Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Abusing the WebMD Brand | Main | (In)Credible PayPal Phishing Attempt [Updated] »

February 16, 2010

Money Mule Recruitment

When crooks steal electronic banking login credentials via numerous PC infections, they log into the accounts and need to grab as much dough as they can as quickly as they can without causing electronic alarm bells to go off. To make the scheme work, the crooks need a way to extract the cash and have it flow to them in an untraceable way. Obviously, a direct transfer to their own bank accounts wouldn't work. Instead, they recruit individuals to act as "payment processors."

Funds are withdrawn from the hijacked bank account via electronic transfers into the accounts of these payment processors — usually in amounts under $10,000 to avoid being closely monitored by the banks. The payment processor must then quickly wire most of that money to their employer via Western Union or similar cash-based service. The processor gets to keep ten or so percent as commission (for a few hours, maybe).

The reason for haste is that the true owner of the money or his bank will eventually detect the fraudulent withdrawal. When that happens, the bank demands its money back from the payment processor's account in full. The processor's bank will usually comply, ripping a huge hole in the processor's personal bank account.

This is money laundering, pure and simple. The "payment processor" is a money mule, the financial equivalent of a drug smuggler. Surprisingly, I don't hear of many cases in which a money mule is prosecuted for his or her part in the fraud. But even without The Man coming down on them, money mules pay a hefty price.

Recruiting payment processors seems to be pretty easy, especially in these days of hard economic times. And when the crooks hide behind the flash and glamor of a real company, the "job" offer looks legitimate.

Shown below is an image of the beginning of a (virus-free) PDF document that claims to come from Codec in Ireland:

Money mule recruitment PDF file

I show the PDF file because it includes the logo art and real address of an Irish company called Codec. The From: field of the email message delivering this PDF file is an address at codec.ie, Codec's domain. Remember this, because there is a kicker at the end of this piece.

First of all, is the "real" Codec a real company? Their web site claims the company has been around since 1985. The name (which is new to me) comes from the compression of "Corporate" and "Decisions". Their domain name registration doesn't reveal a creation date, so that's no help.

With all due respect to the company if it is genuine, the consultancy buzzwords throughout the large web site are quite vague and sound almost made up. My eyes started to glaze over before I got very far. Although there are some traces of legitimacy on the site, I don't have the time to investigate this as thoroughly as I'd like. And, as computer media types know, searching for "codec" will not get me very far. In any case, to the untrained and unsuspecting eye, the web site looks very legitimate. That's all the recruiter needs.

Here is the full, unedited text of the PDF file, just so you can see how today's money mule recruiter is appealing to the masses:

Good Day,

We are the recruiting team at Codec, a registered company in Ireland with branches all over Europe. We are trying to expand our business to the USA and CANADA. It has been expensive and stressful for us to catch up with meetings and receive payment from clients outside the United Kingdom. We have decided to recruit agents in the united state of America that will represent our establishment in the aspect of record keeping and client's payments processing.

Customers in America will be asked to make payments for orders to you. You will record, process and remit the money to the accounting department. Payments will be made in cash, money orders and verified checks so you may need to have a bank account to apply for this position.

Note that only 21 years of age and above with good use of English can apply for this job offer. We need from you utmost honesty, trust, steady communication, easy access to the internet and a mobile phone number for quick communication. We do not mind you having another job, as this is a part time job but you need be committed and take our business serious at all times.

If you accept to work for us, you will receive $1000 (One Thousand Dollars Only) as salary every month ending and you are also entitled to remove a 10% commission off every transaction you make. i.e payment collected for the company through you.

If interested please reply with the following information. Your information will be processed within 48hrs and you can start work immediately

* Full Name.
* Residential Address (full address, zip code, state,)
* Contact Phone number(s).
* Cell number (For sms notification of assignments)
* Email Address
* Current Job
* Age

Charles Maybin
Human Resource Manager

Most recipients of this job offer will miss two significant problems with the message's authenticity.

First, although the company's physical address is in Ireland, the response telephone number is in the U.K. Of course, most of America's geographically-challenged folk don't know that Ireland is not part of the United Kingdom.

Second, although the From: address is a codec.ie address, the Reply-To: header is to a free sify.com email address.

Sadly, one statement in the offer letter may be true: that the crooks have so many bank accounts to hijack, that they're stressed in finding enough unwitting accomplices to complete the thefts.

Posted on February 16, 2010 at 10:56 AM