479d3.htm


Besides Scope Group Inc aka scope-group.cn, these criminals have dozens of active fake recruiting websites.

An audit of a few of their active IP addresses shows the following fraud domains:

Anyone recruited from resumes on file with careerbuilder.com by any of these entities, should be aware that they are recruiting money mules.

MGD

Posted by: -MGD- | September 28, 2009 5:56 PM | Report abuse

First of all, these folks are already being denigrated by having their gullibility discussed herein, so I think it's going a bit overboard to refer to them as "the mule" and such, though it does make a convenient shorthand for folks whose identities you're trying to protect, admittedly.

Secondly, since the banks are not going to back up their business and non-profit customers against fraud, maybe they can all at least agree to create a new category of embargo-ed funds: besides those available for immediate withdrawal and those waiting for some check to be cleared, maybe a category for funds that can't be immediately wired anywhere -- or payable to Western Union or whatever other wire-transfer agency (if any others there be).

This might recoup them enough on not having their retail customers bilked and having to recoup them (or on fraud insurance premiums or wherever the savings would come from) to make up for their loss of their debit-card overdraft insurance nonsense, even. Well, maybe not that much, and maybe they should take the imputed non-loss and put it into a trust fund, anyway, either to remunerate their non-retail customers who still get victimized or to hire bounty hunters to get back the ill-gotten goods from the perpetrators or maybe to sue wire-transfer agencies for negligence -- and maybe thus encourage them to exercise diligence or try to get the money back from the bad guys or whatever.

Posted by: buckh | September 28, 2009 11:03 PM | Report abuse


A very similar deplorable event happened to me... I received the funds in the mail and deposited the check and made the required inquiries about when the funds were cleared ... it was about 4 days after the deposit of 5,000 (-/+) that the bank said yes, they've cleared.
[The original notice to me: 'they found my name on Job Search board' and I think it was CareerBuilder. THEY communicated by e-mail and phone.]
I went to the bank, took out the cash less my $280 commission and sent it to someone in Oklahoma. The original check came from New York - I didn't think much of it, being unemployed and desperate.
The funds I rec'vd went to purchase filing systems to complete the work processing station I would have in my home to do this great little side job.
NOT 45 min after I left the bank with the $5000.00 the bank called me and said the check was a fraud - and in further dialogue, I was responsible for all of the money, and I'm currently paying $141 a month to salvage my credit and my daughter's credit, who was inadvertently still on my bank acct as she opened it for me before I moved up here to Billings, MT from Los Angeles, a couple years prior.
I despise the bank for reneging; they said it was good, they gave me the cash, and it should be their responsibility for clearing what they later told me 'well that's the Federal Clearance not the actual clearance' crap. Liars and Crooks themselves for authorizing check clearance and then forcing me to repay or jeopardize my daughter's credit.
Never bank at Stockman Bank.
1. I don't think any of the parties involved are doing anything about these scams. I told the police and they came by, took all my info and I never heard from the BPD again.
2. Rich People don't get scammed. Just the poor and desperate.

Posted by: Darwin26 | September 29, 2009 2:39 AM | Report abuse

This whole Fake IRS spam / Zeus bot / Money mule / mass withdrawal setup uncovers a bunch of questions:

Assuming:

a) An individual joins one of these mule scam sites and receives a check. That check features the transit / branch numbers of the account of someone who was compromised by Zeus. So to the recipient bank it appears as a legitimate account (because it is) and they process the transaction.
b) Conversion to cash plus sending via Western Union means: no trace.

Questions:

a) Doesn't Western Union bear some responsibility for executing large transactions of this sort? Especially given that they have become the money wire platform of choice for all manner of criminal operations in the past four years or so, why hasn't any law enforcement agency started cracking down on Western Union, or requiring them to reveal recipient information? (Unless of course that also is fake, in which case what does this say about Western Union?)

b) Can't Western Union be subpoenaed by someone to divulge who collected the money? At which location? Providing which ID?

c) If a bank account holder suddenly, and with no prior evidence of having done so before, deposits and withdraws a check amounting to $10,000 or so, shouldn't this raise the alarm at the bank? If they do it a second time a few days later: shouldn't this FURTHER raise the alarm?

Clearly these criminals are exposing huge, huge holes in the current banking and money wire industries. They must have researched all of this for months before beginning to plan or execute any of this.

SiL / IKS / concerned citizen
http://ikillspammers.blogspot.com/

Posted by: killspammerz | September 29, 2009 1:50 PM | Report abuse
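One way a bank could encode the alarm question c) above asks for, written as an added example that is not code from the article, the commenter or any bank: it scores an account's transactions against the cash-out pattern the post describes (a single deposit structured just under $10,000 into an account with no history of credits that size, nearly all of it leaving within the one-business-day deadline the recruiters impose, with the mule keeping about 8 percent). The account histories, dates and thresholds are constructed assumptions; only the $9,815 amount and the "Conejos School District 6J" memo come from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed bank-side heuristic (not the article's or any bank's code) for the
# mule cash-out pattern: a dormant account takes one sub-$10,000 credit and
# nearly all of it leaves as cash or wires within one business day.

@dataclass
class Txn:
    when: datetime
    kind: str          # "credit", "cash_out" or "wire_out"
    amount: float
    memo: str = ""

CTR_THRESHOLD = 10_000.0   # US currency-transaction reporting threshold the deposits stay under
COMMISSION = 0.08          # share the recruiters tell the mule to keep
LOOKBACK = timedelta(days=90)

def business_days_between(a: datetime, b: datetime) -> int:
    """Weekdays strictly after a's date up to and including b's date (a <= b)."""
    days, d = 0, a.date()
    while d < b.date():
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days

def flag_mule_cashout(history: list[Txn]) -> list[tuple[Txn, str]]:
    """Return (credit, reason) for every incoming credit that matches the pattern."""
    txns = sorted(history, key=lambda t: t.when)
    alerts = []
    for i, t in enumerate(txns):
        if t.kind != "credit" or not (0.85 * CTR_THRESHOLD <= t.amount < CTR_THRESHOLD):
            continue  # only credits structured just under the threshold
        prior = [p for p in txns[:i] if p.kind == "credit" and t.when - p.when <= LOOKBACK]
        if any(p.amount >= 0.5 * t.amount for p in prior):
            continue  # the account routinely receives credits of this size
        out = [o for o in txns[i + 1:] if o.kind in ("cash_out", "wire_out")
               and business_days_between(t.when, o.when) <= 1]
        moved = sum(o.amount for o in out)
        if moved >= 0.95 * (1 - COMMISSION) * t.amount:
            alerts.append((t, f"{moved:.2f} of {t.amount:.2f} left within one business day"))
    return alerts

# Constructed sample accounts; only the $9,815 amount and memo echo the article.
MULE_ACCOUNT = [
    Txn(datetime(2009, 6, 5, 9), "credit", 1850.00, "payroll"),
    Txn(datetime(2009, 6, 19, 9), "credit", 1850.00, "payroll"),
    Txn(datetime(2009, 8, 20, 8), "credit", 9815.00, "Conejos School District 6J"),
    Txn(datetime(2009, 8, 20, 10), "cash_out", 9815.00, "teller withdrawal"),
]
REFUND_ACCOUNT = [  # a large but legitimate credit that is spent slowly: no alert
    Txn(datetime(2009, 7, 3, 9), "credit", 9600.00, "TAX REFUND"),
    Txn(datetime(2009, 7, 3, 13), "cash_out", 500.00),
    Txn(datetime(2009, 7, 10, 13), "cash_out", 400.00),
]
```

Running `flag_mule_cashout(MULE_ACCOUNT)` yields one alert on the $9,815 credit, while the refund account produces none because the money stays put past the one-business-day window.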

@ killspammerz

After reading about these scams on Security Fix, I became alarmed and contacted my bank to ensure there was a notice on my account forbidding any wire transfers that weren't initiated by a telephone call or visit to the bank.

As it turns out, I didn't need to do so: I live and bank in Canada, where banks do not allow wire transfers to be initiated/carried out through Internet banking.

Maybe not as convenient, but much, much safer.

Posted by: johanna3 | September 30, 2009 10:30 PM | Report abuse

© 2010 The Washington Post Company