13 Sep 10

A One-Stop Money Mule Fraud Shop

A recent chat with an individual who was almost tricked into helping organized criminals launder thousands of dollars stolen through e-banking fraud introduced me to one of the most clever and convincing money mule recruitment Web sites I’ve ever encountered. Through the use of images stolen from legitimate Web sites and well-placed video and interactive content, this bogus work-at-home job site may become a model for mule recruitment scams to come.

Training to be a "financial agent," a.k.a. a "money mule."

Money mules are people willingly or unwittingly lured into helping crooks launder stolen funds, usually through work-at-home job scams. Reshipping mules are sent goods and asked to reship them to addresses abroad, or are sent money and asked to purchase goods and then ship them overseas. In both jobs, the mule usually earns a commission for his or her work (either a fixed percentage of the transfer or permission to keep one of the purchased goods), but both are usually cut loose before they see their promised paychecks.

A mule who spoke with KrebsOnSecurity.com on condition of anonymity said he was recruited as a financial agent by Lydon Online, which communicated with him via Web-based e-mails (see image directly below), as well as via cell phone text messages.

The mule, whom we’ll call “Jeremy,” ignored instructions to supply his bank account information in preparation for receiving deposits from Lydon Online. That’s because shortly after signing up with Lydon, Jeremy learned that another company which also had hired him for a work-at-home job as a financial agent had tried to send him nearly $10,000 stolen from a Pennsylvania dental practice that was robbed of many times that amount last month (the dental office also agreed to speak to me on the condition of anonymity).

You need a valid set of credentials to see some of the more interesting sections of mycareerjob.net, but the site’s designers did a superb job making it look legitimate. Included on nearly every page are pictures of fellow “employees,” and exemplary trainees, which are really just photos lifted from dozens of random Web sites. Among my favorite areas of the site is the Agent Awards section, which includes a couple of photos swiped from Travel Weekly.

In a section touting the beauty of working remotely via the Internet, mycareerjob.net sings the praises of an alternate reality game called Second Life, promising recruits that they will soon have the opportunity to interact with clients via Second Life.

The part of the site that really takes the cake is the interactive “agent training” video, which uses a computerized voice and images from the cult hacker film The Matrix to walk new recruits through the daily routine of a reshipping mule. Click on the embedded YouTube.com video below to watch the training message. A transcript of the instructions contained in the video is available at this link.


29 comments

  1. Whether the images are stolen or not – this is very professional work and without any of the usual English mistakes. While the former might not be a problem for some Ukraine-based gang, the latter certainly is. The texts are *not* stolen and sound sane (at least until you realize that they don’t actually say anything). I wonder whether some US web agency was hired to do the work.

  2. That’s a very well crafted web site – great – apart, of course, from the intent – use of Joomla CMS!

  3. Brian,

    I read your former Washington Post column for years, and now your new site. I especially appreciate the software update reminders (Adobe Reader, Flash, Java etc.)

    Thought you might be interested in a spam e-mail received yesterday. I hope nobody is dumb enough to follow the instructions, even with the shaky English.

    Have quoted entire message below.

    Regards,

    Ken

    From: Google Mail
    To:
    Date: Sun, Sep 12, 2010 at 9:22 PM
    Subject: Notice: from Gmail Database Team

    The new search-based webmail service offers built-in Google search that instantly finds any message you want and Powerful spam protection using innovative Google technology. It is a mandate for all Google Users to register their account on the new webmail software data. Your domain Login will be needed to verify your account and to make a correspondence on the webmail data service.

    Login Name:
    Password:
    Nationality:

    Failure to provide the information above within Seven days is at Owner’s risk. Your account will be shut down permanently.

    Google Incorporation®.

    • Ken, I got one of these a little over a week ago. It wasn’t exactly like yours, but it said the Google GMail Data Base Team needed to refresh its data base, and if I didn’t provide…exactly as you print it above…my ID Google would terminate my account.

      I discovered Google doesn’t have a contact for fraud, so I called a computer knowledgeable friend and she sent it to Google. I am a cybernewbie but my reaction to that was ‘WtF, I don’t THINK so. If this is really Google, I’m moving out.’

  4. Noticed the site is still using the joomla logo for their favicon … oops! A couple minor grammatical errors as well, but it does look sharp. Agree with the comment above though – the site really doesn’t ‘say’ anything.

  5. The voice-over sounds computer-generated, not human.

    • Who said they were human voices?

      from the story above: “the interactive “agent training” video, which uses a computerized voice and images from the cult hacker film The Matrix…”

  6. As always, great article. Thanks, Krebs.

  7. I have to agree with most comments about this post. The site looks OK, but says nothing. I guess the Matrix image will either attract or repel potential mules. However, as I have said before, the potential employee (i.e. the mule) still needs to decide whether or not it meets the smell test.

  8. This site doesn’t ‘say anything’ to tech savvy security hobbyists. That’s not its target market! It’s aimed @ unsophisticated folk, perhaps not as smart as they believe themselves to be. (Hey that’s quite a few of us at least some of the time!) Combine that with financial desperation and the site does its intended ‘work’ quite well.

    • Ha! I’m not one of those ‘tech savvy security hobbyists.’ That is why I read Brian’s work! The site’s pitch says nothing. It comes down to commonsense. If you can’t call the company, talk to someone or even identify its address – something’s wrong. Why would anyone need someone else to buy something from Apple? Apple’s Website is well publicized around the world. If they did, then that’s the point where I would need to speak with someone at the company. If the mule believes it’s that easy, then he or she gets whatever comes down the pike. No one is that unsophisticated! Haven’t they learned anything from those Barristers allegedly based in the African nations? The Internet is not all sunshine.

  9. As the manager of a HelpDesk serving 250 users I can attest to the fact that people will sign up for that. Anyone who has worked with large numbers of people in a support role will recognise that scams like these need not be complicated nor well done to work (“here you have” is but one example…).

    Social engineering is a very powerful tool.

  10. The page referenced by “Agent Awards section” is no longer available.
    In fact the entire domain used for this scam, mycareerjob.net, registered with GoDaddy, seems to be unavailable now.

    • I’m not sure if it’s really dead. The nameservers are GoDaddy’s and it’s hosted on a GoDaddy IP. It shows an “under construction” page. But the domain is still listed as owned by DomainsByProxy, not GoDaddy. DomainTools shows that although the site was registered nearly a year ago, it’s always been on the same IP address. It could be a live domain that just happens to use GoDaddy for both registration and hosting.

      It’s a similar situation with myofficejob.net. If you search Google, you can see it used to have the same content, but is now parked. But the domain is still owned by DomainsByProxy. In that case, DomainsByProxy even lists a contact email for the domain owner. (They gave their own email address for the other domain, suggesting that it was not in good standing.) It’s possible the domain owner still controls one or both domains and can un-park them any time.

      • My understanding is that DomainsByProxy is owned by GoDaddy and is set up for the purpose of hiding the registrant’s information. I can understand that there may be legitimate reasons for doing this, for example politically sensitive sites. However, it is also a great way to hide sites dedicated to money laundering.

        Even though GoDaddy states: “But don’t even think about using our services to spam, violate the law or engage in morally objectionable activities”, it is clear that not only have their clients thought about it, they have successfully set up sites using their service to help steal money from small businesses, universities, churches and charities.

        • I didn’t realize GoDaddy owned DomainsByProxy.

          But I still think that if GoDaddy parked the domains due to abuse — rather than putting them on clientHold and shutting it down altogether, as many registrars do — they would change the whois to show GoDaddy as the owner of the domains. And the contact email would be changed to something like “domains@GoDaddy.com,” not “myofficejob.net@domainsbyproxy.com.”

          That’s what makes me suspect that myofficejob.net and mycareerjob.net are just “playin’ possum” until the publicity settles down.

          • Yes, I’m sure they are playing possum and will be back. GoDaddy obviously knows who the real registrants are. And following DomainsByProxy’s motto: “Your Identity is nobody’s business but ours”, their identity will be protected.

            I just wonder if their motto could be legally interpreted to mean: “Responsibility for your criminal actions is also ours as well as yours”.
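The thread above turns on a practical question: when a reported scam domain goes to an “under construction” page, did the registrar actually pull it (a hold status, or the registrar swapping itself in as registrant), or is the owner just parking it behind a privacy proxy and waiting? The following is an added example, not code from KrebsOnSecurity or any commenter, that triages WHOIS dumps along exactly those lines. GoDaddy, DomainsByProxy and the per-domain address pattern myofficejob.net@domainsbyproxy.com are taken from the comments; every other value in the sample records is a constructed placeholder, and the hold and registrar-seized records are hypothetical cases built to show the other branches.

```python
"""Triage WHOIS dumps for domains reported as mule-recruitment sites.

Added example; not code from the post or its commenters. Sample WHOIS
texts are CONSTRUCTED; only the registrar/proxy names come from the thread.
"""
import re
from dataclasses import dataclass, field

# EPP status codes meaning the registrar/registry took the domain out of DNS
# (a real takedown), as opposed to the owner merely parking it.
HOLD_STATUSES = {"clienthold", "serverhold"}

# Privacy-proxy registrant organisation named in the thread (others can be added).
PRIVACY_PROXY_ORGS = ("domains by proxy", "domainsbyproxy")


@dataclass
class WhoisAssessment:
    domain: str
    statuses: list
    registrant: str
    contact_email: str
    verdict: str
    reasons: list = field(default_factory=list)


def _field(text, name):
    """Value of the first 'Name: value' line in a WHOIS dump, or '' if absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.+?)\s*$", text, re.I | re.M)
    return m.group(1) if m else ""


def _statuses(text):
    """All EPP status codes: 'clientHold https://icann.org/...' -> 'clienthold'."""
    found = re.findall(r"^\s*Domain Status\s*:\s*(.+?)\s*$", text, re.I | re.M)
    return [s.split()[0].lower() for s in found]


def assess_whois(text):
    """Decide whether a reported domain is really gone or only dormant."""
    domain = _field(text, "Domain Name").lower()
    registrar = _field(text, "Registrar")
    registrant = _field(text, "Registrant Organization")
    email = _field(text, "Registrant Email").lower()
    statuses = _statuses(text)
    reasons = []
    # "GoDaddy.com, LLC" -> "godaddy.com": enough to spot the registrar listed as registrant
    registrar_key = registrar.lower().split(",")[0].replace(" ", "")
    registrant_key = registrant.lower().replace(" ", "")

    if HOLD_STATUSES & set(statuses):
        verdict = "suspended"
        reasons.append("hold status present: registrar/registry removed the domain from DNS")
    elif registrar_key and registrar_key in registrant_key:
        verdict = "registrar-seized"
        reasons.append("registrar is now listed as the registrant")
    elif any(p in registrant.lower() for p in PRIVACY_PROXY_ORGS):
        if email.startswith(domain + "@"):
            verdict = "owner-dormant"
            reasons.append("proxy still forwards to a per-domain mailbox; owner can unpark at will")
        else:
            verdict = "proxy-flagged"
            reasons.append("proxy shows its own address instead of a per-domain mailbox")
    else:
        verdict = "owner-unmasked"
        reasons.append("no hold and no proxy: registrant details are visible")
    return WhoisAssessment(domain, statuses, registrant, email, verdict, reasons)


# CONSTRUCTED WHOIS dumps; the *.example records are hypothetical cases.
SAMPLE_RECORDS = {
    "myofficejob.net": """\
Domain Name: MYOFFICEJOB.NET
Registrar: GoDaddy.com, LLC
Registrant Organization: Domains By Proxy, LLC
Registrant Email: myofficejob.net@domainsbyproxy.com
""",
    "mycareerjob.net": """\
Domain Name: MYCAREERJOB.NET
Registrar: GoDaddy.com, LLC
Registrant Organization: Domains By Proxy, LLC
Registrant Email: support@proxy-desk.invalid
""",
    "held.example": """\
Domain Name: HELD.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientHold https://icann.org/epp#clientHold
Registrant Organization: Example Registrant Ltd
Registrant Email: owner@held.example
""",
    "seized.example": """\
Domain Name: SEIZED.EXAMPLE
Registrar: GoDaddy.com, LLC
Registrant Organization: GoDaddy.com, LLC
Registrant Email: domains@godaddy.com
""",
}


def triage_all(records=SAMPLE_RECORDS):
    """Map each domain to its verdict; suitable for a periodic watch-list sweep."""
    return {name: assess_whois(text).verdict for name, text in records.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        a = assess_whois(text)
        print(f"{name:18} {a.verdict:17} {'; '.join(a.reasons)}")
```

The “owner-dormant” verdict is the one the commenters are arguing about: a proxy that still forwards to a per-domain mailbox, with no hold status and the registrar not listed as registrant, means the operator can un-park the site whenever the attention dies down, so it belongs on a watch list rather than a “resolved” list.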

  11. The video is hilariously bad! Every time the robotic voice would say “Agent Preparation”, it made me immediately think of Preparation H!!! 😛

    The fact people would still fall for this speaks more to a general lack of critical thinking skills than anything else!

    “The list of core critical thinking skills includes observation, interpretation, analysis, inference, evaluation, explanation and meta-cognition.”

    • >The fact people would still fall for this speaks more to a
      >general lack of critical thinking skills than anything else!

      It’s part of their filtering scheme, so they only have to deal with certain types of people. And like spam, as long as their success rate is greater than 0 they can make up the difference by just pumping out more emails – if 99.9% of people would never fall for this then their supply of suckers is still nearly unlimited.

      • True, there will always be those who fall for these scams regardless. But, it just feels like there are more who do these days than in the past. It may just be a numbers game as there are a lot more people now comprising that .1%. It could also be that what we refer to as common sense isn’t so common anymore!

  12. Hey, guys, the man in the image, Agent Smith, is a BAD GUY! Doesn’t that give you a clue???

  13. One wonders why an individual, upon realising that this is a money laundering / stolen goods scam, doesn’t simply keep the goods or money.

    I realise this means they would be guilty of receiving stolen goods and/or breaking money laundering laws, depending on the country; however, I hardly think the wronged party (i.e. the fraudsters) will want to bring charges, nor attract the attention of the authorities…

  14. It appears there is another money mule site under development using the domain bestfincareerDOTcom, registered with NAME.COM LLC (www.name.com).

    Although the site is not yet developed, the domain name and the fact that this domain resolves to a fast-flux server which references the same host sites as those used by ZEUS botnets to deliver the ZEUS trojan as “tax-statement.exe”, leads me to believe that this will be another money mule recruitment site.

    Maybe in these hard economic times, ZEUS is trying to reduce expenses by consolidating the trojan delivery and mule recruitment on the same sites.
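The commenter’s signal, a not-yet-built domain that already sits on fast-flux infrastructure shared with trojan delivery hosts, can be checked from passive-DNS or resolver logs. The following is an added example, not code from the post or the commenter: it scores a domain for fast-flux behaviour (many distinct A records spread across several /24 networks, all with short TTLs) and reports which IPs it shares with a list of known delivery hostnames. Only bestfincareer.com comes from the comment; the log lines, the IPs (documentation ranges), the TTLs and the delivery hostnames are constructed placeholders. The /24 diversity test is what keeps an ordinary CDN, which also rotates short-TTL addresses but within one network block, from being flagged.

```python
"""Fast-flux scoring and infrastructure overlap from resolver logs.

Added example; not code from the post or the commenter. SAMPLE_LOG is
CONSTRUCTED: timestamp, queried name, A record, TTL.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    ts: str
    qname: str
    ip: str
    ttl: int


# Constructed records: a fluxing recruitment domain, a delivery host sharing
# three of its IPs, a static site, and a CDN edge that rotates inside one /24.
SAMPLE_LOG = """\
2010-09-13T10:00:00Z bestfincareer.com 198.51.100.17 300
2010-09-13T10:05:00Z bestfincareer.com 203.0.113.88 300
2010-09-13T10:10:00Z bestfincareer.com 192.0.2.41 300
2010-09-13T10:15:00Z bestfincareer.com 198.51.100.200 300
2010-09-13T10:20:00Z bestfincareer.com 203.0.113.9 300
2010-09-13T10:25:00Z bestfincareer.com 192.0.2.130 300
2010-09-13T10:00:00Z delivery-host-a.example 203.0.113.88 300
2010-09-13T10:05:00Z delivery-host-a.example 192.0.2.41 300
2010-09-13T10:10:00Z delivery-host-a.example 198.51.100.200 300
2010-09-13T10:00:00Z static-bank.example 192.0.2.10 86400
2010-09-13T11:00:00Z static-bank.example 192.0.2.10 86400
2010-09-13T10:00:00Z cdn-edge.example 198.51.100.1 60
2010-09-13T10:01:00Z cdn-edge.example 198.51.100.2 60
2010-09-13T10:02:00Z cdn-edge.example 198.51.100.3 60
2010-09-13T10:03:00Z cdn-edge.example 198.51.100.4 60
2010-09-13T10:04:00Z cdn-edge.example 198.51.100.5 60
2010-09-13T10:05:00Z cdn-edge.example 198.51.100.6 60
"""


def parse_log(text):
    """Parse whitespace-separated 'ts qname ip ttl' lines; blank/# lines ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname, ip, ttl = line.split()
        records.append(Resolution(ts, qname.lower(), ip, int(ttl)))
    return records


def prefix24(ip):
    """'198.51.100.17' -> '198.51.100' (the network block the host sits in)."""
    return ".".join(ip.split(".")[:3])


def flux_profile(records, domain):
    """Distinct IPs, distinct /24s and the largest TTL seen for one name."""
    ips = {r.ip for r in records if r.qname == domain}
    ttls = [r.ttl for r in records if r.qname == domain]
    return {"ips": len(ips),
            "prefixes": len({prefix24(ip) for ip in ips}),
            "max_ttl": max(ttls) if ttls else None}


def is_fast_flux(records, domain, min_ips=5, min_prefixes=3, max_ttl=600):
    """Flux = many addresses, across several networks, all with short TTLs.

    The /24 requirement is what separates flux from a CDN rotating addresses
    inside one block; thresholds are assumptions to tune for your telemetry.
    """
    p = flux_profile(records, domain)
    if p["max_ttl"] is None:
        return False
    return p["ips"] >= min_ips and p["prefixes"] >= min_prefixes and p["max_ttl"] <= max_ttl


def shared_infrastructure(records, domain, delivery_hosts):
    """IPs the domain has in common with each known malware-delivery hostname."""
    by_name = defaultdict(set)
    for r in records:
        by_name[r.qname].add(r.ip)
    return {h: by_name[domain] & by_name[h]
            for h in delivery_hosts if by_name[domain] & by_name[h]}


def triage(records, candidates, delivery_hosts):
    """One line of evidence per candidate: flux verdict plus shared hosting."""
    return {d: {"fast_flux": is_fast_flux(records, d),
                "shared_with": shared_infrastructure(records, d, delivery_hosts)}
            for d in candidates}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, info in triage(recs, ["bestfincareer.com", "cdn-edge.example",
                                    "static-bank.example"], ["delivery-host-a.example"]).items():
        print(name, info)
```

A domain that is both fluxing and overlapping with delivery hosts is worth blocking before it has any content at all, which is exactly the situation the comment describes; a flux-only hit should be reviewed against known CDN ranges first.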

  15. Addendum: The site was unregistered 1 hour after I posted the above comment.

    Oh yeah, somebody got spooked by your post and unregistered the whole thing, you dumbass.