Scam and "mule" recruitment.

Date : December 07, 2009

For several years now, it has been common to receive e-mails offering a part-time job at home that simply consists of transferring money on behalf of a foreign company. These e-mails are conventional spam: the offer has little chance of being accepted, but it is sent to so many targets (at a marginal cost) that several victims will eventually accept the deal. In this case the victims do not buy a fake Rolex or Viagra, or disclose their banking password, but apply for an extra job.

These job offers are of course scams, and the person hired this way is commonly called a "mule" (by analogy with the drug mule hired to carry, sometimes unwittingly, drugs or other illegal material). The job of the mule is often the following:

  • Receive money on a purposely created bank account (or Paypal account)
  • Convert this money into cash and transfer the cash abroad using an international money service such as Western Union
  • Take a small commission, as a fee for the service, on the amount of money sent.

This money mule scam has been known for several years. In early 2007, the French CLUSIF devoted a briefing to that topic during its Annual Cybercrime Overview (see the "More Information" section below). At that time, the e-mails offering this type of job were still uncommon, and mostly written in English.

 

An e-mail sample

Things have evolved since then. As an example, we reproduce below a scam e-mail we received mid-October. Except for the subject of the e-mail (which is a bit odd), it is surprising to see how persuasive this e-mail is:

  • It really looks like a job offer,
  • The language used is quite correct (the e-mail was in French),
  • The terms used are credible.

This e-mail, like any spam, was sent by anonymous mass-mailers (possibly installed by hackers on compromised computers) which cannot be traced back to the originator. The only way to contact the originator is in fact a Gmail account mentioned at the end of the e-mail. In the other samples we got for the same spam, the sender address and Gmail address were different, but the e-mail body was unchanged.

The only suspicious element is the phrase "make payments through WU / MG", which refers to "Western Union" and "MoneyGram": two international services for sending cash abroad.

Note: this e-mail sample was originally in French and has been translated for the purpose of this article. Our intent was to demonstrate that the e-mail was written in very good French.

From: Senior Solutions and Strategies [cumatt@desingel.be]
Date: Saturday 24th October 2009 16:59
To: Cert-IST
Subject: Profitable Business


Job Opportunities N° 23
Date of publication: October 24th, 2009
Company: Senior Solutions and Strategies


Do you want to integrate a branch of an international company based abroad?

Vacancies:

  1. Bookkeeper
  2. Accounting and Management Internship

Description:

1.  BOOKKEEPER

Number of Vacancies : 9
Education level required: Any
Start date: asap
Duration: 12 months
Salary: 7% to 9% of each transaction
Trial Period : 1 month
Location: any region
Working hours: Part-time employment (1.5-2 hours per day)

Activities:

  1. administrative correspondence
  2. telephone reception
  3. Reporting
  4. make payments through WU / MG

 

2.  ACCOUNTING AND MANAGEMENT INTERNSHIP

Number of Vacancies : Unspecified
Education level required: Any
Start date: asap
Duration: Unspecified
Compensation: 7% to 10% of each transaction
Trial Period : 1 month
Location: France
Working hours: Part-time employment (2 hours per day)

Activities:

  1. administrative correspondence
  2. telephone follow-up
  3. Various administrative tasks
  4. make payments through WU / MG
  5. conduct international payments

You are dynamic and autonomous, you have a good adaptability, then
please fill out the form below:


Lastname:
Firstname:
Country:
Town:
ZIP Code:
Phone:
Mobile:
E-mail:
Additional information about you:


Join us by sending your application by mail: Senior.Solutions.HR@gmail.com

© Copyright 2002-2009 "Senior Solutions and Strategies
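
The indicators discussed above can be checked mechanically. The following is an added example, not part of the original article: a small scorer that looks only at the message body and the contact address, since those stayed constant across samples while the sender address changed. The indicator names, the free-mail domain list and the benign message are assumptions made for illustration; the suspicious sample is abridged from the e-mail above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed list, extend as needed
PATTERNS = {  # hypothetical indicator names, derived from the sample above
    # abbreviations are matched case-sensitively to avoid hits on units such as "mg"
    "money_transfer_service": re.compile(r"\b(?:WU|MG)\b|(?i:western union|moneygram)"),
    "commission_per_transaction": re.compile(
        r"\d+\s*%\s*(?:to\s*\d+\s*%\s*)?of each transaction", re.I),
    "no_qualification_required": re.compile(r"education level required:\s*any\b", re.I),
}
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def mule_offer_indicators(raw_message):
    """Return the sorted names of the indicators found in a single-part text e-mail."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    hits = [name for name, rx in PATTERNS.items() if rx.search(body)]
    # The reply channel is a free-mail box unrelated to the (untraceable) sender.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    contact_domains = {d.lower() for d in ADDRESS.findall(body)}
    if any(d in FREEMAIL and d != sender_domain for d in contact_domains):
        hits.append("freemail_contact_differs_from_sender")
    return sorted(hits)

# Abridged from the sample e-mail reproduced in this article.
SAMPLE_OFFER = """\
From: Senior Solutions and Strategies <cumatt@desingel.be>
Subject: Profitable Business

Education level required: Any
Salary: 7% to 9% of each transaction
Activities: make payments through WU / MG
Join us by sending your application by mail: Senior.Solutions.HR@gmail.com
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: Example Corp HR <hr@corp.example>
Subject: Accountant position

Degree in accounting required. Fixed monthly salary.
Apply via jobs@corp.example
"""

if __name__ == "__main__":
    print(mule_offer_indicators(SAMPLE_OFFER))
    print(mule_offer_indicators(SAMPLE_BENIGN))
```
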

 

What happens to the mule then?

Once the mule has been hired, many scenarios are possible, depending on the type of scam. Here are some examples:

  • Money laundering: The mule receives money on his account via wired transfers. He must then withdraw the money and send the cash via Western Union service to the crook.

  • Stolen money flight: The crook asks the mule to open an account at a given bank. This account is then fed by the crook from other misappropriated accounts in the same bank (transfers between accounts in the same bank are generally less monitored). The mule is then asked to withdraw the money and to transfer it to the crook.

  • Fake sales on the Internet: The crook asks the mule to create a PayPal account; he then sells an item on the Internet and instructs the buyer to send money to the mule's PayPal account. In fact, the buyer never gets the object he has bought, and the mule has already transferred the money to the crook when the fraud is discovered.

According to the reports we got, the same mule is never used for a long time, either because he will be spotted by the bank because of the transfers and withdrawals he performed, or because the victims of the scams complain about the mule.

As an anecdote, it was recently identified that the URLZone malware (a banker Trojan) changes its behaviour when it detects that it is being analyzed, and transfers the misappropriated money to innocent victims to let the investigators think that those victims are mules.

 

The reaction of the involved companies

The companies impacted by these scams (banks, Western Union, web sites dedicated to private sales, etc.) are well aware of this phenomenon and take action to counter it. This often takes the form of awareness programs targeting their customers.

Western Union also announced in October 2008 the creation of an "Alliance" (with Microsoft, Yahoo and the African Development Bank) to fight against scams on the Internet. There should also be (non-public) technical measures in place to detect these frauds. For example, it might be possible for a bank to monitor its customers' transactions and trigger alarms when suspicious transactions are detected. At the early 2007 CLUSIF briefing, a bank indicated that it had identified 12 mules among its customers in 2006.
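
As an illustration of what such monitoring could look like (an added example, not part of the original article and not a description of any bank's actual system), the rule below flags an incoming transfer that is withdrawn in cash shortly afterwards, minus a cut in the 7% to 10% range quoted in the sample offer. The 48-hour window, the record layout and all account data are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)   # assumed: how quickly the cash leaves after the credit
FEE_MIN, FEE_MAX = 7, 10       # percent kept by the mule, range quoted in the sample offer

def flag_pass_through(transactions):
    """Map account -> [(credit_cents, cash_out_cents)] for credits that are
    withdrawn in cash within WINDOW, minus a 7-10% cut."""
    by_account = {}
    for tx in sorted(transactions, key=lambda t: t["time"]):
        by_account.setdefault(tx["account"], []).append(tx)
    alerts = {}
    for account, txs in by_account.items():
        matched = set()  # each withdrawal is paired with at most one credit
        for i, credit in enumerate(txs):
            if credit["kind"] != "transfer_in":
                continue
            for j in range(i + 1, len(txs)):
                out = txs[j]
                if out["time"] - credit["time"] > WINDOW:
                    break
                if out["kind"] != "cash_out" or j in matched:
                    continue
                kept = credit["cents"] - out["cents"]
                # integer arithmetic avoids float rounding at the 7% and 10% edges
                if FEE_MIN * credit["cents"] <= 100 * kept <= FEE_MAX * credit["cents"]:
                    matched.add(j)
                    alerts.setdefault(account, []).append((credit["cents"], out["cents"]))
                    break
    return alerts

def _tx(account, when, kind, cents):
    return {"account": account, "time": datetime.fromisoformat(when),
            "kind": kind, "cents": cents}

# Constructed sample data (account names and amounts are invented).
SAMPLE_TX = [
    _tx("ACC-A", "2009-10-26T10:00", "transfer_in", 300000),
    _tx("ACC-A", "2009-10-27T09:30", "cash_out", 276000),   # 8% kept, next day
    _tx("ACC-B", "2009-10-26T08:00", "transfer_in", 250000),
    _tx("ACC-B", "2009-10-26T18:00", "cash_out", 10000),    # ordinary withdrawal
    _tx("ACC-C", "2009-10-20T10:00", "transfer_in", 100000),
    _tx("ACC-C", "2009-10-25T10:00", "cash_out", 92000),    # right ratio, 5 days later
]

if __name__ == "__main__":
    print(flag_pass_through(SAMPLE_TX))
```

A match on this rule is a triage signal for a human analyst, since an account holder may legitimately receive a transfer and withdraw most of it.
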

 

Conclusion

The mule business is of course illegal (mules are considered accomplices of the crook who hired them), dangerous (the first result for the mule is usually to be automatically excluded by his bank), and of short duration.
It is however very concerning to see that the e-mail offers for such a job are more and more credible and appealing. As we saw in the example above, it is quite possible to be lured by such an e-mail. Using caution and common sense should be enough to realize that these e-mails are scams. But once baited, anyone could be tempted to believe that he has discovered a legal and lucrative business!

 

For more information:

2006 Cybercrime Overview (in French): 


WashingtonPost.com - Brian Krebs :

 
