April 22, 2010

A fire alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account.

On Wednesday, Apr. 7, Ft. Smith based JE Systems Inc. received a call from its bank stating that the company needed to move more money into its payroll account, chief executive Melanie Eakel said. Over the course of the previous two days, someone had approved two batches of payroll payments — one for $45,000 and another for $67,000.

“They said ‘You’re overdraft,’ and I told them that was impossible because we didn’t do our payroll…we do it every Thursday,  not on Mondays at 2 a.m., which was when this was put through,” Eakel said. “I told them we did not authorize that.”

A few days later, however, the First National Bank of Fort Smith sent JE Systems a letter saying the bank would not be responsible for the loss. First National did not return calls seeking comment.

“They said it was our [Internet] address that was used to process the payments, and our online banking user name and password,” Eakel said. “I feel like the bank should have caught this.


As Eakel discovered the hard way, businesses do not enjoy the same legal protection against online banking fraud afforded to consumers. All the attackers need to do is trick an employee with access to a company’s bank accounts into opening a booby-trapped e-mail attachment or specially crafted link: From there, the attackers can plant malware on the target’s system and siphon any credentials stored on or transmitted through the infected PC.

Whether or not that company will ultimately lose money from such an intrusion depends on a great many factors (including whether or not the bad guys who stole the credentials ever get around to using them). Having interviewed more than 100 companies that have been hit with this type of attack, however, I can say that when a victim loses money there is usually plenty of blame to go around for the both the bank and the customer.

First off, far too many banks still rely purely on user-facing security mechanisms for authentication, such as passwords, secret questions, and one-time tokens. All of these — even when used in tandem — have been defeated by the organized criminal gangs that targeted the companies I have interviewed.

Part of the problem is that most banks — even the smaller ones — no longer know their customers, by sight or by name. Consequently, few banks actually have a good feel for what their customers’ normal transaction activity looks like. That wouldn’t be such a big deal if most banks substituted that lack of knowledge for some type of technology that builds a profile of customer transactions, and then alerts the bank and/or the customer when anomalies arise. However, relatively few banks employ this type of technology today, particularly for their commercial customers.

Many of the business owners who lose sizable amounts of money from this type of fraud are not in the habit of reconciling their books on a daily basis. Indeed, a majority of the victims I’ve interviewed who lost substantial sums failed to detect the missing money for more than 24 hours. This is not to say that victims who discover the fraud on the same day it is perpetrated always recover some or all their money, but they stand a far better chance of doing so than those who don’t detect it right away.

Back to the banks for a second: At what point are the financial institutions of this country going to begin placing giant red flags on new accounts that suddenly receive deposits of slightly less than $10,000, money which the account holder shows up to withdraw in cash shortly thereafter? For that matter, shouldn’t the companies that facilitate the subsequent wire transfers be held to a higher standard?


JE Systems was robbed with the help of at least a dozen different “money mules,” willing or unwitting individuals in the United States who are hired through work-at-home job scams to help crooks launder their money. In every case I’ve covered, the mules pulled the money out in cash, wired the funds overseas to Ukraine and Moldova, and kept about eight percent in “commission” (minus the hefty wire fees).

For her part, Eakel said her company certainly could have been more vigilant with its books. But she added that she’d like to see some of the money mules prosecuted for aiding and abetting fraud.

“It’s overwhelming my emotion to talk about this,” Eakel told Krebs on Security in a phone interview, audibly choking on the words. “These mules or whatever they are need to find a real job and a legal, honest way to earn their money just like the rest of us, and stop stealing from innocent small businesses. Honestly, I don’t understand how these individuals can sleep at night.”


Category: Small Business Victims

eBanking Guidance for Banks and Businesses

Regulators Revisit eBanking Security Guidelines

59 thoughts on “Fire Alarm Company Burned by e-Banking Fraud

  1. emv x man

    It’s banks like First National Bank of Fort Smith that are a compelling reason for businesses to go back to writing cheques; of course they should have seen – and stopped – the irregular activity.

  2. Kevin

    Online banking: just DONT do it!

    The company was not robbed, the bank was. Why isn’t the bank stepping up to protect its customers? Do they not want the business?

    P.S. Death to mules!

  3. Matthew Walker

    It appears once again a transaction authentication requirement for the outgoing online transfer could have prevented the theft, at least transaction authentication of the outgoing account creation.

    Interesting however if the transfer was authorized at 2am it is likely nothing more than a username and password was implemented by the bank (I cannot imagine staff being online at this time which they would need to be tricked by a MITB type Trojan attack on an OTP token).
    If a simple username and password were all that was required to authenticate an outgoing transfer of that size the bank should definitely be held responsible.

    The be fair to the mules I can understand how some people could genuinely fooled into believing they have a real job, some of the spiels are pretty convincing and not everyone goes through life assuming deceit.

    1. Mike

      “If it sounds too good to be true, it is.”

      Why would someone pay you money to receive an automated transaction, withdraw it in cash, then wire it somewhere? Why wouldn’t the transaction just go to its final destination? Are you doing any work which in any way justifies taking a relatively large commission? This isn’t “going through life assuming deceit”, this is “you think you’re going to cash in and are willing to ignore the obvious signs that you’re involved in something shady”.

      1. Matthew Walker

        The common story is they need a local payment processor to collect on their behalf because of local payment restrictions. This actually isnt so farfetched as many countries in Asia, Middle East and probably Eastern Europe do have difficult regulatory laws on the external transfer of money. Even Paypal had their cross border service stopped in India last January because of regulatory complications.


        Trying to register with a an online credit card processing company in many parts of the world is almost impossible and even I (Living in Asia) at one point when setting up an online business considered asking a friend in America to register an account with Paypal America on my behalf purely to take advantage of the extra API features Paypal only offers to their US customers (primarily being able to charge directly on your website and not have to forward everyone to a giant Paypal Ad processing page with a tiny hidden link to charge peoples credit card). HSBC in Hong Kong wants a half million dollar account deposit before they will grant on site credit card processing so you can imagine the nightmare for merchants in somewhere like Pakistan. All these things could under reasonable circumstances drive a genuine company to a similar situation.

        The 10% fee rate is not entirely out of reality either as I have seen genuine online processors asking exactly 10% for difficult countries and online websites of pornographic contentget charged around this rate where apparently the chargeback rates are enormous.

        Would I fall for the scam, no, and I do believe many mules know exactly what they are getting themselves into however I am certain many genuinely have no idea it is a scam and prosecuting these types of people (possibly older people from a more honest time) wouldn’t be a just thing to do.

        1. Mike

          So how does being asked to skirt local regulations not equate to something shady in your mind? In the example you give, the mule isn’t tricked into doing something illegal, they’re simply tricked into do a different illegal thing than they were told they’d be doing. My point remains–don’t make excuses for the mules because they should know that they’re being asked to do something shady even if they’re not sure what it is.

          1. Matthew Walker

            It is not skirting any local laws for the mule so you need to define “illegal” more clearly, as far as I know “starting a business” in America isnt illegal. The job requests are almost always purporting to be from an international company and they dont say “we are breaking our own countries laws” they talk about technical implementation difficulties and business opportunities.

            Dont think I dont fully believe many of the mules know exactly what they are doing and then just act simple when the police turn up however there will be alot of decent regular folks behind those doors too.

            For those here saying “death to the mules” or give them life in prison for bank robbery I think you need to step outside the IT circle and go and talk to the average person and realize they have no idea about international monetary regulatory standards, Online payment processing procedures or how international business is normally conducted. None of that would even remotely equate to doing something illegal in their minds especially as I said before that a little google research will show international online payment processing is a major headache for legitimate companies.

      2. Louis

        There is something misunderstood here, those people are fooled into perpetrating a crime.

        The work they do is hog-wash, like translating fake documents or answering surveys, or whatever.

        They get a notice of being required in assistance to solve a problem, which turns out to be the handling of those funds.

      3. AlphaCentauri

        “Why would someone pay you money to receive an automated transaction, withdraw it in cash, then wire it somewhere? ”

        We aren’t talking about financial wizards when we talk about money mules. We’re talking about people who are usually out of work and desperately broke, people who weren’t making much money when they did have a job. They hear about people on Wall Street getting six and seven figure incomes, work which basically consists of having people send them money in an automated transaction and sending it somewhere. They don’t understand how there can be such a disparity in what they got paid for working hard all night cleaning toilets and what someone else makes for going out to lunch with rich people. They think they’re being offered a chance to get into the same line of work. Since there is zero chance of them actually keeping the money they were “paid,” ignorance and naivete are the only explanation.

        We could help the situation by making sure everyone in the US got a thorough education in economics in school. But then it might be harder to find cheap labor to clean our public toilets.

    2. Rick

      It appears once again someone is using an insecure solution for online banking when Bk explained eons ago how to do it with little or no risk whatsoever.

      1. AlphaCentauri

        This is a little different from the ZeuS man in the middle attacks discussed in other articles. While it’s not inconceivable a firefighter might be doing banking at 2 am, the story we’re told is that no one did any online banking at that time at all. The password had to have been captured earlier. Very unsophisticated malware can do that. Based on the experiences a lot of us have when we visit relatives for holidays and spend time getting all the malware off their computers, banks need to be assuming there is crap on a high percentage of their customers’ computers. Since they’re still encouraging online banking, and since they have to reimburse non-commercial customers’ losses, one would hope they have some strategy to deal with the problem.

  4. Rob

    I agree that there is blame to go around but I don’t think the banks will change until it is forced on them. I suppose the discipline of the market place could force them but that seems unlikely given how unaware of this problem people still are.

    Updated guidance from the FFIEC is needed and it needs to be strong – along the lines of stating that transactions must be secured even when initiated from malware infected computes.

    In the mean time banks will continue to steer towards either convenience or security. This goes for large and small banks. Some banks require very good common sense security measures that make defeating them difficult. Others require almost no security and make it much more likely that their customers will be victims. Leveling the playing field with more specific guidance from the regulators would go along way.

    1. TheGeezer

      “I don’t think the banks will change until it is forced on them”

      The laws on usury are quite clear, yet many banks have been skirting these laws. Massachusetts announced it would move nearly a quarter of a billion dollars away from banks that refused to cap their interest rates to meet a state guideline of 18%.

      Organized community pressure is required to exert this type of pressure. Some have done it with the help of Metro IAF. (see video: http://www.youtube.com/watch?v=MIk-OLiVq1c).

      The same pressure should be applied to registrars whose Computer Emergency Response Team (CERT) does not consider deactivating domains registered with them for the sole purpose of installing bots, viruses and other malware as an emergency.

      This should also apply to web hosting companies who turn a blind eye to hosting sites with the express purpose of phishing. One such web hosting company is http://www.t35.com whose member sites represented 10% of all phishing activity reported to http://www.phishtank.com in march of this year.
      (ref: http://www.siteadvisor.com/sites/www.t35.com).

  5. TheGeezer

    And we can expect this to continue as long as there are registrars unwilling to take down domains which are being used for the famous IRS exploit which tricks the recipient into installing the zbot under the guise of ‘reviewing’ their tax statement.

    The Zeus/Avalanche botnet has tried several of their favorite registrars for the IRS exploit since late february. So far, these registrars have been very quick in unregistering these fraudulent domains, including even Moldova!! But they will eventually find a complicit registrar.

    As I write this, they are using St. Helena (cert@nic.sh) for their IRS exploit domains. Internet Computer Bureau plc. (http://www.icb.co.uk/) claims to provide “technical and policy” support (Info@icb.co.uk) for the St. Helena “sh” ccTLD domains.

    However, they seem to have no interest in taking down domains which clearly exist for the sole purpose of installing the zeus bot.

    And of course, ICANN can’t help. They will respond with “we’re not law enforcement” which of course we all know. But they are also not a regulatory body either for the same reason that the US Congress has trouble regulating financial institutions; too many of their voting members represent the very institutions that profit from the lack of regulation.

    1. TheGeezer

      Update: The St. Helena domains used for IRS fraud (install of zeus bot) were taken down at 10-04-22 17:43, less than 7 hours after I posted this comment. They had been up for at least 45 hours. Sometimes a little negative publicity is what is needed.

  6. wiredog

    First, is there insurance companies can buy against this sort of thing? If so, is there an online banking ‘best practices’ certification like the “UL” one?

    Second, I get emails via Career Builder about once a month or so from money mule recruiters and have been forwarding them to you. Are those useful to you, or am I wasting your time?

  7. Jose L. Navarro

    All these problems will be solved when the Banks and the customers understand that the solution for this type of fraud is very simple.
    Provide or use a dedicated workstation for banking purposes ONLY! No access to other Internet sites allowed that the Bank, No Email access allowed on this workstation, no browsing to any other sites permitted at ALL on this PC. With the cost of about $300 you can buy yourself peace of mind. Of course that if there is internal collusion or fraud from within the clients’ offices this cannot be stopped, but it will make it quite easy to find if you have restricted access to this workstation.

    An once of precaution today is worth a ton of regret tomorrow!

    1. ThinClient

      Even less than $300 when you use a thin client workstation. It’s especially safe, with a read-only file system, which reloads a fresh copy of the OS from Flash memory every time you turn it on. No hard drive to become infected.

      I just happen to have 25 HP/Neoware e140 Thin Clients in stock that would do just fine.


      These are new, with keyboards, in the original packaging, never used.

      They could even share the Keyboard, Video Screen & Mouse of your primary PC, by using a KVM switch.

      Email: Admin Contact for idelphia.net

    2. Nicholas Weaver

      Even better as a business, JUST DON’T DO ONLINE BANKING unless you get a letter from the bank, in advance, saying that they, not you, will eat the cost of such fraud.

      Doing online banking on a dedicated terminal defeats much of the advantage of online banking in the first place, namely, being able to integrate it into the accounting software.

      Frankly speaking, printing checks on a printer would be better than a dedicated terminal with online banking: then at least you gain much of the real benefits, without the risk.

      1. Rick

        Bk says: use a live Linux CD or switch to OS X or a Linux or a BSD.
        You say: no way – I’d rather abandon online banking than abandon Windows.

        Do you see the sign on your forehead?

        1. Mr West

          Come on please… Switching to ANY OS with a Write bit on IS NOT A SOLUTION. Here we go again with “… get a mac” as a solution. Just becuase the Mac (and Linux) is a solution that is CURRENTLY enjoying an “ignored status” by most hackers, does NOT mean that their users won’t be the ones crying on Krebs next week. Please when you offer a solution make sure it doesn’t suffer from the same potential flaws that allowed the original failing or you are truely doing the person taking your advice a disservice.

        2. Andy

          I think what is required is a degree of flexibility from all parties concerned. To say one would rather abandon online banking than abandon windows is silly. Use Windows by all means for other tasks, just be sensible and don’t use Windows for online banking. Common sense is required.

          If the bank you are with isn’t going to improve it’s security including that for internet banking then move to a better bank. Not always possible but if a bank starts losing customers they might just get their act together, especially if they know why.

          Is this type of fraud on the news much? If it was it might just get peoples attention and they might change their behaviour and stop themselves having their bank accounts emptied. Wait until it happens to a company owned by a senator or someone else high up. Things might happen then.

          I use Linux. My choice, has been for years and will be for years to come.

    3. Terry Ritter

      “Provide or use a dedicated workstation for banking purposes ONLY!”

      While using “a dedicated workstation” is better than nothing, it is not nearly enough. Any computer operator can make one mistake, and it only takes one mistake for malware to infect Microsoft Windows. Once infected, the computer remains infected and the malware runs on each and every session until the operating system is re-installed, which almost never happens. The computer owner and operator generally have no idea that their computer has become infected.

      Not using Microsoft Windows is important because almost all serious malware uses Windows. Modern malware is about profit, and around 93 percent of browsing occurs under Windows. By not using Windows we avoid most serious malware.

      Using a “Live” boot CD is best, because malware normally infects an easy-to-write hard drive, but cannot infect a tough boot CD or DVD. By booting from a DVD, every session starts out clean, and then we do banking before anything else.

      Those concerned about securing online banking can and should learn to use a simple, free, Linux “live” DVD. I use Puppy Linux. I am using it now.

      For me, Puppy is basically an easy way to start and run the Firefox browser and then work in the browser instead of fooling around in Linux. While Puppy is easy enough to use, some technical help probably will be needed to set it up. Information is available online, including my articles:


      1. Rick

        Here is is again – someone merely reiterating what Bk’s said all along. And you eejits just mod it down. Tell me this site isn’t being astroturfed by MSFT.

        1. wiredog

          Not MSFT. I suspect some of BKs opponents are doing it.

    4. jml

      Re: “No access to other Internet sites allowed that the Bank,” which I presume was meant to say “than the Bank”, one of my compatriots started down this path, and then queried me on the best way to write “permit” firewall rules for Akamai, as the bank website uses Akamai as part of its website.

      Not sure whether this was solely static content, but since I’ve heard presentations from Akamai about how they’re now offering “application acceleration” services to increase responsiveness of dynamic Javascript websites, I’m thinking it’s not-unlikely that there’s also code coming down from Akamai to the banking web browser. And while I’m sure Akamai does diligence in their code-submission and distribution processes, I can’t help but think of the malware-distributing ad networks when I lie in bed, not sleeping.


    5. Marty

      One of Brian’s best suggestions deserves repeating here:

      “Any solution that does not assume the customer’s machine *is already compromised by malware* stands zero chance of beating the bad guys at their own game. ”

      This must be the baseline for all online banking.

    6. PeteyB

      Would a virtual machine used only for online banking still be succeptable to these attacks? I’m just wondering why people always reccomend using seperate “hardened” machine when Virtual Machines are so easy to set up.

      1. BrianKrebs Post author

        Petey, thanks for your question. Virtual machines are probably better than nothing, but they would almost certainly be susceptible to these sorts of attacks.

        Bear in mind that most keystroke loggers hook the keyboard at a fundamental level on the infected PC. Which means in theory that they could just as easily hook the keystrokes on a virtual machine that’s running on top of Windows.

        What’s more, most malware includes what’s known as a form grabber, which can theoretically capture credentials sent in any outgoing http or https:// transactions on an infected Windows machine.

  8. Laura

    Another way to detect this type of behavior is to perform behavior analytics on a per-session basis. This is much less expensive than doing behavior analytics per user and can be very effective.

    1. Solo Owl

      Huh? Please be precise, or link us to a description.

      1. PeteyB

        What Laura is reffering to is monitoring the way your client interacts with your online banking site. ZueS works by knowing the layout of the specific site it is going to attack (form layout, which pages contain which information, etc.) so if your client is jumping between non linked pages, or entering information too fast, or hidden input fields are superfluously added to pages, the bank should be alerted by this suspiscious activity and dissalow the transer.

  9. WPSecurityLock

    Wow! It’s unbelievable the length thieves will go to.

    Thanks for sharing this eye-opening story. It’s a great reminder to keep a watchful eye on all our online business accounts.

    Securely yours,

    Regina Smola

  10. Brice Smith

    I understand that banks can do more to detect fraud based on what is the “norm” for a customer. What I don’t understand is the companies themselves have to accept some of the blame. They are the ones clicking on links and/or attachments about a UPS/DHL/FedEx shipment that didn’t arrive for some strange reason. They need to seek out help and spend a little bit or they may lose a lot in the end.

  11. Marty

    Another great report/analysis Brian.

    This is just another example of a bank being robbed due to the bank having inadequate security, and then directly passing their loss onto their customer.

    “They said ‘You’re overdraft,’ and I told them that was impossible because we didn’t do our payroll…we do it every Thursday, not on Mondays at 2 a.m., which was when this was put through…”

    This would be laughable if it weren’t so sad. It is trivial for the bank to implement fraud detection services that would have detected and held this anomalous transaction until it could be verified. Why don’t they? Because they dont have to! The bank can allow this type of bank robbery to occur and it is too easy for the bank to just directly pass their loss onto their customer, no questions asked.

    “But she added that she’d like to see some of the money mules prosecuted for aiding and abetting fraud.”

    Well said. These “money mules” are accomplices to bank robbery (no different from one who drives the “get-away” car). Publically prosecute and put a couple of these “money mules” in jail and we will see a big drop in this type of fraud. Money mules are no less guilty (unwitting or otherwise) than drug mules or money launderers.

    Something that is closely related is “identity theft”. Why do you think the banking industry invented the term “identity theft”? [Keep in mind that there is no such thing as “identity theft”, one’s “identity” can’t be stolen!] The term “identity theft” was invented as a way for financial institutions to directly pass their losses due to bank robbery onto their customers, no questions asked. Think about it. The sad part is, too many people have actually bought into the whole “identity theft” ruse, letting the banks off the hook to directly pass the bank’s losses onto their customers. [Lots of bankers giving high-fives]

  12. Alarm Guy

    Are you kidding me? Robbery alarm?
    “pull here in the case you are stealing stuff” not a deterrent, just a sign that says “i can afford an alarm.

  13. Alarm Guy

    “They said it was our [Internet] address that was used to process the payments, and our online banking user name and password,”

    What? are they saying they are not responsible for payments online from their site?

    if it’s his ip address, then the hackers could not have been from another location. they need to check video tapes and bust the clean up crew who stumbled into the bosses office with his computer on.
    they also need to just go to the account that the money was shipped to.

    the rest of their rant and frustration is newbish and immature.

    1. Erik

      And I thought this site was visited by techies only… Ever heard of remotely controlling a computer? Once the customer’s computer is under control of the bad guy, he just opens a Remote Desktop session to it and uses it to initiate the transfer.

    2. BrianKrebs Post author

      Hi Alarm Guy. Just a quick note about the malware that these gangs typically use to steal credentials from victims: Zeus.

      Zeus often ships with a plugin called “backconnect,” which allows the bad guys to tunnel back through the victim’s PC to access the bank’s site. This is designed to get past the technology that some banks employ, which examines not on the IP address of the customer’s transaction, but also tries to validate the “device fingerprint” of the customers’ browser.

    3. ITGuy

      Wow! Alarm Guy you really have no idea how these scams work do you? One of the first things we did was review security cameras to rule out the possibility of an internal attack. Your comments are the only Newbish and immature ones here.

  14. Gavin

    For those that see prosecuting the “mules” as part of the solution, I understand, but I don’t doubt for one second that it would not fix the problem in the least. I’d draw attention back to one of Krebs’ February blogs, “$164,000 E-Banking Loss” here, which gives rather more of the unsuspecting accomplice’s angle:


    The cybercriminals go to great lengths to seem legitimate and there will always be a large number of entirely honest people falling for their ruses.

    I wonder if there should be a greater movement towards careful vetting of the classifieds pages and websites of those companies posting job applications though? It would be infeasible to pass legislation that forces every job-posting outlet to background-check every submission, but the major online job search players have a duty in my opinion to keep their services as free and clear of such dirt (and provide copious warnings for users).

    This is exactly the same logic as suggesting (rightfully in my opinion) that banks have an obligation to keep financial transactions through their systems as free from fraud as they can, using pattern detection software, delays on red-flagged transactions, online banking education to the end-users and so on.

    The only solutions to this kind of crime will come from participation and awareness from the companies and individuals involved at every stage in the fraud pathway.

    — Gavin

    1. Beeker

      One of the main thing that “mule” gets recruited is the desperation on money issues as the economy has tanked for the past 3 years that push normal people into doing something they would not normally do. I’ve gotten my shares of it and deleted it because it looks legitimate. I even got one with a slick website identifying the company, only problem is they do not have some information about the company and it’s purely non existent when you try to find out about the company in other ways. With that, I deleted it.

      The point is that the banks should be vigilant in looking at the timing of the money going in or out especially when you are dealing with payroll as the story is about. The time was at 2 am on a Monday not the normal Thursday payroll day.

      My experience(I am an accountant and know the banking system due to my experience working there) is that companies have the tendency to delineate the different accounts for specific purposes with a master account out of sight only accessed by senior management personnel.
      I am guessing the Fire Alarm company did not have a specific account that identified to the bank that it is a payroll account which should have been a tip-off when activities occurs on other days than the normal day.

      1. AlphaCentauri

        In addition to have slick websites, they incorporate phishing techniques — they spoof legitimate companies’ websites the same way sites that steal passwords do. So a potential mule who is trying to do his homework and research the company offering him this job will find it’s a legitimate company that has been around for a while. Except that he’s researching the real company based on the name on the website, not the domain name in the browser navigation window. Most people wouldn’t know how to look up the whois on a domain to distinguish domains owned by the real company (eg., amazonaws.com really is owned by Amazon) and spoofed websites on domains registered two days ago with fake registrant information.

      2. ITGuy

        The account was a payroll only account and yes there shouldve been huge red flags going up when activity occured on odd days, at odd hours, to odd people all across the United States.

  15. AlphaCentauri

    For people who want to know what one of these looks like, there is an active domain at personalfincomp.com right now. I found it by searching some of the text from a similar site listed on bobbear.com. (I don’t recommend going there with Internet Explorer or with Javascript/Flash enabled).

    You can see why bobbear is nervous about risking legal action from owners of websites he profiles. It’s not that easy to see that this is fraudulent. The site presents itself as catering to companies looking to hire people, not to money mules. You have to dig to find their company personnel page personalfincomp.com/about/team.htm that lists people supposedly with the company since 2001, though the domain was only registered in March 2010. Without bobbear, I’d never know that the same people supposedly work for Allston Group, Inc. too. allstongroupinc.tw/about/team (All the job listings are dated since the date of the domain registration, so again, it’s not obvious there’s a discrepancy.) The domain is registered with Melbourne/Yahoo using privacy protection, so you can’t just check the registrant details. When you follow the link for “vacancies” to personalfincomp.com/vacancies/default.htm you see what is probably the real come on:

    >Our vacancies:
    >Accounts Receivable Specialist
    >Location: USA, statewide (The vacancy is valid for US residents only)
    >Employee Type: Full-Time Employee
    >HR Training & Development Specialist
    >Location: USA, Boston (The vacancy is valid for US residents only)
    >Employee Type: Full-Time Employee
    >Payment Processing Assistant (hot)
    >Location: USA, Canada (This vacancy is valid for US and Canadian residents ONLY)
    >Employee Type: Part-Time Employee
    >AVAILABLE More Detail
    >MARKETING DEPARTMENT MANAGER (financial services market analyst)
    >Location: USA, Boston
    >Employee Type: Full-Time Employee
    >Computer Operator
    >Location: USA, Boston
    >Employee Type: Full-Time Employee
    >System Administrator
    >Location: USA, Boston
    >Employee Type: Full-Time Employee
    >Location: USA, Boston
    >Employee Type: Full-Time Employee
    >Customer Service Manager
    >Location: USA, Boston
    >Employee Type: Full-Time Employee
    >Sr. Secretary
    >Location: United Kingdom, London
    >Employee Type: Full-Time Employee
    >Tax Manager
    >Location: Germany, Berlin
    >Employee Type: Full-Time Employee
    >Regional Operations Director
    >Location: USA, Boston
    >Employee Type: Full-Time Employee
    >Chief Financial Officer
    >Location: Germany, Berlin
    >Employee Type: Full-Time Employee
    >Audit Manager
    >Location: Canada, Ontario
    >Employee Type: Full-Time Employee

    So it gives the impression it’s a multinational company, that they’ve hired a lot of people, and that there is only one opening still available. The vacancies that have supposedly been filled require significant education and experience. But the one that is open does not:

    >Payment Processor
    >Status: Open
    >Employee Type: Part-Time Employee
    >Number of employees required: 3
    >Candidate Requirements:
    > * not less than 18 years old
    > * internet access
    > * availability by phone (1-2 hours a day)
    > * a bank account to process payments
    > * good credit history with your bank (new bank account is optional)
    > * no criminal offense or convictions
    > * experience in the field of finance is preferred
    >We are searching for employees to process
    >payments coming from our clients. Allston Group
    >Inc. will provide an agent with detailed instructions
    >as in regard to payment processing operations,
    >including sender full name and amount total for each
    >separate case. When funds enter employee’s bank
    >account, Payment Processing Agents duty is to
    >withdraw cash and transfer the funds via
    >International Wire Transfer or Western
    >Union/Money Gram money transfer systems. The
    >main advantage of our services is the shortest
    >possible time within which the seller can receive
    >money for the services/goods sold. If this operation
    >is delayed, our clients are entitled to cancel their
    >contract with us and we suffer financial loss.
    >Therefore, successful applicant must be very
    >responsible and careful!
    >Successful applicants are offered the position on a
    >probationary period basis (1 month). This is the
    >period when a new employee will be trained and
    >receive online support while working and being paid.
    >A personal supervisor can recommend termination
    >during/after the trial period depending on agent’s
    >activity. New employee should be responsible and
    >strictly follow supervisor’s recommendations to pass
    >the Probationary Period successfully and be
    >employed by us on a regular basis.
    >During the probationary period we offer USD 2,300
    >monthly salary plus 8% commission for each
    >payment processing operation. For example, an
    >average $5,000 payment will entail $400
    >commission (but WU/MG fee is paid from this
    >money, please see below for more details).
    >Furthermore, we offer $50 bonus for each
    >transaction completed by 11 a.m. (local time). With
    >the current number of clients, on average, your
    >overall income will amount to up to USD 4,000 per
    >month. A successful agent may ask for additional
    >tasks and earn more. After the probationary period,
    >base salary goes up to USD 3,000 per month plus
    >8% commission. Base salary ($2,300) will be
    >transferred at the end of the month to employee’s
    >bank account via Direct Deposit. Commission (8%) is
    >to be deducted from the processed money at the
    >time of the transfer.
    > * Payment Processing Agents is supposed to
    >process received assets during one business day, i.e.
    >from the moment of money entering their bank
    >account to the moment of re-send to our client in
    >accordance with contract terms. If money enters
    >employee’s account on a day-off or holiday, all
    >payment processing procedures have to be
    >completed during the next working day.
    > * Payment Processing Agents receives invoices for
    >each transaction every 14 days. This document is a
    >confirmation of transaction validity and in case of
    >any (if any at all) unforeseen circumstances it will
    >evidence your personal non-participation. All
    >invoices will contain detailed information on money
    >sender and will be both sealed and certified with
    >President’s signature.
    > * After the Probationary Period completion,
    >invoices will be sent every business day.
    > * Since business transfers can be processed with
    >delays, Payment Processing Agents should specify
    >each transfer as a private transaction. This provision
    >is also applicable in case of a third party interest in
    >the transfer.
    > * Our clients appreciate our operational efficiency
    >and are ready to pay extra fee for shorter
    >transaction terms. If we manage to deliver goods to
    >buyer within 5 days, the deal is considered to be
    >fulfilled at the earliest possible date.
    > * All the fees (WU/MG) are paid from employee’s
    >commission. HOWEVER, our company undertakes
    >to reimburse part of expenses which are incurred in
    >connection with money transfer (WIRE or by
    >Western Union/Money gram system) should money
    >transfer charges exceed 3%. All in all, your net profit
    >will amount to 5-8% of the total amount of each
    >payment processing operation.
    > * We don’t ask for any investment to start
    >cooperating with our company.
    > * The company offers incentive bonus program
    >based on work results with regard to several factors,
    >i.e. total sum of money transferred, payment
    >processing time, etc.
    >Probationary period imposes restrictions on the
    >employment benefits of our corporation. Payment
    >Processing Agents will be able to receive Allston
    >Group Inc. employment benefits only after
    >probationary period completion. Employment
    >benefits will include:
    > * stock options
    > * health & dental insurance
    > * flex-time
    > * free training and professional development programs
    > * 401k
    >*Detailed information concerning the employment
    >benefits will be provided after probationary period
    >successful completion.

    Stock options? Health and dental? Flex time for a work at home scheme? They’re clearly not trolling for people who have any idea this is a scam

      1. AlphaCentauri

        I still don’t understand why banks don’t form a cooperative to flood these offers with fake responses. Volunteers like Scambaiters can’t do the same job, because it’s not sufficient to just answer the spam and pretend to be a mule. It’s critical to be able to create dummy bank accounts and to monitor those accounts for any activity.

        In such a system, the moment funds would be transferred into one of the dummy accounts, an early warning system would be triggered to alert the victim’s bank of the scam. Then, not only would those fund revert to the victim’s bank, that bank could also reverse any other transfers before the real mules could withdraw them.

        Is there some law preventing this that we should be lobbying congress to change?

        1. TheGeezer

          “I still don’t understand why banks don’t form a cooperative to flood these offers with fake responses.”

          Good point. I don’t understand either. In fact I think it was one of Krebs’ reports that mentioned that the banks have already gone together to hire a service to protect them against phishing. I don’t recall the name of the outfit providing that service but I am surprised they haven’t suggested the same tactic.

          A headline in a major newspaper like “XYZ bank foils internet money laundering scheme” would be great positive publicity for XYZ bank. The only reason I can see is: why bother as long as the cost is passed along to the consumer anyway. However, I would think that the first bank to get such a headline would cause other banks to be very eager to get into the act.

          Another point to consider is that the installation of the bot, the theft of the funds and the laundering of the money is big business. And like any business it does have to make a profit. I wouldn’t think you would have to foil every attempt to affect their bottom line. A few ‘quarterly reports’ in the red could do them in.

          I don’t think we could ever overstate the importance of Krebs’ reporting on these issues in getting any public awareness at all. Krebs’ reporting has made it quite clear that this is not just something of interest to computer and security geeks. Small business are being destroyed. Maybe eventually it will become a “60 Minutes” topic.

        2. Matt Walker

          “I still don’t understand why banks don’t form a cooperative to flood these offers with fake responses.”
          I imagine the reason is their legal departments would have a heart attack over exposure to possible lawsuits if they accidentally flooded the wrong offer. Protective measures are one thing but offensive is a different story from a legal point of view.

          1. AlphaCentauri

            I wasn’t thinking of a single bank taking it upon itself to become the Lone Ranger of cybercrimefighting. I envision a consortium that most banks would belong to and which would be working in close cooperation with federal law enforcement. (Hopefully, this would be a multinational effort, too.)

            Harvesting of offers could be done with spamtrap addresses (addresses seeded in inconspicuous places on the internet for email address harvesting bots to find, but which are not easily found by humans and never used for any legitimate communication). If the scammers send email to such an address saying they found it on monster.com etc., it’s obviously fraud.

            The consortium would create accounts at member banks. Individual banks’ involvement would be limited to flagging those accounts for special monitoring and not allowing any withdrawals.

            The consortium replies to fake job offers after notifying law enforcement. They send thousands of replies from specially created email accounts, and they have investigators that handle email and phone communication with the scammers.

            Once a deposit appeared in a monitored account, the receiving bank would notify the consortium of the source of the transfer. The source bank would be notified (via a high-level banking officer designated for 24 hour availability) and any transfers to accounts not under control of the consortium would be reversed. Banks that do not participate would still be notified, but any transfers from member banks to non-participating banks would automatically be flagged as potentially suspicious and require much more stringent confirmation procedures — especially if a single customer starts transferring funds to multiple non-participating banks.

            Once most banks are participating, the mere existence of this system would discourage this crime. The scammers would have to weed through large numbers of replies just to find any that aren’t from the consortium. Meanwhile, law enforcement would be involved from an early stage, potentially building cooperative relationships with law enforcement in the scammers’ home countries. It might require a congress to pass a law specifically permitting the consortium’s activities, but who’s going to go on record as being opposed?

    1. MGD

      Good post,

      To underscore how mule recruiting is at epidemic levels, here are just a few of the clones of the above sites active in the past 60 days. These are just one of several active themes and represent only the tip of the iceberg:


      1. Altitudegroupli.net
      2. Arvina-groupco.tw
      3. Astra-groupinc.tw
      4. Celerity-group.com
      5. Celerity-groupmain.tw
      6. Element-groupco.tw

      1. Altitude-groupli.com
      2. Asperity-groupmain.tw
      3. Asperitygroup.net
      4. Celeritygroupmain.tw
      5. Element-groupinc.tw
      6. Impact-groupnet.tw
      7. Luxor-groupco.tw –

      1. Magnet-groupinc.cc
      2. Ortex-groupco.tw
      3. Point-groupinc.tw
      4 Fincore-groupllc.tw

      1. Point-groupinc.cc

      1. Fincore-groupinc.tw
      2. Magnet-groupinc.tw
      3. Ortex-gourpinc.tw

      1. Fincoregroupfine.com.tw

      1. Alaniz-groupinc.tw
      2. Target-groupinc.tw

      1. Equity-groupinc.tw
      2. Healthure.com
      3. Wave-groupco.tw
      4. Wave-groupinc.tw


      1. allstongroupinc.tw -404-

      1. Augment-group.com
      2. Fecundagroupllc.tw
      3. Foreaim-groupmain.tw
      4. Optimus-inc.com.tw
      5. Impact-groupnet.com
      6. Synapse-groupfine.net

      1. Augment-groupmain.tw
      2. Augmentgroup.net
      3. Fecunda-groupmain.tw
      4. Infiniagroup-inc.tw
      5. Optimusgroupnet.cc
      6. Fecunda-group.com
      7. Foreaim-group.com
      8. Impact-groupinc.net
      9. Spark-groupsvc.com
      A. luxor-groupinc.tw

      1. Arvina-groupinc.tw
      2. Augmentgroupinc.tw
      3. Foreaimgroupinc.tw
      4. Fecunda-groupmain.net
      5. Foreaimgroup.net
      6. Synapsegroupli.com

      1. Amplitude-groupmain.net
      2. Excel-groupinc.net
      3. Excel-groupsvc.com
      4. Spark-groupinc.net
      5. Tnm-groupmain.tw
      6. Tnmgroupinc.com
      7. Tnmgroupsvc.net

      Nuris-groupinc.ws -suspended


      Not all are/were foreign hosted either. As money mule recruiting operation go, these are only the “low hanging fruit” sophistication wise. There are complex mule recruiting operations which target higher up the due diligence chain. Mule recruiting websites soliciting US business
      partners utilize complex tactics such as seeding to create a business history. Releasing official press releases of business activity is one seeding tactic, an example which was noted in Bobbear.co.uk write up of SantaRex Toys Ltd http://www.bobbear.co.uk/santarex-toys.html Cloning multiple copies of the websites of legit US companies, such as those owned by EMC Corporation, is another tactic designed to defeat mule due diligence. Evidence of how successful these sophisticated tactics are is the fact that in the past year or so two lawyers were duped into becoming cyber-mules for an eastern European crime syndicate. Other mule victims who were alerted, reported that they had the business plan and contract documents reviewed by the legal profession before signing, and the ventures were deemed legit. Careerbuilder.com has repeatedly been named as an initial point of contact by many potential and actual money mules.

      The lack of the mass media industry to focus serious attention on the entire money mule operations, contributes to this epidemic being a “Deer in the headlights” proposition.

      If Brian had not began this ongoing expose, how many of you would have been aware that there was such an organized fraud and money laundering operation embedded within the financial system?.

      The failure of a cohesive plan to address this, has enabled the millions a year to fuel a virtual cyber crime industry that has now embedded itself within the system. Do not think, even for a minute, that this crime industry will now pack up and stop if some procedures are finally implemented to deter it. They are way ahead in the game, and are working on alternate plans to counteract any such impediments.


      1. TheGeezer

        Good info. Thanks for publicly listing the sites involved even if they are “only the ‘low hanging fruit'”.

        I think the game is winnable and publicly chastising the sites involved is a good step in that direction. A strictly ‘defensive’ game on our part will not suffice. We have to beef up our ‘offense’. This blog appears to be the place to get that started.

    2. AlphaCentauri

      And here it is a month later, and personalfincomp.com is still in business. And it’s registered by Yahoo, hardly a rogue registrar. So much for these schemes being so blatantly obvious that even the least educated money mule ought to be held responsible for their involvement.

      1. TheGeezer

        And I notice the “Payment Processing Assistant” job is still available and “hot” and has the same minimum requirements…. basically, 18, still breathing and with a bank account. Not much different than those supposedly legitimate money making schemes advertised in the early morning hours on every cable channel.

  16. Andy

    Perhaps the banks should be getting their security teams together and finding ways that they can beat the bots. After all they are one part of the equation, so they need to be doing something as well. Maybe they are already. Or maybe they can’t be bothered because it is easier to blame the customer and this way it doesn’t affect their profits. Much. Anyone for cash?

    1. TheGeezer

      “Anyone for cash?”

      I can understand your wanting to just drop online banking altogether.

      However, I for one do not want a band of internet sociopaths to destroy the advantages of the internet much like Al-Qaeda has done with the airline industry.

      I think this war is winnable and the approach outlined by AlphaCentauri seems to be a very sensible one. Hopefully, Krebs’ reporting on the damage incurred from this criminal activity will catch the attention of someone with enough influence to get something started.

  17. MessengerBoy

    Businesses should realize that they are expected to be more sophisticated than consumers. It’s high time they realize that they need to be smarter and stop being naive when it comes to online banking. Perhaps banks should test and certify a potential user before allowing them to conduct online activity. (Yeah, like that’s going to happen.)

Comments are closed.