
'Money Mules' Help Haul Cyber Criminals' Loot

Another unwitting money mule -- Sandy Flood, 41, from Woodbridge, Va. -- responded to a work-at-home offer that arrived in an e-mail from an employer who'd found her resume at Monster.com. The initial e-mail was from a woman claiming to work for the New Jersey offices of a company called diamond-finance.info. Flood said she, too, researched the company online and decided it was legitimate after visiting the site. She would later learn the Web site name of the real Diamond Finance lacks a hyphen between the two words.

After signing a standard employment contract and faxing it back to the company, Flood received five transfers of $215 each into her PayPal account over a 48-hour period. Shortly after she moved the $1,075 to her checking account, PayPal called to say the transactions were suspicious. Just a few days later, PayPal's investigators found her at fault and responsible for paying back the money. Meanwhile, the counterfeit Diamond Finance Web site had disappeared. Luckily for Flood, PayPal contacted her before she had wired the money to the criminals.

eBay spokesperson Amanda Pires said eBay and PayPal users should be extremely wary whenever a company or individual requests money transfers via Western Union, as consumers have no recourse if something later goes wrong with the transaction.

"Online fraud including phishing and work-from-home scams are effective only if someone gives over his or her online credentials," Pires said. "E-mail addresses, password, personal financial info should be protected just as an ATM number or credit card number would be protected in the offline world."

No specific data is available on how many people get taken in by the scams, though several thousand Americans are probably recruited to act as mules every year, according to Matt Richard, a security researcher at Sterling, Va.-based iDefense who has studied this form of fraud.

Underreporting may also be influenced by victims who eventually realize they are embroiled in a criminal operation but are afraid to report their plight to authorities. "By reporting themselves, money mules really are tying their own noose," Richard said. "I think many of these mules in the back of their mind at some point know that the job is too good to be true."

Several factors suggest a strong link between money mule recruiters and phishing and computer virus writing operations. Examining the messages blasted out in a recent money mule recruitment spam run, Harrison found unusual computer coding embedded in the messages. The code -- designed to confuse spam filters -- was set to display in white so as to be invisible to a human, but readable to machines.

Harrison said he has seen the same type of code in phishing e-mails sent by a notorious Russian phishing gang known as the "Rock Group," an outfit security experts say is responsible for more than half of all phishing messages sent on any given day.

Ron Plesco, CEO of the National Cyber Forensics and Training Alliance, an industry-law enforcement partnership based in Pittsburgh, said money mule operations have become a key part of the ecosystem of cyber crime, where moving money across borders without generating suspicion from authorities is a must. "There is a whole sub group of people who will move money for you via money mules," he said. "There is a whole subculture that can be hired out to move stolen funds for you through money mules."

Money mule recruiters also found an ally in the author(s) of one of the more prolific families of malicious software, an e-mail based Trojan-horse program known as the "Storm worm." For the first nine months since its inception in January 2007, the millions of Storm-infected PCs were used almost exclusively to pump out spam touting shares of penny stocks in complex investment scams.

Then, roughly once a month starting in September, the network of Storm-infected machines was spotted being used to funnel mule recruitment e-mails, said Joe Stewart, a senior security researcher at Atlanta-based SecureWorks.

All of the messages directed interested recipients to sign up at various online forums. Some were traditional money mule come-ons that tried to maintain a veneer of legitimacy, while other campaigns sought to play on another class of money mule recruits: Those who understand full well that they are aiding criminals but nonetheless believe they can reap a share of the profits.

One of the messages sent over the Storm network targeting this group was straight and to-the-point, with a subject line that read, "Work as a middle man for $8000/month." The rest of the message suggested the criminals' ability to enjoy the benefits of their stolen bounty was limited only by the size of the money mule pool:

"We have large amount of funds on numerous bank accounts which needs to be laundered. We need your help to do that. You'll get 10% of each transaction coming into your bank account."

Experts say almost all money mules -- both unwitting and complicit -- end up losing money.

The old adage, "If an offer or deal sounds too good to be true, it probably is," is just as appropriate in the online world as it is in the physical world, said eBay's Pires.

"The scams are becoming more sophisticated, but the basic rules of common sense and online security have not changed in a long time," Pires said. "It doesn't matter how sophisticated these scams get, these rules still apply."


© 2008 Washingtonpost.Newsweek Interactive