International Money Mule Recruitment – Part I – The FAQ : 2007 : Frequency-X Blog
My suspicion that not many people know what a money mule is has definitely been confirmed these past couple of weeks, based upon the number of queries I’ve had about last month’s posting on the topic. So, this evening I figured I’d do two things – write up a short FAQ about the money mules, and walk through an example mule recruitment web site (this will go up tomorrow as a separate blog entry).

Money Mule FAQ

How long have these mules been around?

I don’t have any hard figures on this (if you do, drop me an email, I’m interested in knowing more), but I’d assume that mule recruitment became increasingly important to phishers once the main retail banks aggressively started closing down or greatly limiting their online international transfer functions. Most consumer banking sites that I’m familiar with (or have pentested in the past) no longer allow same-day international transfers. This would hint to me that money mule recruitment has been around since the turn of the millennium.

How do phishers recruit their mules?

The most common way is through spam-based enticements. If you do a quick reconnoiter of your own spam caches, you’ll most likely find that between two and five percent of it contains “get rich” messages or “work from home” jobs – many of which are in fact mule recruitment posts. A lot of these spam messages drive you towards commercial-looking recruitment sites – carefully disguised to look like legitimate businesses.

Why do people become mules?

I guess it depends upon who they are. Since these recruitment sites often sound legitimate, with roles such as “online account manager” and “transaction specialist”, many people believe that they are in fact working for a real company – earning a little money on the side to complement their full-time job or pension, or for some quick cash while studying.
On the other hand, I also hear that some people (even though they suspect that things aren’t really legitimate) take the risk because they don’t expect to be prosecuted for it – after all, they’re not the ones actually stealing the money, right? Naiveté isn’t a defense under law.

How long do the mules last?

That really depends on how sophisticated and knowledgeable the phishing crew is, how good the automated fraud detection systems are at the bank, and how quickly any victims raise the alarm on their account. Most banks have pretty sophisticated fraud detection systems, and it doesn’t take a genius to see that an automatic algorithm that detects lots of intra-bank transfers from accounts that don’t normally do transfers, to other accounts that don’t have a history of receiving intra-bank transfers, is probably going to be a fairly reliable hint that something isn’t quite right. Estimates range from a few days to a few weeks before the mule account is detected and deactivated. From then on it depends on how the bank plans to deal with the money mule – i.e. recover the money and/or prosecute.

Is mule recruitment on the increase?

Given facts such as spam being on the increase, the percentage of spam that is phishing-related, the increased sophistication of automated phishing deployment kits, the percentage of recruitment-based spam, and the way automated fraud detection systems work, the simple answer is YES – it has to be. Phishing is a professional organized crime. While the banks have honed their fraud detection systems, the phishers appear to have adopted transfer strategies designed to stay below the banks’ radar – often necessitating smaller intra-account transfer values (e.g. a few hundred instead of thousands of dollars) and distributing them over many more mule accounts – which has meant that the demand for mules is increasing, which has in turn driven an increase in recruitment sophistication (and bulk solicitation).
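The detection heuristic described under “How long do the mules last?” (transfers from accounts that don’t normally send, to accounts with no history of receiving) can be sketched as follows; this is an added example, not code from the original post or from any bank’s system. The record layout, the sample transfers, the baseline window and the `min_senders` threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real accounts): intra-bank transfers as
# (day, sender, recipient, amount). This record layout is an assumption.
TRANSFERS = [
    # Baseline period (days 1-30): establishes who normally sends/receives.
    (3, "acct-100", "acct-200", 1200),
    (10, "acct-100", "acct-200", 1200),
    (12, "acct-300", "acct-100", 50),
    # Scoring period (day 31 onward).
    (31, "acct-100", "acct-200", 1200),  # established pair: ignored
    (32, "acct-401", "acct-900", 300),   # new sender -> new recipient
    (32, "acct-402", "acct-900", 250),
    (33, "acct-403", "acct-900", 350),
    (33, "acct-404", "acct-200", 80),    # recipient has receive history
    (34, "acct-300", "acct-901", 500),   # sender has send history
    (35, "acct-405", "acct-902", 200),   # new/new, but a single sender
]


def flag_possible_mules(transfers, baseline_end, min_senders=2):
    """Return {recipient: (sorted senders, total amount)} for recipients with
    no receive history that are paid by >= min_senders accounts with no send
    history. baseline_end and min_senders are hypothetical tuning knobs."""
    has_sent, has_received = set(), set()
    senders = defaultdict(set)
    totals = defaultdict(int)
    for day, sender, recipient, amount in sorted(transfers):
        if day <= baseline_end:
            # Build the history of normal behaviour from the baseline window.
            has_sent.add(sender)
            has_received.add(recipient)
        elif sender not in has_sent and recipient not in has_received:
            # Atypical on both sides, regardless of how small the amount is.
            senders[recipient].add(sender)
            totals[recipient] += amount
    return {
        r: (sorted(s), totals[r])
        for r, s in senders.items()
        if len(s) >= min_senders
    }


if __name__ == "__main__":
    for acct, (srcs, total) in flag_possible_mules(TRANSFERS, 30).items():
        print(f"{acct}: {len(srcs)} first-time senders, total {total}")
```

Because the rule keys on account history rather than on amount, the three small transfers into the constructed account `acct-900` are grouped and flagged even though each is only a few hundred.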
What happens when the mule gets caught?

That really depends upon the bank. I’ve heard many things, but basically the first thing the bank will do is freeze the mule’s bank account and attempt to return the phishing victim’s money. If the mule’s account has enough money in it to cover any previously transferred funds (i.e. the mule already had an account with the bank with their own personal money in it), they’ll use that to pay back the victims (i.e. the mule is now out-of-pocket). If they can’t, or they suspect that the mule intentionally/knowingly engaged in the money laundering process, that’s when law enforcement gets brought in (or the bank may have a policy to always engage law enforcement for any kind of customer fraud). One of the problems, though, lies with the number of mules being caught and the (often) low money values of the crime (i.e. the anti-fraud systems are pretty good) – which means it can become increasingly burdensome for the bank and/or law enforcement to prosecute.