March 17, 2020

With many people being laid off or working from home thanks to the Coronavirus pandemic, cybercrooks are almost certain to have more than their usual share of recruitable “money mules” — people who get roped into money laundering schemes under the pretense of a work-at-home job offer. Here’s the story of one upstart mule factory that spoofs a major nonprofit and tells new employees they’ll be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

On the surface, the Web site for the Vasty Health Care Foundation certainly looks legitimate. It includes various sections on funding relief efforts around the globe, explaining that it “connects nonprofits, donors, and companies in nearly every country around the world.” The site says it’s a nonprofit with offices based in Nebraska and Quebec, Canada.

The “Vasty Health Care Foundation” is one of several fraudulent Web sites that recruit money mules in the name of helping Coronavirus victims. The content on Vasty’s site was lifted almost entirely from globalgiving.org, a legitimate charity that actually is trying to help people affected by the pandemic.

“We have been contacted by job seekers asking if we are related to some of these job opportunities they’ve been finding on Indeed.com and Monster.com,” said Kevin Conroy, chief product officer at GlobalGiving. “And we always tell them no that’s not from us, and not to cash any checks someone may be giving them in relation to those offers.”

The Vasty domain — vastyhealthcarefoundation[.]com — was registered just weeks ago, although the site claims its organization has been around for years.

The crooks behind this scheme also seem to have submitted the Vasty name in custom links at vetting sites like The Better Business Bureau and Guidestar that ultimately take one to a summary of data on GlobalGiving. No doubt this is part of an effort to lend legitimacy to the Vasty name (hovering over the links above reveals the trickery).

What proof is there that Vasty isn’t a legitimate charity? None of the dozens of Canadian mules contacted by this author responded to requests for comment. But KrebsOnSecurity received copious amounts of information about this scam from Milwaukee, Wisc.-based Hold Security, which managed to intercept key file exchanges between threat actors through public file sharing services.

Among those files were a set of form letters and boilerplate email messages that describe the ideal candidate for the job at Vasty and welcome new recruits to the Vasty payroll. Here’s a look at part of the job description, which includes (not pictured) a description of the healthcare plans and other benefits allegedly offered to Vasty employees.

After congratulating applicants (everyone who applies is “hired”) on their new positions, Vasty asks the recruits to do some busy work. In this case, new hires are sent to local pharmacies on some bogus errand, such as to inspect the pricing of face masks and hand sanitizer products for price-gouging.

“Now we have the first task for you. You will have to perform a trip within your city. So that we can compensate for transportation costs along with your hourly rate, I ask you to keep receipts confirming your expenses.

LOCATION: Sam’s Geneva Street Pharmacy

ADDRESS:  284 Geneva St, St. Catharines, ON L2N 2E8

I ask you to go to the pharmacy at the specified address. We are increasingly receiving reports of private sellers violating the pricing policy for products such as: aspirin, face masks are loose surgical masks with elastic loops that go around the ears, hand sanitizers.”

New recruits are then asked to assemble and submit a written report of their observations at the store in question.

These types of menial, meaningless tasks are a typical tactic of money mule recruitment schemes and they serve two main purposes: They separate out slackers from people who really need and want a job, and they help the employee feel like he’s doing something useful and legitimate (aside from just moving money around, which if brought up too soon might make him question whether the job is legit).

Eventually, after successfully completing one or more of these busy work tasks, the new hire is asked to process a “donation” from someone who wants to help fight the Coronavirus outbreak:

“Please read the instructions carefully. One donor wants to make donations to help fight the coronavirus. As you know, this is a big problem for most countries of the world. Every day we receive information from the World Health Organization that more and more people are sick. Quite a lot of people died from this virus. Some people simply don’t have enough funds to provide themselves with standard face masks and disinfectants to fight the virus.”

“The donor requests that Bitcoins be bought with his funds. For this task, you need to create your Bitcoin wallet, or use the QR code that we send you in this letter. You will receive from the donor up to 3000 CAD. Your commission up to 150 CAD will be included in this amount to cover your expenses. I remind you that you do not need to use your funds to buy bitcoins. The funds will be sent to you. You will need to receive cash atm or at your bank branch.”

What happens next is the employee then receives an electronic transfer of money into his bank account, is asked to withdraw the cash, and to keep 150 Canadian dollars for himself. He’s then instructed to take the remainder of the funds to a Bitcoin ATM and scan an emailed QR code with his mobile phone. This causes the cash he deposits into the Bitcoin ATM to be sent in an irreversible transaction to a Bitcoin wallet controlled by the scammers.

What’s going on behind the scenes is the funds that get deposited in the employee’s account are invariably stolen from other hacked bank accounts, and the employee is merely helping the crooks launder the stolen money into a form of payment that can’t be reversed.

Another boilerplate email intercepted by Hold Security shows Vasty’s new hires manager offering advice to employees who are asked by nosey bank employees about the nature of the funds withdrawal.

“Important: If you receive any questions from the bank regarding the purpose of the payment, you can open part of the instructions if necessary and inform that these funds are intended for payment of medicines. In any case, it is a personal payment and it will not be taxed. However, I strongly recommend that you not divulge the rest of the instructions for paying for medicines against coronavirus so as not to aggravate panic among the population.”

Americans shouldn’t feel left out of the scam: Hold Security founder Alex Holden says his analysts also intercepted a nearly identical set of scam templates targeting job seekers in the United States.

Money mule scammers specialize in hacking employer accounts at job recruitment Web sites like Monster.com, Hotjobs.com and other popular employment search services. Armed with the employer accounts, the crooks are free to search through millions of resumes and reach out to people who are currently between jobs or seeking part-time employment.

If you receive a job solicitation via email that sounds too-good-to-be-true, it probably is related in some way to one of these money-laundering schemes. Even if you can’t see the downside to you, someone is likely getting ripped off. Also, know that money mules — however unwitting — may find themselves in hot water with local police, and may be asked by their bank to pay back funds that were illegally transferred into the mules’ account.

Overall, Holden said, established cybercriminals who specialize in recruiting and grooming money mules for financial crimes have been cooing of late over the potential glut of new mules. One mule vendor on a popular Russian-language crime forum posted Tuesday that his “drops” — the hacker slang term for money mules — weren’t scared of Coronavirus concerns.

“We got drops in masks!,” one vendor proclaimed.

“We continue to work despite the Coronavirus,” declared another drops vendor.

Any readers interested in helping others affected by the Coronavirus outbreak should consider giving through the organization Vasty is impersonating here: GlobalGiving. Alternatively, these two stories link to a number of other reputable organizations facilitating Coronavirus relief efforts.


19 thoughts on “Coronavirus Widens the Money Mule Pool”

  1. The Sunshine State

    Another great informative article!

  2. Nobby Nobbs

    Thanks, Brian!

    The depths to which folks will sink…

    Incidentally, that Kevin Conroy, chief product officer at GlobalGiving, sounds like a real super-hero!

  3. Paul Mikol

    “The donor requests that Bitcoins be bought with his funds. For this task, you need to create your Bitcoin wallet, or use the QR code that we send you in this letter.”

    Sure OK by all means let us help the poor donor out… What a joke…

    FFS I don’t mean to be rote here but WTF is wrong with people…??

    Irony here is that in the spirit of trying to pay bills in between software development contracts (that of course take a good couple of months to actually come to fruition after the x number of HR then technical phone interviews), today would have been my 2nd week doing great in a decent restaurant job but as of today here in Austin, TX all bars and restaurants are closed due to COVID except for takeout/delivery….

    Naturally as a developer my optimistic nature immediately began entertaining the possibility that maybe remote/telecommuting dev opportunities may become more available given the COVID climate… But you can bet that while I have plenty of enough technical experience to not have to YET resort to any blatant “work from home scheme”, thanks to this article I’m now going to be making sure to take a good hard second-look at any postings that purport to be valid remote/telecommuting professional software development gigs regardless of whether or not they mention anything about COVID…

    Thank you yet again Cyberhero Krebs

  4. Jason

    Gotta scam the scammers. Keep the entire deposit 🙂

    1. Ryan

      Not recommended. Will have to provide some information linked to your Bank Account, even if it’s an anonymous e-mail usually full names are provided to the remitter, or at the very least, you’ll have some experienced social engineers targeting you. Don’t think you want these people coming after you.

      1. Vog Bedrog

        Not to mention being in receipt of stolen funds and there being a victim out there.

    2. Anonymous Coward

      The crooks don’t care, it’s not their money. You won’t be able to keep it, when the victimized business notices that the money was removed fraudulently, the bank will take the money out of your account.

  5. JimV

    There’s truth in that trite old saw about “a fool and his money are soon parted”…and far too many with fewer scruples that help to leverage what they can (to their advantage, of course) from anyone foolish enough to bite. There is some humor in the rare WTF? inventiveness of a grifting sender’s postulated story on occasion, but the vast majority are simply dross — and not at all credible, or many even reasonably close. Don’t be stupid, or foolish.

  6. Voldey

    It’s in Canada? I’m right if it’s an e-mail money transfer?
    The receiver will confirm, right?

  7. JCitizen

    Bit coin ATM?! WOW!! I never knew such a thing existed! But then I’m ignorant on all things Bit Coin.

    1. CWoj

      Actually we were in Vegas recently, there’s a funny-named convenience chain there named “Terribles”, they were advertising a Bitcoin ATM, which was next to the regular ATM. For the gamblers, I guess…

    2. Simon Smith

      Oh yes, I have 3 cases already of blatant theft and fraud, and the vehicle of transfer from the banks seems to be BTC ATM’s. It is kind of silly actually as BTC is not fully anonymous. Where they succeed is in the unwillingness and incompetence of law enforcement.

  8. RFC Financial Planners

    I am very sad to see that some people are trying to make money on the coronavirus. Such is society now. Yes, everyone thinks only of himself. Coronavirus infection is indeed significantly more dangerous than the flu for sick people and people over 60 years old. Children and young patients usually tolerate the infection easily, often without any symptoms. Yes, there will be deaths from the coronavirus: thousands or even tens of thousands. How will deaths from terrorist attacks, tobacco, seatbelts, depression, other infections … I do not want to say that this is the norm, but why many information portals are trying to reignite panic in this regard. Good luck!

  9. Jem Shaw

    An excellent, articulate and thought-provoking article, and reminder that, not only are these scammers shamelessly unscrupulous, they’re also clever and fast on their feet. The Ethical Payments Foundation is eager to partner with organisations that can help increase transparency and seal up the holes through which these creatures squirm. Brian, I’d like to invite you to connect with us – your expertise and insight would be greatly welcomed.
    Thank you,
    Jem

  10. Simon Smith

    As always, great work Brian. I am seeing an increase in white collar crime as well. Personally, I am not shocked at how weak and unprepared business, government and consumers are.

    Sadly, I know it is easy to say after the fact, but education basic principles of security as a whole are evidently lacking no matter how much advice people easily dismissed in the past.

    Now, to fight these terrors we need unity and persistence and I’m confident we will get there.

  11. Heidi Diederich

    Hello,
    I was contacted by the creator of Vasty Health under their new name. Should I report it to the police?
