washingtonpost.com
'Money Mules' Help Haul Cyber Criminals' Loot

By Brian Krebs
washingtonpost.com Staff Writer
Friday, January 25, 2008 10:51 AM

The e-mail offer of a work-at-home job was a godsend to Deena Monroe, a Statesville, N.C., single mom who had just been laid off from her position as a warehouse supervisor. The prospective employer said Monroe's resume had been spotted on job search site Careerbuilder.com and offered her the chance to make a few hundred dollars a week completing sales for a marketing company based in Australia.

Monroe said she researched the company named in the solicitation -- Adamant Global Pty Ltd. -- and concluded it was a legitimate firm. In mid-September, she decided to take the offer. She was asked to add an e-mail address to her account at PayPal, which the Adamant rep explained she needed in order to transfer money on the company's behalf.

Soon after, Monroe received a deposit of $2,601 into her PayPal account, with instructions to transfer the money to her checking account, withdraw it and wire the bulk of the amount via Western Union to two separate addresses in India. She was told to keep 10 percent as her commission.

Less than two weeks later, Monroe received a terse e-mail from an eBay user who was curious when he might receive the new computer he'd won at auction, the one for which he'd sent precisely $2,601 to her PayPal account.

EBay investigated, concluding that Monroe's phantom employer had tied her PayPal account to a fraudulent auction. The auction site's verdict: She was responsible for repaying the full amount to the blameless auction winner. Monroe is now working two part-time jobs to pay the bills and to make the other victim whole.

"At first, the [buyer] was really mad and understandably so," Monroe said. "But I was just as irate because I had gotten taken, and there was nothing anyone could do about it."

Monroe was the victim of a "money mule" scam, in which criminals make use of third parties (often unsuspecting victims like Monroe) to launder stolen funds. Mule recruitment is an integral part of many cyber crime operations because money transferred directly from a victim to an account controlled by criminals is easily traced by banks and law enforcement. The mules, therefore, serve as a vital buffer, making it easier for criminals to hide their tracks.

According to Bob Harrison, a U.K. resident who has tracked thousands of money mule operations on his Web site (www.bobbear.co.uk) for the past five years, several new mule sites are popping up every day.

"I've seen a tenfold increase in these sites since 2003, and the back-end operations behind them are becoming more sophisticated and automated," Harrison said.

Harrison said he receives e-mails from at least three money mule victims per week, and many more from would-be money mules thanking him for identifying the latest recruitment scam sites. The retired communications engineer said he uses various search engine optimization techniques in an attempt to ensure his site is returned higher in the rankings before any given money mule site, with the aim that potential money mules researching an innocent company whose good name is being used by mule sites will turn up his profile pages before landing at the imposter's site.

One factor making it easy for criminals to recruit mules is the emergence of easy money transfer services like PayPal. Sensitive data like bank account numbers and bank routing numbers aren't needed for mules to move money. Instead, many mule operations simply ask recruits for the e-mail address tied to a PayPal account, or to add a second e-mail address to it.

The mule recruiters also have perfected the art of impersonating established online businesses. In nearly every money mule scam, the fraudsters build fake store fronts by copying the names, trademarks and Web content of legitimate online companies. In Monroe's case, the scammers had stolen all of the content (save for the contact information) from the Web site of the real Adamant Global Pty (adamantglobal.com.au) and copied it over to the counterfeit site at globaladamant.com, the domain advertised in recruiting e-mails.

Another unwitting money mule -- Sandy Flood, 41, from Woodbridge, Va. -- responded to a work-at-home offer that arrived in an e-mail from an employer who'd found her resume at Monster.com. The initial e-mail was from a woman claiming to work for the New Jersey offices of a company called diamond-finance.info. Flood said she, too, researched the company online and decided it was legitimate after visiting the site. She would later learn the Web site name of the real Diamond Finance lacks a hyphen between the two words.

After signing a standard employment contract and faxing it back to the company, Flood received five transfers of $215 each into her PayPal account over a 48-hour period. Shortly after she moved the $1,075 to her checking account, PayPal called to say the transactions were suspicious. Just a few days later, PayPal's investigators found her at fault and responsible for paying back the money. Meanwhile, the counterfeit Diamond Finance Web site had disappeared. Luckily for Flood, PayPal contacted her before she had wired the money to the criminals.

eBay spokesperson Amanda Pires said eBay and PayPal users should be extremely wary whenever a company or individual requests money transfers via Western Union, as consumers have no recourse if something later goes wrong with the transaction.

"Online fraud including phishing and work-from-home scams are effective only if someone gives over his or her online credentials," Pires said. "E-mail addresses, password, personal financial info should be protected just as an ATM number or credit card number would be protected in the offline world."

No specific data is available on how many people get taken in by the scams, though several thousand Americans are probably recruited to act as mules every year, according to Matt Richard, a security researcher at Sterling, Va.-based iDefense who has studied this form of fraud.

Underreporting may also be influenced by victims who eventually realize they are embroiled in a criminal operation but are afraid to report their plight to authorities. "By reporting themselves, money mules really are tying their own noose," Richard said. "I think many of these mules in the back of their mind at some point know that the job is too good to be true."

Several factors suggest a strong link between money mule recruiters and phishing and computer virus writing operations. Examining the messages blasted out in a recent money mule recruitment spam run, Harrison found unusual computer coding embedded in the messages. The code -- designed to confuse spam filters -- was set to display in white so as to be invisible to a human, but readable to machines.

Harrison said he has seen the same type of code in phishing e-mails sent by a notorious Russian phishing gang known as the "Rock Group," an outfit security experts say is responsible for more than half of all phishing messages sent on any given day.

Ron Plesco, CEO of the National Cyber Forensics and Training Alliance, an industry-law enforcement partnership based in Pittsburgh, said money mule operations have become a key part of the ecosystem of cyber crime, where moving money across borders without generating suspicion from authorities is a must. "There is a whole sub group of people who will move money for you via money mules," he said. "There is a whole subculture that can be hired out to move stolen funds for you through money mules."

Money mule recruiters also found an ally in the author(s) of one of the more prolific families of malicious software, an e-mail based Trojan-horse program known as the "Storm worm." For the first nine months since its inception in January 2007, the millions of Storm-infected PCs were used almost exclusively to pump out spam touting shares of penny stocks in complex investment scams.

Then, roughly once a month starting in September, the network of Storm-infected machines was spotted being used to funnel mule recruitment e-mails, said Joe Stewart, a senior security researcher at Atlanta-based SecureWorks.

All of the messages directed interested recipients to sign up at various online forums. Some were traditional money mule come-ons that tried to maintain a veneer of legitimacy, while other campaigns sought to play on another class of money mule recruits: Those who understand full well that they are aiding criminals but nonetheless believe they can reap a share of the profits.

One of the messages sent over the Storm network targeting this group was straight and to-the-point, with a subject line that read, "Work as a middle man for $8000/month." The rest of the message suggested the criminals' ability to enjoy the benefits of their stolen bounty was limited only by the size of the money mule pool:

"We have large amount of funds on numerous bank accounts which needs to be laundered. We need your help to do that. You'll get 10% of each transaction coming into your bank account."

Experts say almost all money mules -- both unwitting and complicit -- end up losing money.

The old adage, "If an offer or deal sounds too good to be true, it probably is," is just as appropriate in the online world as it is in the physical world, said eBay's Pires.

"The scams are becoming more sophisticated, but the basic rules of common sense and online security have not changed in a long time," Pires said. "It doesn't matter how sophisticated these scams get, these rules still apply."

© 2008 Washingtonpost.Newsweek Interactive