Posts Tagged: money mules


29
Nov 12

Online Service Offers Bank Robbers for Hire

An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise.

The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York. These associates are not mere “money mules,” unwitting and inexperienced Americans tricked and cajoled into laundering money after being hired for bogus work-at-home jobs. Rather, as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity (the ad refers to them as неразводные “nerazvodni” or “not deceived”). Put simply: These are mules that can be counted on not to freak out or disappear with the cash.

These complicit “foreign agents” in the U.S. can be hired to launder funds stolen through cyberheists and tax fraud.

The rest of the ad reads:

“We provide convenient service to our partners:

  • Unique administrative interface – fast response
  • We will react momentarily to any new task
  • Adapt every action of a money mule to client’s requirements
  • Timely payments via WebMoney/Liberty Reserve/Western Union, cash conversion with WU/MG
  • Cashout of tax return, D + P (dump & PIN, cashout of debit cards stolen via skimming)
  • Receive over mail or expensive merchandise pick up in a store
  • Mules are available for other interesting transactions

We work only by reference.”

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

Continue reading →


19
Nov 12

MoneyGram Fined $100 Million for Wire Fraud

A week ago Friday, the U.S. Justice Department announced that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized business, but incredibly this settlement appears to be unrelated to these cyber heists.

According to the DOJ, the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’  In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system.”

The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing (oh, and willful neglect of employee fraud).

“Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams.  As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management.  These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008.  Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million…To date, the U.S. Attorney’s Office for the Middle District of Pennsylvania has brought conspiracy, fraud and money laundering charges against 28 former MoneyGram agents.”

$100 million may seem like a painful fine, unless you take a look at MoneyGram’s company facts page, which states some fairly staggering figures: “MoneyGram has 293,000 agent locations in 197 countries and territories,” or, to put it another way, “more than twice the locations of McDonald’s, Starbucks, Subway and Wal-Mart combined.”

The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems.

Each week, I reach out to or am contacted by organizations that are losing hundreds of thousands of dollars via cyber heists. In nearly every case, the sequence of events is virtually the same: The organization’s controller opens a malware-laced email attachment, and infects his or her PC with a Trojan that lets the attackers control the system from afar. The attackers then log in to the victim’s bank accounts, check the account balances – and assuming there are funds to be plundered — add dozens of money mules to the victim organization’s payroll. The money mules are then instructed to visit their banks and withdraw the fraudulent transfers in cash, and wire the money in smaller chunks via a combination of nearby MoneyGram and Western Union locations.

The latest example: On Nov. 16, 2012, attackers logged into accounts at Performance Autoplex II Ltd., a Honda dealer based in Midland, Texas, and began adding money mules to the company’s payroll. The thieves added at least nine mules, sending each a little more than $9,000. One of the mules used in this attack — a Louisa Lies (no kidding, that’s her real last name) — got two transfers totaling $9,220.58. She was instructed to visit two different Western Union locations, sending a total of $3,844 to two different recipients (one in Russia, the other Ukraine); Lies sent another pair of transfers (again, to two different people in Russia and Ukraine) totaling just over $5,000, via two separate MoneyGram locations. Lies said she paid $155 in fees to Western Union, and $136 in MoneyGram charges.
Continue reading →


16
Jul 12

Spy Software Aims to Corral Money Mules

Borrowing from the playbook of corporations seeking better ways to track employee productivity, some cybercriminal gangs are investing in technologies that help them keep closer tabs on their most prized assets: “Money mules,” individuals willingly or unwittingly recruited to help fraudsters launder stolen funds. It seems that at least one mule recruitment gang employs custom software to spy on new recruits.

Last month, I heard from a reader in North Carolina named John who’d been roped into working for a company that claimed to be in the digital concierge and outsourcing business. John became suspicious that he was involved in something shady when they told him he should expect a transfer of nearly $10,000 to the personal bank account that he’d provided to his erstwhile employer in order to eventually receive a paycheck.

The software stole this glimpse of my test machine’s desktop.

The firm that hired John, a fictitious company called VIP One, recruits mules to help process fraudulent transfers from businesses victimized by account takeovers. Prior to sending its mules money, VIP One has prospective mules spend several weeks doing relatively meaningless busy work, for which they are promised payment at the end of the month.

VIP One requires all new recruits to install a “time tracking” application, basically a digital stopwatch that employees are expected to use to keep track of their time “on the job.” John was kind enough to let me take a peek inside his account at VIP One, and to download the time tracking software. It’s safe to say that time is certainly not the only thing being tracked by this program.

I installed the application in a Window XP virtual machine equipped with Wireshark, a free program that lets you inspect the data packets going in and out of a host machine. I pressed start and left the software alone for a few hours. A review of the Wireshark logs showed that the time tracking tool periodically and surreptitiously took screenshots of my system, uploading them to a site called gyazo.com. This Web site appears to be associated with a legitimate screen-grabbing application that automates the grabbing and posting online of screen captures.

My test machine also had several peripherals plugged into it, including a Webcam. To my surprise, further review of the logs showed that the time tracking tool hijacked my machine’s Web cam and took several pictures, also posting them to gyazo.com.

Continue reading →


23
Apr 12

Help Kickstart a Film on Cybercrime

A deep sense of doubt and dread began to sink in halfway through our journey down a long, lonely desert highway from just outside Austin to coastal Texas. We were racing against the clock (we’d just scarfed down our third meal in a row at a roadside Subway shop), yet my minivan companions — a filmmaker from California and a husband-and-wife camera crew — seemed pleased with the footage we’d collected so far. I was far less sanguine about our prospects, and was almost certain that our carefully-laid plans to ambush a money mule on camera were about to unravel.

'Money mule' Geridana heading home.

The scheme was hatched by Berkeley writer/director Charles Koppelman, who’d emailed me in mid-2011 about the possibility of catching some money mules on camera for a documentary he’s working on called Zero Day. Koppelman said the money shot would be a mule coming out of a bank with a wad of cash in hand, but that he’d settle for an old-fashioned sit-down interview.

At the time, I was working with a source who was injected into the communications networks of several money mule recruitment gangs. These miscreants specialize in hiring willing and unwitting “mules” through work-at-home job scams. The mules then are asked to process bank transfers that help organized cyber thieves launder money stolen from small businesses victimized by cybercrime. The networks my source was monitoring indicated the gang was grooming between 75 and 100 mules across the country on any given day, and that they were sending fraudulent transfers to mules almost daily.

I told Charles that for such a plan to work, we’d need to focus on areas that typically held the most number of mules per capita, and that meant somewhere in Florida or Texas. When my source indexed the mules and sorted them by hometown, we discovered that there were five mules being groomed for payments within about 200 miles of Austin, Texas. If we rented a car and checked in with my source on a regular basis, we might be able to secure the footage he was after, I suggested.

But I cautioned Koppelman that I gave our plan about a 20 percent chance of working. I predicted that most of the mules would quit, screw up the transfer task, or be used and discarded by the time we flew down there and actually hit the road. Indeed, when we reached our fleabag motel just south of Austin on Aug. 3, 2011, my prognostication had almost come true entirely: We were down to one last money mule: Geridana, a young, unemployed single mother of two from Webster, a small town of about 9,000 residents in southeastern Texas.

On the morning of Aug. 4, we piled into the minivan again and raced down to Webster. We didn’t attempt to make contact with her until we were parked outside of her apartment complex, which was next door to a bail bonds shop. Turns out that Geridana was a bit of an oddity: The $9,000+ the thieves had just sent her was actually the fourth such transfer that Geridana had processed in as many weeks. The most pathetic aspect of the whole scheme? She never got paid her promised monthly salary or per-task commissions.

I’ll stop the story here, because I don’t want to spoil the movie. That is, if it ever attracts enough funding to be finished. The film is co-financed by BBC Storyville, but Koppelman and his son Walker just launched a Kickstarter campaign to raise $20,000 to ensure  continued filming of the project. A short introduction to their effort (including a scene starring Yours Truly) is available in the teaser video clip below. The filmmakers are also working with New York Times reporter John Markoff, Reuters reporter Joe Menn, and author Misha Glenny.


13
Apr 12

Thieves Replacing Money Mules With Prepaid Cards?

Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money.  They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments. In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.

Some of the mule gangs I’ve identified.

But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and triggering anti-money laundering reporting requirements by the banks), cyber crooks usually send less than $10,000 to each mule. In other words, for every $100,000 that the thieves want to steal, they need to have  at least 10 money mules at the ready.

In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.

Thus, the average mule is worth up to $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40-50 percent of the fraudulent transfer amounts for their trouble. Not only are mule expensive to acquire, they often take weeks to groom before they’re trusted with transfers.

But these mules also come with their own, well, baggage. I’ve interviewed now more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, giving the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.

In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules. For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores. A majority of these low-value cards are not reloadable, unless the cardholder goes online and provides identity information that the prepaid card issuer can tie to a legitimate credit holder. After that card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.

“The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division. “We do checks against different public resources like Experian and LexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”

The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked. Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.

Continue reading →


14
Nov 11

Title Firm Sues Bank Over $207k Cyberheist

A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.

Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.

The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes prior to the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.

When Aurora visited the bank local Chase branch to get assistance, she was told she needed to deal with the bank’s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.

Capital One declined to comment for this story, citing the ongoing litigation.

Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.

Continue reading →


10
Jun 11

FBI Investigating Cyber Theft of $139,000 from Pittsford, NY

Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.

The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.

Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif. based Art Snyder Software. Most money mules were sent payments of less than $5,000.

Pittsford town supervisor William Carpenter said the FBI is investigating the incident, and that many of the details of how the attackers got in remain unclear. He said the FBI told him the thieves most likely stole the town’s online banking password using a banking Trojan. He added that the town has recovered just $4,800 of the stolen funds, the proceeds of a single transfer. I left a message with the FBI field office in New York but haven’t yet heard back.

“We have good firewalls and anti-virus software, and we weren’t at all lax in our security systems,” Carpenter said. “We thought we were pretty secure.”

Carpenter said the fraud went undetected for days. He said the town normally does its direct deposit payroll bi-weekly on Wednesdays, and that the first fraudulent transfers happened during a non-payroll week.

Continue reading →


23
Feb 11

Sold a Lemon in Internet Banking

An online bank robbery in which computer crooks stole $63,000 from a Kansas car dealership illustrates the deftness with which cyber thieves are flouting the meager security measures protecting commercial accounts at many banks.

At 7:45 a..m. Monday, Nov. 1, 2010, the controller for Abilene, Kansas based Green Ford Sales, Inc. logged into his account at First Bank Kansas to check the company’s accounts. Seven hours later, he logged back in and submitted a payroll batch for company employees totaling $51,970. The bank’s authentication system sent him an e-mail to confirm the batch details, and the controller approved it.

The controller didn’t know it at the time, but thieves had already compromised his Microsoft Windows PC with a copy of the ZeuS trojan, which allowed them to monitor his computer and log in to the company’s bank account using his machine. Less than an hour after the bookkeeper approved the payroll batch, bank records show, the thieves logged in to Green Ford’s account from the same Internet address normally used by the dealership, using the controller’s correct user name and password.

The attackers cased the joint a bit — checking the transaction history, account summary and balance — and then logged out. They waited until 1:04 p.m. the next day to begin creating their own $63,000 payroll batch, by adding nine new “employees” to the company’s books. The employees added were in fact money mules, willing or unwitting individuals recruited through work-at-home job scams to help crooks launder stolen funds.

Green Ford’s controller never received the confirmation email sent by the bank to verify the second payroll batch initiated by the fraudsters, because the crooks also had control over the controller’s e-mail account.

“They went through and deleted it,” said Green Ford owner Lease Duckwall. “If they had control over his machine, they’d have certainly had control over his email and the password for that, too.”

To me, this attack gets to the heart of why these e-banking thefts continue unabated at banks all over the country every week: An attacker who has compromised an account holder’s PC can control every aspect of what the victim sees or does not see, because that bad guy can then intercept, delete, modify or re-route all communications to and from the infected PC. If a bank’s system of authenticating a transaction depends solely on the customer’s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today’s more stealthy banking trojans.

It is difficult to believe that there are still banks that are using nothing more than passwords for online authentication on commercial accounts. Then again, some of the techniques being folded into today’s banking trojans can defeat many of the most advanced client-side authentication mechanisms in use today.

Banks often complain that commercial account takeover victims might have spotted thefts had the customer merely reconciled its accounts at day’s end. But several new malware strains allow attackers to manipulate the balance displayed when the victim logs in to his or her account.

Perhaps the most elegant fraud techniques being built into trojans involve an approach known as “session riding,” where the fraudster in control of a victim PC simply waits until the user logs in, and then silently hijacks that session to move money out of the account.

Amit Klein, chief technology officer at Trusteer, blogged this week about a relatively new strain of malware dubbed OddJob, which hijacks customers’ online banking sessions in real time using their session ID tokens. According to Klein, OddJob keeps online banking sessions open after customers think they have “logged off,” enabling criminals to extract money and commit fraud unnoticed.

All of these developments illustrate the need for some kind of mechanism on the bank’s end for detecting fraudulent transactions, such as building profiles of what constitutes normal customer activity and looking for activity that appears to deviate from that profile. For example, in almost every case I’ve written about, the victim was robbed after thieves logged in and added multiple new names to the payroll. There are most certainly other such markers that are common to victims of commercial account fraud, and banks should be looking out for them. Unfortunately, far too many small to mid-sized banks outsource much of their visibility at the transaction level to third-party service providers, most of whom have been extremely slow to develop and implement solutions that would enable partner banks to flag many warning signs of account takeovers.

Continue reading →


8
Nov 10

Authorities Nab More ZeuS-Related Money Mules

Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months.

In Wisconsin, police arrested two young men who were wanted as part of a crackdown in late September on money mules who were in the United States on J1 student visas. The men, both 21 years old, are thought to have helped transfer money overseas that was stolen from U.S. organizations with the help of malicious software planted by attackers in Eastern Europe.

Codreanu and Adam

Dorin Codreanu and Lilian Adam, both originally from Moldova, are being transferred to New York, where they were charged on Sept. 30 in connection with the international money laundering scheme (hat tip to Sophos).

In related news, the government of Moldova’s Specialized Services Center for Combating Economic Crimes and Corruption (CCECC) announced late last month that it had detained six individuals suspected of helping the same international ZeuS gang launder money.

All six of those detained were bank employees, and one worked at the Bank of Moldova. According to Moldovan authorities, the suspects allegedly specialized in intercepting Western Union and MoneyGram payments that mules had sent to Eastern Europe after receiving bank transfers from organizations victimized by the ZeuS Trojan.

Altogether, Moldovan prosecutors are looking at 12 suspects, including a government official who is alleged to have provided the group with copies of ID cards needed to open bank accounts. That nation’s anti-corruption center said it has conducted over 30 searches at detainees’ houses, and seized at least $300,000, a gun, and two luxury cars.

Eleven of the 37 money mules charged in September in connection with these attacks are still at large. Photos of the suspects are available at this alert posted by the FBI.


28
Sep 10

Fake LinkedIn Invite Leads to ZeuS Trojan

A major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan.

The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com.

On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS.

This attack will no doubt fool a large number of people. Dan Tynan, a reporter for IT World, said he was tricked into clicking the link and possibly infecting his system.

It’s a good idea to avoid clicking social networking site invites that arrive by e-mail, especially if you don’t recognize the name of the person who’s inviting you. Instead, consider just browsing to the social networking site and handling any invites there. Also, this attack is a good reminder that it pays to stay up-to-date on the latest security patches.

What interests me most about this scam is that it shows that criminals wielding ZeuS are now using employment-oriented online services both to infect new PCs and to “cash out” these same victims, thanks to money mules recruited at job search sites like Monster.com and Careerbuilder.com.

I asked Cisco to supply more information about the domains used in this attack. Some of that information is included at the summary listed here (please take care with the domains on this list — they all should be considered hostile).