International Money Mule Recruitment – Part II - The Recruitment Site : 2007 : Frequency-X Blog
Continuing yesterday’s international money mule theme and the FAQ, I figured it would be worthwhile running through a fairly typical mule recruitment website – in this case, one that appears to have been around for quite some time (which is pretty weird given how quickly phishing sites are normally taken down). This particular mule recruitment company first came to public attention in December last year, and some historical information can be found on iDeceive’s “Suckers Wanted” blog, but the site is still up – materializing under yet another domain name registration.

Welcome to Impex Consult Financial Consulting Group (currently available at www.impexonline.biz)

Impex Consult

Impex Consult Financial Consulting Group claims to have been established in 1994 with offices in over 20 countries offering consulting and financial audits (amongst many other related services), and “was listed among the top ten international audit & consulting companies and is known as a reliable supplier of audit & financial consulting services to a number à leading corporations.” (Zero’s a number isn’t it?)

The site itself probably appears to be legitimate to most visitors. It even provides the ability to view the site in German, Spanish and French in addition to the default of English (International English – not US English :-)
If you know what the site’s really about, it’s actually kind of amusing. I found the list of partner certificates and accolades at the bottom of the main page to be quite entertaining – you can hardly tell where they’ve superimposed their company name on top of the pictures. The giveaway of course can be found on the vacancies page, way at the bottom – below some other job listings such as “Legal Department Specialist”, “Office Manager” and “Marketing Specialist” – it’s time to become a “Transactions Specialist”.
EXPECTATIONS FROM CANDIDATE:

All you have to do is tell them about yourself and you’ll be listed in their “Candidate Data Bank, if you fill out an application form in the format and fitting in with the content we require”. However, if you apply for one of those other jobs (Office Manager etc.) you’ll find that Impex Consult “reserve the right to offer a candidate a different vacancy suitable to his/her profile” and you’ll probably end up being offered the “Transaction Specialist” role anyway.

Where in the World?

So, where in the world are Impex Consult located? Well, on the website, they give their details as being in Hong Kong.
(Don’t you just love how all those payment logos are meant to add a certain elegant legitimacy to the site?)

Doing a quick domain registration Whois, I retrieved the following:

Domain Name: IMPEXONLINE.BIZ

You’d do well to notice the following things:
(If you want a convenient jump point from which to run all these passive information gathering queries, try the tools section here)

Where is the web server physically hosted? A quick traceroute reveals that it is a virtual web site hosted at modhost.ru (the same Russian ISP hosting the name servers). Actually, after querying a public database that keeps records of web hosts associated with IP addresses (in this case DomainTools), we see that this particular hosting domain serves up some 325+ virtual hosts – of which www.impexonline.biz is just one. I wouldn’t be surprised to learn that there are several other clones of the recruitment site hosted within this environment – but under different domain registrations.

One last thing I noticed was the MX records. According to the DNS records, mail for Impex Consult goes to mail.impexonline.biz. However, while its IP address resolves to the same modhost.ru host, it appears that SMTP traffic is transparently proxied to a mail server that goes by the name of saturn.bsys-net.ru. Subsequent investigations into the bsys-net.ru domain start to get pretty messy - including registration details claiming origins of “Limited Liability Company Bank"s Systems” with phone numbers prefixed with Kazakhstan dialing codes and cyclic references to the domain bsys.ru. Perhaps the most interesting visible aspect is the fact that these domains were registered mid-November 2006, about the same time that the original recruitment spam for Impex Consult first started to appear – coincidence? It’s probably also worth noting that the web sites associated with these domains have been up for quite some time, and are still “under construction”.

Conclusions

So, what can I say in conclusion? I guess the most important takeaways from this sample analysis are:
All in all, if it sounds too good to be true, it probably is.
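The passive checks walked through above (Whois, where the name servers and web server are hosted, and what the mail server calls itself compared with the MX record) can be run as a repeatable triage once the data is collected. This is an added example, not part of the original post: every record, hostname and field name in it is constructed, the domain-age check generalizes the post's point about recent registrations against a claimed 1994 founding, and the last-two-labels domain split is a simplifying assumption.

```python
import re
from datetime import date

# Constructed sample inputs; none of these are the real records for the site above.
WHOIS_TEXT = """\
Domain Name: EXAMPLE-CONSULT.BIZ
Creation Date: 2007-01-09
Name Server: NS1.HOSTER-EXAMPLE.RU
Name Server: NS2.HOSTER-EXAMPLE.RU
"""
OBSERVED = {
    "claimed_founded": 1994,                  # year the site says it was established
    "claimed_cctld": "hk",                    # ccTLD of the country the site lists as home
    "web_ptr": "vhost7.hoster-example.ru",    # reverse DNS of the web server IP
    "mx_host": "mail.example-consult.biz",    # target of the MX record
    "smtp_banner": "220 saturn.mailer-example.ru ESMTP",  # greeting seen on port 25
}

def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}, lower-cased."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip().lower())
    return record

def base_domain(host):
    """Naive registrable domain: last two labels (ignores multi-label suffixes)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def triage(whois_text, obs, max_gap_years=5):
    """Return (code, detail) findings where passive data contradicts the site's story."""
    rec, findings = parse_whois(whois_text), []
    gap = date.fromisoformat(rec["creation date"][0]).year - obs["claimed_founded"]
    if gap > max_gap_years:
        findings.append(("young_domain", f"registered {gap} years after claimed founding"))
    infra = {base_domain(h) for h in rec.get("name server", [])} | {base_domain(obs["web_ptr"])}
    foreign = sorted(d for d in infra if not d.endswith("." + obs["claimed_cctld"]))
    if foreign:
        findings.append(("hosting_mismatch", "DNS/web hosted under: " + ", ".join(foreign)))
    m = re.match(r"220[ -](\S+)", obs["smtp_banner"])
    if m and base_domain(m.group(1)) != base_domain(obs["mx_host"]):
        findings.append(("smtp_relay", f"MX {obs['mx_host']} greets as {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for code, detail in triage(WHOIS_TEXT, OBSERVED):
        print(f"[{code}] {detail}")
```

A finding here is a reason to look closer rather than proof of fraud, since plenty of legitimate companies host abroad or relay mail through a third party.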