
  International Money Mule Recruitment – Part II - The Recruitment Site 
Posted by Gunter Ollmann on August 15, 2007 at 11:15 PM EDT.

Continuing yesterday’s international money mule theme and the FAQ, I figured it would be worthwhile running through a fairly typical mule recruitment website – in this case, one that appears to have been around for quite some time (which is pretty weird given how quickly phishing sites are normally taken down).

This particular mule recruitment company first came to public attention in December last year, and some historical information can be found on iDeceive’s “Suckers Wanted” blog, but it is still up – materializing under yet another domain name registration.  Welcome to Impex Consult Financial Consulting Group (currently available at www.impexonline.biz).

Impex Consult

Impex Consult Financial Consulting Group claims to have been established in 1994 with offices in over 20 countries offering consulting and financial audits (amongst many other related services), and “was listed among the top ten international audit & consulting companies and is known as a reliable supplier of audit & financial consulting services to a number à leading corporations.” (Zero’s a number isn’t it?)

The site itself probably appears to be legitimate to most visitors.  It even provides the ability to view the site in German, Spanish and French in addition to the default of English (International English – not US English :-)

If you know what the site’s really about, it’s actually kind of amusing.  I found the list of partner certificates and accolades at the bottom of the main page to be quite entertaining – you can hardly tell where they’ve superimposed their company name on top of the pictures.

The giveaway of course can be found on the vacancies page, way at the bottom – below some other job listings such as “Legal Department Specialist”, “Office Manager” and “Marketing Specialist” – it’s time to become a “Transactions Specialist”.

EXPECTATIONS FROM CANDIDATE: 
    * Ability to manage payments between the company and its clients
    * Ability to plan and organize his/her work
    * Ability to contribute 3-4 hours daily.
    * Advanced user skills with PC, Internet, and e-mail.
    * Full legal age.
What We Offer:
    * 10% commission on each transaction.
    * Freedom in planning your work.
    * Part-time is possible.

All you have to do is tell them about yourself and you’ll be listed in their “Candidate Data Bank, if you fill out an application form in the format and fitting in with the content we require”.  However, if you apply for one of those other jobs (Office Manager etc.) you’ll find that Impex Consult “reserve the right to offer a candidate a different vacancy suitable to his/her profile” and probably end up being offered the “Transaction Specialist” role anyway.

Where in the World?

So, where in the world are Impex Consult located?  Well, on the website, they give their details as being in Hong Kong.

(Don’t you just love how all those payment logos are meant to add a certain elegant legitimacy to the site?)

Doing a quick domain registration Whois, I retrieved the following:

Domain Name:                              IMPEXONLINE.BIZ
Domain ID:                                   D16336048-BIZ
Sponsoring Registrar:                    DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID:        303
Domain Status:                              ok
Registrant ID:                                DI_5529681
Registrant Name:                           Impex
Registrant Organization:                 Impex Consult
Registrant Address1:                      11 Pedder St
Registrant City:                             Hong Kong
Registrant State/Province:               Nagasaki
Registrant Postal Code:                   412536
Registrant Country:                        Japan
Registrant Country Code:                JP
Registrant Phone Number:               +008.5230158090
Registrant Email:                            adminov@sovsem.net
Name Server:                                 NS1.MODHOST.RU
Name Server:                                 NS2.MODHOST.RU
Created by Registrar:                      DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar:               DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Domain Registration Date:                Wed Feb 07 14:45:50 GMT 2007
Domain Expiration Date:                   Wed Feb 06 23:59:59 GMT 2008
Domain Last Updated Date:               Mon Apr 09 02:40:56 GMT 2007

You’d do well to notice the following things:

  1. The registrant address and city match the claim on their web site. (Hong Kong, China)
  2. The registrant city, country and country code don’t match their claim. (Nagasaki, Japan)
  3. The telephone number is a +852 number. (Hong Kong, China)
  4. The registrant email address is adminov@sovsem.net, which can be tracked down to a fly-by-night webmail gateway. (Moscow, Russia)
  5. The name servers are located with modhost.ru, a popular Russian ISP. (Moscow, Russia)
  6. It looks like the domain was first registered back in early February this year via PUBLICDOMAINREGISTRY.COM.
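
The cross-checks in the list above can be automated when triaging many suspect registrations. The following is an added example, not code from the original post: it parses a subset of the Whois record shown above and reports which country each location-bearing field points to. The lookup tables and function names are assumptions made for the illustration, and treating a name server's two-letter TLD as a country hint is a heuristic.

```python
import re

# Subset of the Whois record shown above (values from the page; padding kept on two lines).
WHOIS = """\
Domain Name:                              IMPEXONLINE.BIZ
Registrant City:                             Hong Kong
Registrant State/Province: Nagasaki
Registrant Country Code: JP
Registrant Phone Number: +008.5230158090
Name Server: NS1.MODHOST.RU
Name Server: NS2.MODHOST.RU
"""

# Assumed lookup tables, limited to what this record needs.
DIAL_CODES = {"852": "HK", "81": "JP", "7": "RU"}
PLACES = {"hong kong": "HK", "nagasaki": "JP"}

def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (Name Server) accumulate in a list."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so dates survive
        if sep and value.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def phone_country(phone):
    """Map a phone number to a country, ignoring separators and zero padding."""
    digits = re.sub(r"\D", "", phone).lstrip("0")  # '+008.5230...' -> '85230...'
    for n in (3, 2, 1):                            # longest dial code first
        if digits[:n] in DIAL_CODES:
            return DIAL_CODES[digits[:n]]
    return None

def location_signals(rec):
    """Return {field: ISO country code} for every field that implies a location."""
    first = lambda key: rec.get(key, [""])[0]
    signals = {
        "city": PLACES.get(first("Registrant City").lower()),
        "state": PLACES.get(first("Registrant State/Province").lower()),
        "country_code": first("Registrant Country Code").upper() or None,
        "phone": phone_country(first("Registrant Phone Number")),
    }
    for ns in rec.get("Name Server", []):
        tld = ns.rsplit(".", 1)[-1].upper()
        if len(tld) == 2:                          # heuristic: ccTLD as country hint
            signals["name_server"] = tld
    return {k: v for k, v in signals.items() if v}

def inconsistent(rec):
    """True when the location signals point at more than one country."""
    return len(set(location_signals(rec).values())) > 1

if __name__ == "__main__":
    print(location_signals(parse_whois(WHOIS)))
```

Note that the +852 prefix only becomes visible once the dot separator and the padding zeros are stripped, which is why the phone field is normalized before matching.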

(If you want a convenient jump point from which to run all these passive information gathering queries, try the tools section here)

Where is the web server physically hosted?  A quick traceroute reveals that it is a virtual web site hosted at modhost.ru (the same Russian ISP hosting the name servers). Actually, after querying a public database that keeps record of web hosts associated with IP addresses (in this case DomainTools), we see that this particular hosting domain serves up some 325+ virtual hosts – of which www.impexonline.biz is just one.  I wouldn’t be surprised to learn that there are several other clones of the recruitment site hosted within this environment – but under different domain registrations.

One last thing I noticed were the MX records.  According to the DNS records, mail for Impex Consult goes to mail.impexonline.biz.  However, while its IP address resolves to the same modhost.ru host, it appears that SMTP traffic is transparently proxied to a mail server that goes by the name of saturn.bsys-net.ru.

Subsequent investigations into the bsys-net.ru domain start to get pretty messy - including registration details claiming origins of “Limited Liability Company Bank"s Systems” with phone numbers prefixed with Kazakhstan dialing codes and cyclic references to the domain bsys.ru.  Perhaps the most interesting visible aspect is the fact that these domains were registered mid-November 2006, about the same time that the original recruitment spam for Impex Consult first started to appear – coincidence?  It’s probably also worth noting that the web sites associated with these domains have been up for quite some time, and are still “under construction”.

Conclusions

So, what can I say in conclusion?  I guess the most important takeaways from this sample analysis are:

  1. Mule recruitment sites are designed to instill a feeling of legitimacy and often take great care to disguise the true nature of the “company”.
  2. The companies portrayed within the various web sites hang around for much longer than their phishing counterparts, and keep on cropping up under alternative domain registrations for many months.  In fact some mule recruitment sites located in more exotic locations have been around for years.
  3. Divining who the people are behind the scam is pretty difficult – if not impossible.  Fake and misleading domain registration details, combined with web and mail hosting from fly-by-night ISPs in faraway lands, make it pretty difficult for anyone but law enforcement backed by international collaborative agreements.

All in all, if it sounds too good to be true, it probably is.

     
    Copyright 2001-2007 © Gunter Ollmann