FDIC: Uptick in 'money mule' scams
The Federal Deposit Insurance Corporation (FDIC) is warning financial institutions about an uptick in scams involving unauthorized funds transfers from hacked online bank accounts to so-called "money mules," people hired through work-at-home scams to help cyber criminals overseas launder money.
According to the FDIC, the following are examples of events that may indicate money mule account activity:
-A customer who just opened a new account suddenly receives one or several deposits, each totaling a little less than $10,000, and then withdraws all but approximately eight to 10 percent of the total (the mule's "commission").
-A foreign exchange student with a J-1 Visa and fraudulent passport opening a student account with a high volume of incoming/outgoing money transfer/wire activity.
In tracking more than 50 companies over the past five months that have been victimized with the help of willing or unwitting money mules, I've spoke to dozens of folks who got caught up in these scams.
While a majority of mules I interviewed received a single fraudulent payment from only one victimized company, some were sent money from multiple victims, or signed up with more than one mule recruitment firm. In fact, one mule I tracked down recently admitted to receiving funds from at least two hacked companies. This individual also was among the phantom employees added to a company's payroll after a breach last month at payroll processing giant PayChoice.
"The FDIC alert and reporting by the Washington Post suggest that cyber criminals are increasingly using money mules to target banks and related financial databases," PayChoice chief executive Robert Digby said in an e-mailed statement. "The recent attack on PayChoice appears to fit that pattern."
On Sept. 23, unknown hackers broke into Moorestown, N.J.-based PayChoice, a company that provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. The thieves stole the names, e-mail addresses, user names and passwords that a large number of PayChoice's customers used to access onlinemployer.com, PayChoice's service portal. Not long after that, the attackers then included that information in spoofed e-mails to PayChoice's clients, addressing each recipient by name and warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords.
When I first got wind of that breach, I immediately wondered if the culprits might be the same individuals responsible for a rash of incidents I've investigated this year in which attackers used password-stealing Trojans to swipe the banking credentials of small to mid-sized firms. In every case, the attackers used that access to put money mules on the payrolls of those companies and then send the mules sub-$10,000 bank transfers.
PayChoice responded to that breach by forcing customers to change their passwords. But sometime during the week of Oct. 12, some PayChoice customers reported seeing phantom employees added to their outgoing payroll. PayChoice alerted its customers that hackers had again breached its systems, and urged customers to be on the lookout for unauthorized payroll transfers to four specific people and associated bank accounts. PayChoice said one of those individuals was named Ronald Cutshall, and that an account associated with Cutshall ended in the numbers 7766.
Security Fix recently caught up a Ronnie Cutshall from Greeneville, N.C. who acknowledged having an account at the local GreenBank ending in those four digits.
Cutshall, 48, runs a small horse carriage service called Greeneville Carriage Co.. Cutshall said he had never heard of PayChoice, but he did admit to receiving $9,600 from a company called American Realty on Oct. 6. At least, that was the name of the company on the receipt his erstwhile employers sent him (see the screenshot below). The bank routing number on the $9,600 payment Cutshall said he received from American Realty traced back to Georgia, but attempts to reach the victim were unsuccessful (there are more than 100 companies in Georgia with some approximation of that name).
According to Cutshall, approximately three weeks prior to receiving that $9,600 bank transfer, he had been recruited over the Internet as a finance manager by a company called the Fairline Group (the company's Web site is at fairline-group.cn), which said it had found his resume on a popular job search site.
Several requests for comment e-mailed to addresses listed at Fairline Group's Web site went unanswered. But the Web-based interface used by the group to manage employees is similar as ta firm purporting to be the Scope Group, another mule recruitment firm identified in a previous blog post (see 'Money Mule' Recruitment Network Exposed).
ZDNet blogger Dancho Danchev has written extensively about the links between the Fairline Group's Web site and other sites used by money mule recruiters, which share internet infrastructure and Web site registration details.
Cutshall said he withdrew all but about $750 of the $9,600 transfer from American Realty, and then wired the money via Western Union to his employers in Ukraine, as instructed.
Cutshall said that on Oct. 16 he received yet another unexpected transfer, totaling $3,441.97. This time, however, Greeneville Bank froze his account, just hours after the money was deposited.
Turns out, at about the same time he was recruited by Fairline, Cutshall had responded to a job offer from a company called Medical Payments Inc.-- at the Web site medical-payments.org -- which also reported finding his resume on an Internet job search site. According to the e-mail sent from his contact at that site, the name on the bank transfer as the source account was a law firm in Central Florida by the name of "The Law Offices of Thomas." That is almost certainly not the full name of the victim organization in this case, since most bank transfer receipts list only a finite number of characters in the "from" field of any given transaction.
I checked with PayChoice: Neither the $9,600 payment nor the $3,441 transfer matched amounts that were intended for Cutshall from customers of PayChoice that had phantom employees added to their payrolls. Cutshall said he doesn't recall signing up with any other work-at-home recruitment firms. This suggests that the attackers who added his name to the payroll of PayChoice's customer may also have been responsible for adding him to the payroll for the hacked realty company and/or law firm. Alternatively, there may be two or three separate criminal groups responsible for the incidents, with each group pulling money mules from a single mule recruitment service.
Cutshall, who describes himself as a nurse and a 16-year veteran who fought in the first Gulf War, said he researched both companies online before joining up with them, and that their Web sites looked legitimate. Cutshall he would never have had anything to do with these companies had he known or suspected they were fraudulent.
"I just was wanting to provide for my family," he said. "But when I seen that this money was supposed to go to Ukraine, I was like 'Wait a minute.' I'm an old soldier from the Cold War. I'll do it this time, but after this I ain't helping nobody if I don't know where the money is coming from or where it's going."
For its part, PayChoice said it has "conducted a comprehensive review of its IT infrastructure, including network devices, servers, applications and IT operating procedures, and that it is "deploying responsive measures recommended by industry-leading security experts."
"While law enforcement authorities have asked us not to provide detailed information to the public, PayChoice has responded vigorously to last month's breach of our online system," Digby said.
Note to readers: This blog post refers to an entities calling themselves the Fairline Group, and Medical Payments Inc. -- using the Web site names fairline-group.cn and medical-payments.org, respectively -- that allegedly helped recruit people to help commit online crime. Because fraudsters tend to use generic-sounding names when they create fake corporations, there may be a number of businesses which have names similar to those named in this story that have nothing to do with the perpetrators of this crime.
November 2, 2009; 6:00 AM ET
Categories: Fraud , From the Bunker , Small Business Victims , Web Fraud 2.0 | Tags: fdic, money mules, paychoice
Save & Share: Previous: A makeover for federal cybersecurity reporting
Next: What Windows Autorun Has Wrought
Posted by: blasmaic | November 2, 2009 10:05 AM | Report abuse
Posted by: jackrussell252521 | November 2, 2009 10:56 AM | Report abuse
Posted by: michaelargast | November 2, 2009 12:10 PM | Report abuse
Posted by: ummhuh1 | November 2, 2009 12:44 PM | Report abuse
Posted by: bellabone | November 2, 2009 1:56 PM | Report abuse
Posted by: tuber | November 2, 2009 2:13 PM | Report abuse
Posted by: blasmaic | November 2, 2009 3:18 PM | Report abuse
Posted by: Dawny_Chambers | November 2, 2009 4:32 PM | Report abuse
Posted by: observer31 | November 2, 2009 7:48 PM | Report abuse
Posted by: observer31 | November 2, 2009 7:51 PM | Report abuse
Posted by: observer31 | November 2, 2009 7:52 PM | Report abuse
Posted by: 20yrskinfan | November 2, 2009 8:55 PM | Report abuse
Posted by: -MGD- | November 2, 2009 10:36 PM | Report abuse
Posted by: firstname.lastname@example.org | November 3, 2009 3:34 AM | Report abuse
Posted by: featheredge99 | November 5, 2009 12:18 AM | Report abuse
The comments to this entry are closed.