January 13, 2010

I have written a great deal about how organized cyber gangs in Eastern Europe drained tens of millions of dollars from the bank accounts of small- to mid-sized businesses last year. But new evidence indicates one of the gangs chiefly responsible for these attacks managed to hack directly into a U.S. bank last year and siphon off tens of thousands of dollars.

On July 30, 2009, at least five individuals across the United States each received an electronic transfer of funds for roughly $9,000, along with instructions to pull the cash out of their account and wire the funds in chunks of less than $3,000 via Western Union and Moneygram to three different individuals in Ukraine and Moldova.

The recipients had all been hired through work-at-home job offers via popular job search Web sites, and were told they would be acting as agents for an international finance company. The recruits were told that their job was to help their employers expedite money transfers for international customers that were — for some overly complicated reason or another — not otherwise able to move payments overseas in a timely enough manner.

The money was sent to these five U.S. recruits by an organized ring of computer thieves in Eastern Europe that specializes in hacking into business bank accounts. The attackers likely infiltrated the bank the same way they broke into the accounts of dozens of small businesses last year: by spamming out e-mails that spoofed a variety of trusted entities, from the IRS to the Social Security Administration and UPS, urging recipients to open an attached password-stealing program disguised as a tax form, a benefits claim or a shipping label. Recipients who opened the poisoned attachments infected their PCs, and the thieves struck gold whenever they managed to infect a PC belonging to someone with access to an organization’s bank accounts online.

In each of those attacks, when the attackers found credentials for commercial bank accounts, they would log in to the victim’s account and set up bogus payroll payments to the newly hired financial agents, known to the criminals and law enforcement alike as “money mules.” I’ve also interviewed dozens of these mules, and each one I spoke with said the deposits they received were accompanied by e-mail messages stating the amount and time of the transfer, as well as the name of the “client” whose money their employers were supposedly “helping” to move. In every case, the name listed in the e-mail as the “client” was in fact a company that the thieves had looted (see Money Mule Recruitment Network Exposed for another example of this).

On July 30, 2009, the thieves sent out at least five payments totaling nearly $50,000 to five separate money mules. In each case, the name of the client listed in the e-mail message the criminals sent to alert them of the transfer read “FIRST SENTRY BANK,” suggesting that the theft was the result of a computer compromise inside of First Sentry.

I attempted numerous times to get a response from someone at Huntington, West Virginia based First Sentry Bank about the July attack. I left no fewer than seven phone messages and sent several e-mails to bank employees, explaining who I was and the reason for my inquiry. To this day, I have yet to receive so much as a “no comment.”

One of the money mules who helped move money out of First Sentry was a 65-year-old woman from Von Ormy, Texas, who spoke on condition of anonymity. She said she successfully withdrew the $9,099 sent to her from First Sentry, and wired it to three different individuals in Eastern Europe, as instructed. Four other money mules who also helped launder funds stolen from First Sentry said they received similar amounts, and that their e-mailed receipts also listed First Sentry as the client. It is quite possible that the mules I spoke with represent only a fraction of those who received funds in this attack: some of the more than two dozen victims of this crime that I’ve chronicled lost upwards of $500,000.

The Von Ormy mule said she suspected the job may not have been legitimate, but decided she needed the money too badly to turn it down. She said she made about $500 off the transaction, after paying the fees to wire the money.

“I’m a senior citizen on a fixed income, and I hate to say it, but I did make some good money,” she said. “I knew it was too good to be true after making that doggone much money in one day, but it helped me out a lot.”

Below is the transaction message sent from the thieves to the Texas-based mule. Bobbear.co.uk, which does tireless work to track these scam Web sites, has a writeup here on the site used to recruit the Von Ormy mule.

—– Original Message —–

From: noreply@alliance-group.cc

To: [redacted]

Sent: Thursday, July 30, 2009 6:58 AM

Subject: Attention: Transaction 136282 – new task for you

Dear [redacted],

We are glad to inform you about a new task! Please review transfer details:

Date: 30.07.2009 12:56:01
Reference: 154226QL-30
Amount: USD 9099
Commission: USD 727.92 (8 %)
FROM: FIRST SENTRY BANK

Funds should already be there at your bank account. Please contact your bank urgently and confirm that the money is available for withdrawal.

The next thing you have to do is to inform your personnel supervisor about the task status and perform three basic actions:

1. LEARN MORE.
Make sure you’ve already read our detailed manual at: hxxp://alliance-group.cc/member/admin/job_instructions.php

2. WITHDRAW THE FUNDS.
Please visit your bank as soon as possible and withdraw the received funds. Usually this procedure doesn’t take more than 30 minutes.

3. TRANSFER MONEY VIA WESTERN UNION (MONEY GRAM).
After cash withdrawal you are to make transfer(s) at your local Western Union location(s). Commission (8 %) should be deducted from the received money. WU fees along with all other costs, such as bank fees, transportation costs, etc. are covered by you and are deducted from your commission.

* According to the contract terms, should your expenditures exceed 3% of the amount transferred, we’ll compensate you the difference. For more info, please read the EXHIBIT A part of the contract.

You are to make the following transfer(s):

Type: Money Gram
Amount: 2790 USD
Recipient’s First Name: Igor
Recipient’s Last Name: Ilyin
Recipient’s City: Odessa
Recipient’s Country: Ukraine

Type: Money Gram
Amount: 2700 USD
Recipient’s First Name: VERA
Recipient’s Last Name: KSENOFONTOVA
Recipient’s City: Donetsk
Recipient’s Country: Ukraine

Type: Western Union
Amount: 2880 USD
Recipient’s First Name: Constantin
Recipient’s Last Name: Grozav
Recipient’s City: Chisinau
Recipient’s Country: Moldova

IMPORTANT: Before leaving for bank or WU you must read the detailed FAQ available HERE: hxxp://alliance-group.cc/member/admin/job_instructions.php

*We kindly ask you to specify purpose of WU transfer: family (if required). It will allow us to avoid delays connected with Western Union policy concerning business transfers.

**All transfers must be made in USD. Use MONEY IN MINUTES type only (not MONEY IN DAYS).

***We recommend to use 2-3 different locations to complete the transaction.

Sincerely,

Support Team
Alliance Group Inc
support@alliance-group.cc
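The task message above has a fixed structure, and its arithmetic is checkable: the three drops should add up to the deposit minus the stated 8 % commission, and every drop sits just below the $3,000 limit the mules were told to stay under. As an added example (not code from the original post, nor from anyone named in it), the Python below parses that structure, reconciles the numbers and flags the sub-threshold split; it also accepts the “Receiver’s” and “FROM: Company:” label variants that appear in other copies of the same template, such as the one quoted in the comments further down. The $350 margin below the threshold and the $5 rounding tolerance are assumptions chosen for this example, not figures from the post.

```python
"""Triage a money-mule "new task" e-mail: parse it, check its arithmetic, flag
structuring. Added example, not code from the original post. The $3,000 figure is the
limit the mules were told to stay under; the $350 margin and $5 tolerance are assumed."""
import re
from dataclasses import dataclass, field
from decimal import Decimal

# Sample input: the First Sentry task message quoted in the post, reduced to its
# structured lines (prose dropped; names and amounts unchanged).
SAMPLE_TASK = """\
Reference: 154226QL-30
Amount: USD 9099
Commission: USD 727.92 (8 %)
FROM: FIRST SENTRY BANK
Type: Money Gram
Amount: 2790 USD
Recipient's First Name: Igor
Recipient's Last Name: Ilyin
Recipient's City: Odessa
Recipient's Country: Ukraine
Type: Money Gram
Amount: 2700 USD
Recipient's First Name: VERA
Recipient's Last Name: KSENOFONTOVA
Recipient's City: Donetsk
Recipient's Country: Ukraine
Type: Western Union
Amount: 2880 USD
Recipient's First Name: Constantin
Recipient's Last Name: Grozav
Recipient's City: Chisinau
Recipient's Country: Moldova
"""

@dataclass
class Drop:
    kind: str                                # "Western Union" or "Money Gram"
    amount: Decimal = Decimal(0)
    who: dict = field(default_factory=dict)  # First Name, Last Name, City, Country

@dataclass
class MuleTask:
    reference: str = ""
    victim: str = ""                         # the "FROM:" line names the looted account
    amount: Decimal = Decimal(0)             # deposit the mule received
    commission: Decimal = Decimal(0)
    pct: Decimal = Decimal(0)                # commission percentage as stated
    drops: list = field(default_factory=list)

    def drop_total(self):
        return sum((d.amount for d in self.drops), Decimal(0))

# The header amount reads "USD 9099" (currency first); each drop reads "2790 USD".
REFERENCE = re.compile(r"^Reference:\s*(\S+)")
HEADER_AMOUNT = re.compile(r"^Amount:\s*USD\s*([\d.]+)")
COMMISSION = re.compile(r"^Commission:\s*USD\s*([\d.]+)\s*\(([\d.]+)\s*%\)")
VICTIM = re.compile(r"^FROM:\s*(?:Company:\s*)?(.+?)\s*$")
DROP_TYPE = re.compile(r"^Type:\s*(.+?)\s*$")
DROP_AMOUNT = re.compile(r"^Amount:\s*([\d.]+)\s*USD")
# "Recipient's" here, "Receiver's" in other copies; the apostrophe may be straight or curly.
DROP_FIELD = re.compile(r"^(?:Recipient|Receiver).s\s+(First Name|Last Name|City|Country):\s*(.+?)\s*$")

def parse_task(text):
    """Walk the message line by line; every "Type:" line opens a new drop block."""
    task, drop = MuleTask(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := REFERENCE.match(line):
            task.reference = m.group(1)
        elif m := HEADER_AMOUNT.match(line):
            task.amount = Decimal(m.group(1))
        elif m := COMMISSION.match(line):
            task.commission, task.pct = Decimal(m.group(1)), Decimal(m.group(2))
        elif m := VICTIM.match(line):
            task.victim = m.group(1)
        elif m := DROP_TYPE.match(line):
            drop = Drop(kind=m.group(1))
            task.drops.append(drop)
        elif drop is not None and (m := DROP_AMOUNT.match(line)):
            drop.amount = Decimal(m.group(1))
        elif drop is not None and (m := DROP_FIELD.match(line)):
            drop.who[m.group(1)] = m.group(2)
    return task

def reconcile(task, tolerance=Decimal("5")):
    """Drops should sum to deposit minus commission (each drop is rounded, hence the
    tolerance), and the commission should equal the stated percentage of the deposit."""
    gap = abs(task.drop_total() - (task.amount - task.commission))
    pct_ok = (task.amount * task.pct / 100).quantize(Decimal("0.01")) == task.commission
    return {"gap": gap, "drops_reconcile": gap <= tolerance, "commission_matches_pct": pct_ok}

def structuring_flags(task, threshold=Decimal("3000"), margin=Decimal("350")):
    """Two or more drops parked just under the threshold that together exceed it is
    the split the post describes: cash out ~$9,000, wire it in sub-$3,000 pieces."""
    near = [d for d in task.drops if threshold - margin <= d.amount < threshold]
    return {"near_threshold": [(d.who.get("Last Name"), d.amount) for d in near],
            "structured": len(near) >= 2 and task.drop_total() >= threshold}

if __name__ == "__main__":
    t = parse_task(SAMPLE_TASK)
    print(t.victim, t.reference, t.amount, t.drop_total(), reconcile(t), structuring_flags(t))
```

Run over the First Sentry message, the drops total $8,370 against an expected $8,371.08, the 8 % commission checks out, and all three drops fall in the flagged band. A responder who receives forwarded task e-mails from mules can use a script like this to pull out the victim name, reference number and drop recipients without reading each message by hand, and the reconciliation step catches messages that have been edited or truncated in forwarding.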


23 thoughts on “Money Mules Helped to Rob W. Va. Bank”

  1. SpamIsLame

    I don’t know whether you’ve ever gotten a comment from them in the past, but shouldn’t Western Union be on the hook for at least a portion of this criminal activity?

    Theft from the bank – which arguably should by now have all kinds of security measures in place regarding this rash of ongoing withdrawal abuse – is only the first half of the problem. Western Union and Moneygram are the actual crux of the crime being committed, and the criminals behind this know it.

    Has anyone from Western Union ever made any comment regarding this continuing abuse?

    SiL / IKS / concerned citizen

      1. Rachel

        Hi, I think I have been pulled into one of these scams. What should I do? This is not my real email, as I can’t trust anyone at this point because of these people.

        1. BrianKrebs Post author

          Walk away. If they send you money or a check, do nothing with it, except report it to your bank. In fact, might be a good idea to print out the emails you’ve received from them and go down to the bank and explain what happened. They should be able to help you close the account and open a new one.

  2. AlphaCentauri

    Can anyone explain why the US banking industry is so disorganized that they can’t get together to sign up thousands of bogus money mules every time a spam “work at home” email goes out, then wait for the replies to find out which bank is going to be looted?

  3. Evan Francen

    Nice work Brian! Very informative and representative of the fact that criminals will stop at nothing to get the money they covet. As information security professionals, we should be careful to not underestimate the motivation and skill of some of our adversaries.

    How many hours of research did you put into this?

    1. BrianKrebs Post author

      Thanks. Too many, I’ve been working on this off and on since Sept. Since First Sentry has been dodging my requests for comment, I wanted to make sure I’d heard the same story from enough mules.

  4. d

    While I understand the Von Ormy mule needed the money, she still was wrong. And she readily knew that fact. Do these mules ever get prosecuted? For as many times as Brian has reported this story, it’s sad more people aren’t aware of the scam and that the banking industry hasn’t warned its customers against becoming mules. Until that happens it’s too much money for some to resist!

  5. N3UJJ

    For the record:
    BB&T has posted on every drive-in window I have been to, warning signs of possible scamming.
    I also took a moment to go to the First Sentry website and posted a comment about them ignoring the issue.

    Keep up the good work Brian.

  6. Matt

    I’m also curious about the legal repercussions of being a “money mule”.

    While I realize that ultimately there’s no answer to this until someone hashes it out in court, does being provably ignorant of the fact that they’re helping move stolen money shield them from prosecution? Does being provably knowing of the fact that the “job” is not legitimate make them an accessory? What standard of proof would it take to make a mule an accessory to the theft?

    1. AndyfromTucson

      Generally serious crimes require as an element of the crime that the perpetrator knew what he was doing (in this case aiding in a theft). These mules can argue that they thought it was a legitimate job, or just shut their mouths and not say anything and leave prosecutors with the difficult job of proving that the mule knew they were transferring stolen money. By using lots of mules, and having each one handle relatively small amounts, they make it very unattractive for prosecutors to go after the mules.

      If the banking industry did a media campaign along the lines of “work at home jobs involving money showing up in your account that you have to send somewhere else are criminal scams” then prosecutors would have an easier job (and fewer people would sign up for them).

  7. TheGeezer

    Expect this to continue as long as the registrars are complicit in this activity. An exploit on HSBC is currently in progress. It downloads a bot, certificate.exe, after gathering your bank credentials. The domain used for this exploit was registered with domainpeople.com. The registrar was notified by a researcher and given samples of the exploit more than 24 hours ago. No response. The exploit continues. The solution by most domain resellers is to no longer supply registrant information so their negligence in registering fraudulent domains is not seen.

    1. AlphaCentauri

      @TheGeezer – Your complaint is valid about phishing/malware domains allowed to remain alive for hours or days, especially those hosted on botnets, where there is no single hosting service that can shut down the website if the registrar fails to act. I looked at domainpeople’s registration agreement and have some ideas, but it’s off topic here. You may wish to become a member at inboxrevenge.com and start a thread there if you are having trouble getting a particular domain shut down.

  8. t_joe

    The more I read about these money mules, the less I think they are free from culpability. There are enough red flags to make anyone realize that these are dodgy transactions, and yet they engage in them anyway. The woman quoted in the article said she had her “I knew it was too good to be true” moment after collecting her loot, but it’s hard to believe she didn’t have this realization much earlier in the process.

  9. NE716

    The mules have plausible deniability. There is also the matter of intent, and it would be extremely difficult to prove criminal intent on the part of these people. Toss in the fact that the amounts are not large, whether it’s the money moved or the mule fee, and you are spending more money in the court and prison system than the impact on society.
    Since it’s tough to determine intent, you can’t distinguish a true criminal from a person looking for a few bucks. With the ever increasing gap in the distribution of wealth, we will see more folks acting as mules in the future. But the solution is not to imprison all mules; that just won’t make sense and will be too costly. We need law enforcement, the banking industry, ISPs, etc. to work together against the real perpetrators of this activity – the groups behind it.

    1. BrianKrebs Post author

      This is correct, I think. Put yourself in the shoes of a local prosecutor who has to convince a jury of the defendant’s peers, most of whom probably aren’t much brighter than these mules, that the mule knew what they were getting into. That’s probably a non-starter for even ambitious, junior prosecutors.

      That said, what these mules are doing is probably not dissimilar legally from people who pass bad checks or cash fraudulent checks. Ignorance of the law is not a legal defense, but sadly it is often a sufficient one.

      1. AndyfromTucson

        Ignorance of the law is never a defense. What is a defense, for many crimes, is ignorance of the true nature of the act the perpetrator is committing. For example, if you are hired to sit in a booth and push a red button when a buzzer goes off, and it turns out that the button fires a gun that kills someone, then you are not guilty of murder because you had no idea you were firing a gun. However, there are a number of crimes that by their definition do not require proof of knowledge of the act. Most traffic laws do not require knowledge of the act; so not knowing you were speeding is no defense. I imagine (but don’t know) that some of the bad check laws are written this way too. All this to say, in order to make money mules liable without proving knowledge of the act they were committing (transferring stolen money) you would have to have new laws passed making it a crime to transfer stolen money even if the perpetrator didn’t know the money was stolen.

        1. Stardance

          @AndyfromTucson: Quote: “Most traffic laws do not require knowledge of the act; so not knowing you were speeding is no defense.” Traffic laws require the driver to know the speed at which the vehicle they are driving is moving, at all times, and to always know the speed limit for the span of the road on which they are currently driving. So, if you didn’t know that the vehicle was exceeding the speed limit, then you have broken the first law, and if you didn’t know the speed limit, then you have broken the second law, and if you did know both the limit and the fact that the vehicle was moving above the limit, then you’ve broken another law instead. You might avoid a fine and get a “fix it” ticket instead if you can convince the officer (or the judge) that the speedometer is dysfunctional or not operating, but that is not likely, IMHO.

  10. Bob Bear

    Thanks for the mention, Brian, and keep up the good work publicising this criminal activity. There definitely seems to be a severe lack of education on the subject, judging by many of the responses I get.

    Anyone who comes across any similar money mule or reshipping fraud recruiting scam, please do let me know about it, along with any spam copy via my webform on http://bobbear.com/ or http://bobbear.co.uk/

  11. Rick Zeman

    Nothing will change until the banks will lose more money than it will cost to effect meaningful changes (same with data breaches).

    Brian:
    “Ignorance of the law is not a legal defense, but sadly it is often a sufficient one.”
    Sadly, no truer words have been spoken.

  12. MGD

    Brian,

    Congratulations on your new venture, and I look forward to your continuing excellent work.

    Apparently our cyber paths continue to cross in the cesspools of organized cybercrime. As an avid reader of your outstanding series on “Cyber Gangs Fleece Small Businesses”, I can’t help but note some of the similarities between the Clampi / Zeus / Zbot bank looting operations, and that of the multi-million-dollar annual card fraud laundering operation which has operated within the global financial system unfettered for over half a decade.

    The published reports of the actual cash transfer drop instructions given to these mules is what highlighted some of the similarities. In both cases, I believe that the named Western Union drops are also picked up by mules at the other end, and that it is one of several steps in the laundering process. It is my opinion that there is an organized Eastern European criminal version of a sort of “Hawala”, which specifically services cyber criminals and their ongoing global crimes, is untraceable, and utilizes Western Union and Money Gram.

    If you look at some of the published reports given to the mules in the small business bank account fleecing, such as:

    ================================================
    Dear (MY NAME),

    We are glad to inform you about the new task! Please review transfer details:

    Date: 02.02.2009 12:07:57
    Reference: 217077PB-21
    Amount: USD 9350
    Commission: USD 748 (8 %)
    FROM: Company: L S Starrett Nashvl

    IMPORTANT: THE TRANSACTION MUST BE COMPLETED VIA WESTERN UNION ONLY (NOT MONEY GRAM).

    Funds should be on your bank account already. Please contact your bank urgently and confirm that money is available for withdrawal.

    The next thing you have to do is to inform your personnel supervisor about the task status and execute three basic actions:

    1. LEARN MORE.
    Make sure you’ve already read our detailed manual: http://mmt-group.cc/member/admin/job_instructions.php

    2. WITHDRAW THE FUNDS.
    Please visit your bank as soon as possible and withdraw the received funds. Usually this procedure doesn’t take more than 30 minutes.

    3. TRANSFER MONEY VIA WESTERN UNION.
    After cash withdrawal you are to make transfer(s) in local Western Union location(s). Commission (8 %) should be deducted from the received money. WU fees along with all other costs, such as bank fees, transportation costs and so on are paid by you and are deducted from your commission.

    * According to the contract should your expenditures are greater than 3% of the transferred sum, we’ll compensate the difference. To get more detailed info, please read the EXHIBIT A part of the contract.

    You have to make the following transfer(s):

    Type: Western Union
    Amount: 2870 USD
    Receiver’s First Name: VICTOR
    Receiver’s Last Name: GALUSCA
    Receiver’s City: Chisinau
    Receiver’s Country: Moldova

    Type: Western Union
    Amount: 2800 USD
    Receiver’s First Name: CONSTANTIN
    Receiver’s Last Name: ROIBU
    Receiver’s City: Chisinau
    Receiver’s Country: Moldova

    Type: Western Union
    Amount: 2931 USD
    Receiver’s First Name: LEONID
    Receiver’s Last Name: RYCHKOV
    Receiver’s City: Moscow
    Receiver’s Country: Russia

    IMPORTANT: Before leaving for bank or WU you must read the detailed FAQ available HERE: http://mmt-group.cc/member/admin/job_instructions.php

    *We kindly ask you to specify purpose of WU transfer: family (if required). It will allow us to avoid the delays connected to Western Union policy concerning business transfers.

    Sincerely,

    Support Team
    MMT Group Inc.
    support@mmt-group.cc
    ================================================
    Ref: http://scamfraudalert.wordpress.com/2009/10/10/criscom-group-inc-criscomgroupco-cncriscom-groupinc-cccriscom-group-cc/

    Chisinau, Moldova repeatedly shows up as the origination point of hundreds of spam forum posts which were used to seed search engines by the organized crime syndicate card fraud laundering operation. The posts were used to create references and ranking for the fake business names used on Careerbuilder.com for recruiting cyber mules. Over 150 job ads for cyber mules were placed on Careerbuilder for the fake recruiting company Skydexsoft.com. (Warning: Skydex Soft was infected with iframe malware exploits). That was preceded by numerous forum posts from supposed customers praising the company. Those postings originated from Chisinau, Moldova, IP Address: 91.214.201.92 static-91-214-201-92.roxnet.md, and also from starnet.md in Chisinau. Those IPs were also the source of several hundred forum posts which used various card fraud laundering domain names with telephone numbers as their forum aliases. http://www.dslreports.com/forum/r19620593-Ebook-websites-fraud-charges-DevbillDigitalAgePluto?hifilter=Moldova The purpose of the latter was to demote search engine rankings of subsequent victim card fraud reports from the various fraud websites.

    In one of your “Cyber Gangs Fleece Small Businesses” reports, you listed these mule instructions:

    ================================================
    (WU commission included in $9221.40USD ). But remember everything must be complete in an two hours since you withdraw the money.)

    MONEY TRANSFER SYSTEM (WWW.WESTERNUNION.COM, LOOK FOR THE NEAREST BRANCHES ON THE WEBSITE)

    *Please send money via Western union branches,because it much more faster*

    !!!Do not send money via Bank,because it slower!!!

    You should choose option “Send in one minute”

    YOU NEED TO FIND 3 BRANCHES of Western Union AND SEND ONE EQUAL PIECE FOR THE FIRST RECEIVER FROM 1 BRANCH,SECOND EQUAL PIECE FOR THE SECOND RECEIVER FROM 2 BRANCH
    AND THIRD EQUAL PIECE FOR THE THIRD RECEIVER FROM 3 BRANCH .

    !!Details of our 1 client:

    *NOTE* (!!!PLEASE PAY WESTERN UNION TRANSACTION FEES FROM $3073 USD!!!!!)
    FIRST NAME: Valeriy
    SURNAME: Zobnin
    CITY: Poltava
    COUNTRY: Ukraine

    !!Details of our 2 client:

    *NOTE* (!!!PLEASE PAY WESTERN UNION TRANSACTION FEES FROM $3073 USD!!!!!)
    FIRST NAME: Andrey
    SURNAME: Kostin
    CITY: Rovno
    COUNTRY: Ukraine

    !!Details of our 3 client:

    *NOTE* (!!!PLEASE PAY WESTERN UNION TRANSACTION FEES FROM $3073 USD!!!!!)
    FIRST NAME: Boris
    SURNAME: Valinurov
    CITY: Kiev
    COUNTRY: Ukraine
    ================================================

    Ref: http://voices.washingtonpost.com/securityfix/Merian%20S.%20Terry.txt

    Ref: http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html

    For three years the Ukraine has been the originating point of several similar Western Union transfers, which were sent to the US to cover the US Bank fees, Authorize.net merchant account setup fees, and LLC registration costs, for the card fraud laundering website facilities.

    Circa December 2007, the following email was sent to a duped cyber mule to cover the set up costs for BestTech solutions (www.bst-design.com):

    ================================================
    From: Marek Shulcovicz Shulcovicz2002@gmail.com

    Sent: Monday, December 24, 2007

    Subject: sales representative

    Hello,

    First of all, I would like to wish you a merry Christmas!

    Let’s get back to work now. I got a confirmation that the amount of money needed for the company registration was sent to you about an hour ago. You can get it via Western Union. Below you can find all the information you will need to receive this transfer :

    SENDER : grigoriy gorvat
    CITY, COUNTRY : Dnipropetrovsk, Ukraine
    MTCN : 41263XXXXX
    AMOUNT : $XXX

    SENDER : vadim zagray
    CITY, COUNTRY : Kyiv, Ukraine
    MTCN : 19610XXXXX
    AMOUNT : $XXX

    After receiving the Western Union transfer please send me an e-mail message to confirm the fact that you are in possession of the amount of money needed and you have started the company registration process. After that please read the following step-by-step instructions to set up your work.

    o Recommendations for company legalization via LegalZoom.com
    1. It is highly recommended that the company name would include the word Solutions, Technologies and Design.
    2. If it is required to indicate the scope of activity of the company, please indicate software sales / website development
    3. Get a Tax ID*

    * There are two ways of getting a Tax ID

    a. You can find a special form in your Express Gold package, that will be delivered to you along with your new company documents. After filling out this form and sending it to IRS, you will get your Tax ID for free in two weeks.

    b. LegalZoom.com gives you an opportunity to get a Tax ID while you are registering your company. You are going to need extra $49 to do so.

    ….

    ..

    The moment when you sign the contract will be the start of your first working day.

    Should you have questions, I am always ready to answer them.

    Best Regards,
    Marek Shulcovicz
    EffectiveSoft Ltd.
    ================================================

    The recruiting of that cyber-mule began with this introduction:

    ================================================

    From: personal_manager@effectivesoft.biz
    Sent: Tuesday, December 11, 2007 6:07 AM
    To: REDACTED

    Subject: Career advancement opportunity. Apply now.

    Hello,

    We came to know about your CV while we were browsing on monster.com.
    After perusal of your experience, we came to a decision that you might be
    a good candidate for a position we have open now.

    Position outlines:

    EffectiveSoft is looking to fulfill vacancies for Sales Representatives who would
    be responsible for developing a new sale approach for our software products

    Company Data:
    EffectiveSoft Ltd. was based in 2003.
    ….
    ..
    .
    ================================================

    Circa January 2008 another duped cyber-mule who was recruited by fellowsolutions.com, and was subsequently assigned a card fraud laundering website of IPD-TECHNOLOGIES.COM, was sent funds to cover the LLC, business bank account, and Authorize.net set up fees:

    =====================================
    From: Aleksandr Kostanda aleksandrkostanda@yahoo.com

    To: XXXXXXXXXXXXXXX

    Subject: Aleksandr Kostanda

    We sent $500 through the Western Union. You can pick up the money.

    The datas to get the money:

    Sender:
    The first name: NATALYA
    The second name: MITROFANOVA
    MTCN: 814-678-XXXX
    Address: Nikolaev, Ukraine
    Sum: $XXX

    We sent it from Ukraine because it’s the cheapest way to send the
    money for us.

    Best regards,
    Aleksandr Kostanda.
    Fellow Solutions, Inc.
    36 Dragan Tsankov Blvd.,
    Sophia, 1057
    Bulgaria,
    Phone/Fax for US: (606) 764-1922
    fellowsolutions.com
    =====================================

    Just a few months ago, in an unexpected turn of events, the Ukraine once again showed up as the source of a $2,000 Western Union inbound transfer to the US, to support the organized crime syndicate’s card fraud laundering operation. In this case the unwitting cyber-mule who had set up an LLC and three FBNs to support three of the crime syndicate’s card fraud laundering websites was tracked down and finally reached after about two months in operation. By that time the syndicate had processed around $100,000 in fraudulent charges to hijacked card data. At the time of initial contact the mule reported having made foreign wire transfers of some of the fraud proceeds a day earlier. After instructing the mule to lock out the authorize.net account and place it in test mode, they were then instructed to contact the bank the following morning and to try and revoke wire transfers made in the previous day or two. Around $80,000 of the fraud proceeds had already been sent out of the country.

    In this case the inbound Western Union cash from the Ukraine was a surprise ending to a ruse which was created to stall the cyber criminals, while attempts were made to freeze the foreign bank account where the card fraud proceeds were going to. Though it is typical for the fraud proceeds to be withdrawn in cash upon receipt at the foreign bank accounts, numerous fraud entities would have been wiring funds there, so there may have been a chance to freeze fresh wires. Unfortunately the process of revocation was handled as a typical recall and not as a fraud event, so the criminals were alerted to the attempted revocation. In order to deflect the criminals’ attention, a ruse was created to explain what they were seeing from their end, and the Western Union surprise was the unexpected result. That scenario can best be seen from these edited communication transcripts:

    After first phone call:

    ==========================
    Subject: Follow up to telephone conversation

    Please forward me copies of the emails that worldcreativestudio.com
    sent you which contain instructions to wire the money.
    ==========================
    ==========================

    Hi MGD,

    Needless to say, I am speechless and in a complete state of shock. I went
    ahead and placed all 3 accounts on test mode and changed all the passwords.
    These people do not have access to the bank accounts. How long would you say
    it takes for the sales to stop going through once the accounts are in test
    mode?

    ==========================
    ==========================
    Hi,

    As soon as you place it in test mode then no more charges will be processed.
    The criminals may be still processing charges into the system, as it will
    take them a while to realize that the system once set to test mode will
    accept the entries, however, it will discard and not process them. For
    ethical and other reasons, you can now no longer contest the disputed
    charges from the card victims. Depending on the available current funds in
    the account it is best to issue credits to as many of the current pending
    disputes as possible.

    Also, I need the wiring details ASAP, so I can try and have the Latvian bank
    account frozen. Based on the limited information that you gave me over the
    phone regarding the beneficiary name of “DIMEFIELD MANAGEMENT LTD.” in the
    British Virgin Islands, I have come up with this as a possible address:

    PO Box 3469,
    Geneva Place,
    Waterfront Drive,
    Road Town,
    Tortola,
    British Virgin Islands.

    The BVI is a known haven of offshore shell company registrations for Russian and
    other money laundering criminals.
    ==========================
    ==========================
    Hi MGD,

    Here is the bank info you need:

    ———- Forwarded message ———-
    From: adrian_nowak@worldcreativestudio.com
    Date: 2009

    Subject: Adrian Nowak. World Creative Studio, Inc.

    Hello,

    Please do the transfer to our bank account today.

    Here it’s the bank info:

    Beneficiary’s Bank Name: Aizkraukles banka
    Beneficiary’s Bank SWIFT code: AIZKLV22
    Beneficiary’s Bank Address: Elizabetes 23, LV-1010, Riga, Latvia.
    Beneficiary Account: LV29AIZK0001140110388
    Beneficiary Name: DIMELFIELD MANAGEMENT LTD
    Beneficiary address: Geneva place Waterfront Drive Road, Town Tortola,
    British Virgin Islands
    Detail of the payment: For law consulting invoice 29072009/1 dated
    30/07/2009

    Please be sure that you write down exact Detail of Payment. It’s very
    important for us.

    The transfer must be from your company name Remote Access Group, Inc.,

    from the bank business account.
    When you do the transfer please tell me the sum of it.

    Best regards,

    Adrian Nowak.
    Chief manager of World Creative Studio, Inc.
    adrian_nowak@worldcreativestudio.com
    Phone/Fax for the USA: (954) 208-7279

    ---------- Forwarded message ----------

    From: adrian_nowak@worldcreativestudio.com
    Date: XXXXXX 2009

    Subject: Adrian Nowak. World Creative Studio, Inc

    Hello,

    Yes please do the transfers tomorrow.

    Detail of payments:
    1 account: For law consulting invoice 19082009/1 dated 20/08/2009
    2 account: For law consulting invoice 19082009/2 dated 20/08/2009
    3 account: For law consulting invoice 19082009/3 dated 20/08/2009

    Best regards,

    Adrian Nowak.
    Chief manager of World Creative Studio, Inc.
    adrian_nowak@worldcreativestudio.com
    Phone/Fax for the USA: (954) 208-7279

    ==========================
    ==========================
    From: MGD

    To Cyber-Mule:

    Thanks, I do not need an exact figure, just a guess as to the approximate
    total of the transfers.
    ==========================

    ==========================

    From Cyber-Mule:

    13 transfers totaling $87,592. I did the math earlier. Are you already in
    touch with that bank?

    Thanks for your help…
    ==========================
    ==========================
    To Cyber-Mule:

    Go to Wachovia ASAP and try to initiate a revocation on the last wire
    transfers that just left. Foreign transfers take a few days, and they may be
    able to recall it if it has not reached the account at the Latvian bank.
    ==========================
    ==========================
    XXXXX@ab.lv XXXX@ab.lv

    XXX@fktk.lv

    Subject: ALERT: Criminal Money Laundering report (AML) at Aizkraukles Banka

    FRAUD ALERT: Criminal Money Laundering report

    ==========================
    ==========================

    From: MGD

    To: XXXX at jordans-international.com

    Subject: DIMELFIELD MANAGEMENT LTD

    The above company appears to be using your address:

    DIMELFIELD MANAGEMENT LTD
    Geneva place,
    Waterfront Drive Road,
    Town Tortola,
    British Virgin Islands.

    I was wondering if you can confirm if they are a legitimate company at your
    address. Or maybe they were registered through your service and are allowed
    to use your mailing address.

    ==========================
    ==========================

    From: XXXXX at jordans-bvi.com

    Subject: RE: DIMELFIELD MANAGEMENT LTD

    Dear MGD,

    I confirm that the above company is a legitimately registered BVI Business
    Company (company number 1498731). We provide the registered office and agent
    to this company.

    Best regards
    ==========================
    ==========================

    Dear XXXX,

    Thank you very much for your confirmation and prompt reply.

    I have an additional question: are the registered details for DIMELFIELD
    MANAGEMENT LTD a public record? For example, the owner name or registration
    contact details.

    ==========================
    ==========================

    Dear MGD,

    A company search of the public record will reveal the Company Name, Company
    number, registered office, registered agent, authorised share capital, the
    last licence fee paid, whether the company is in good standing, and whether
    the company is in liquidation or has any litigation proceedings, or charges
    filed.

    Directors and shareholders details are not on public record.

    A charge for a company search as above is $150.

    Please let me know if I can assist you further.

    Best regards

    ==========================
    ==========================

    The cyber criminals are now aware of the Wachovia bank request to Aizkraukles Banka
    for the return of the funds. Normal procedures require that the recipient sign off and
    authorize the return of wires. Obviously, even if the funds were still there, that is not
    going to happen. In order to stall for time and for other events to take place, the cyber
    mule initially responded to the crime syndicate's inquiry about the authorize.net merchant
    processing account lockout as possibly being related to excessive chargebacks, and said
    they would find out what was going on.

    ==========================

    From Cyber-mule:

    This was the last message I got from them…

    ---------- Forwarded message ----------
    From: adrian_nowak@worldcreativestudio.com

    Subject: Adrian Nowak. World Creative Studio, Inc.

    Hello,

    Will we be able to start to sell on September 1st? Then we would limit
    our sales up to $40,000 for each account. And there will be always
    enough funds to cover all chargebacks. Or will we not be able to start to sell again?

    It’s impossible to return the transfers because they were directed to
    pay our other services already.

    Best regards,
    Adrian Nowak.
    Chief manager of World Creative Studio, Inc.
    adrian_nowak@worldcreativestudio.com
    Phone/Fax for the USA: (954) 208-7279
    ==========================
    ==========================
    To: cyber-mule

    Excellent, got it.

    I see they are asking whether they will be able to continue billing. I
    suggest you tell them this:

    ------
    “Due to the growing number of charge backs the merchant account underwriter
    told me that they require me to give them an additional $2,000 to be held in
    reserve to cover any pending charge backs and the associated fees. This
    reserve is above and beyond any pending or actual receipts. They require
    this reserve to be on deposit before they will allow the accounts to be
    released for additional card processing. Since that $2,000 is above and
    beyond the funds that are in the bank account, I am not willing to fund this
    out of my pocket.

    If you wish to continue processing sales then you need to wire this $2,000
    back to business bank account, or send it in some form. That is why I tried
    to recall the last transfer in order to cover this new requirement. If you
    do not wish to cover this reserve requirement I will be unable to have the
    processing account released. The underwriter at Transfirst said that they
    are experiencing an increased amount of chargebacks in general from
    ecommerce, and are increasing the reserve requirements on certain designated
    accounts to protect themselves.”
    ------

    They may be too smart and knowledgeable to believe this, however, it is
    close enough to reality that they may go for it. Especially if they think
    that they will be able to continue processing fraud charges. The amount is
    small enough that they might consider it worth the risk.
    ==========================

    ==========================
    Hey MGD,

    This is what they had to say to that:

    ---------- Forwarded message ----------
    From: adrian_nowak@worldcreativestudio.com

    Subject: Adrian Nowak. World Creative Studio, Inc.

    Hello,

    Why can they no take this reserve from the hold funds on third
    website? They hold aprox. $7,000. So they can take all these money for
    all 3 websites for reserve.
    Or we can sell for each website for $2,000 and they take these funds
    for the reserve.

    What you sent to us we spent all funds for advertising.

    Best regards,
    Adrian Nowak.
    Chief manager of World Creative Studio, Inc.
    adrian_nowak@worldcreativestudio.com
    Phone/Fax for the USA: (954) 208-7279
    =========================

    =========================

    To Cyber-Mule:

    LOL!! "We spent it on advertising", the lying scum. That is right up there
    with "the dog ate my homework".

    How ironic: not only do the criminals not spend a penny advertising the sites,
    they block every one of the hundreds of them from even being found by search
    engines.

    Take your time in answering, but we will put the ball back in their court by
    saying:

    “They told me that the $2,000 is the balance needed to meet the total
    required reserve. As I told you, I do not have that additional money, nor
    should I have to use my personal money to support the business. The merchant
    account underwriter’s risk department said that those additional funds will
    have to be on deposit before they will release the accounts for further
    processing. So it will be impossible to generate that balance from
    additional sales. Let me know what you wish to do, as I will need to look
    for other employment quickly if you are not going to continue the business.”

    =======================================
    =======================================

    Check this out MGD!!

    ---------- Forwarded message ----------
    From: adrian_nowak@worldcreativestudio.com
    Date:

    Subject: Adrian Nowak. World Creative Studio, Inc.

    Hello,

    We sent you $2,000 trough the Western Union.
    Please pick up the money and inform me when you get them.
    The money was sent to these datas:

    Sender’s first name: Lisova
    Sender’s second name: VIKTORIYA
    MTCN: 294-693-XXXX
    City: NIKOLAEV
    Country: Ukraine
    Sum: $1000

    Sender’s first name: VALERIY
    Sender’s second name: CHUNIHIN
    MTCN: 466-675-XXXX
    City: NIKOLAEV
    Country: Ukraine
    Sum: $1000

    We sent the money from Ukraine branch because it’s more cheaper than here.
    You can pick up the money in any time now.

    Please deposit these funds to cover the balances as they require. Also
    please tell at your bank to refuse from their inquiry to return the
    last wire transfers. The transfers will not come back in any case
    because there are not funds on this bank account. Only our bank
    manager ask us what to do with your inquiry. Just tell at the bank
    that you did the inquiry by mistake.

    Best regards,
    Adrian Nowak.
    Chief manager of World Creative Studio, Inc.
    adrian_nowak@worldcreativestudio.com
    Phone/Fax for the USA: (954) 208-7279
    ===================================================

    Though over the years the millions in fraud proceeds have gone from various US banks to assorted foreign banks, inbound support funds have primarily come via Western Union from the Ukraine. More recently they have also used Russian PayPal accounts for set-up costs. The connections at this stage between the two fraud operations may be anecdotal. You have reported that several of the lootings from business accounts were made via direct transfers to foreign bank accounts. Though none of those details have been published so far, it would be interesting to see if they have anything in common with the other multi-year ongoing fraud operation. Organized cyber crime is way ahead of any efforts by the financial system to impede their operations. As for Western Union and MoneyGram, they are the holy grail of fraudulent money laundering. If cash transfers via those systems were halted for a week, it would have the same effect on cyber crime as the combined results of pulling the plug on Atrivo, McColo, and 3FN / Pricewert.

  13. Mike

    If they actually go so far as to lie about the purpose of the transaction (“family”) it should be a simple case of fraud.

  14. Ty Purcell

    Brian,

    So if computers inside First Sentry were compromised, was First Sentry also the originating bank of the transaction to the mules, or was it another bank since sometimes small banks use larger banks as correspondent banks?
