May 9, 2013 By Etay Maor 3 min read

For a more recent article on money mules, read “How Cybercriminals Use Money Mule Accounts to Profit From Online Fraud.”

If “money makes the world go ’round” (according to “Cabaret”), then money mules make the fraud economy go ’round. A valuable asset in the world of fraudulent activities, money mules enable cyber criminals to cash out stolen money. After cyber criminals take over a victim’s account, they enlist the help of a third person — a mule — to retrieve the money and send it to them in an untraceable manner.

The Money Mule

Typically, criminals manipulate a money mule into receiving money from a victim’s account and transferring the money to the criminal using a payment service, such as Western Union or MoneyGram. To do so, fraudsters set up fake company websites that they use to recruit “financial managers” to manage the firm’s funds. The financial manager’s “job” is to receive payments from the company’s clients and then forward the payments (save a 2 to 10 percent commission) to company managers via a payment service. This tactic is the first lesson in Money Laundering 101.

Bogus websites that are used as fronts for recruiting money mules have been around for many years. The security team at IBM recently identified a Russian forum member who took the liberty of perfecting this scam and is now offering a universal money mule recruitment site kit.

The forum member offers a complete mule recruitment template package, including a back-end administration system, website template, spam e-mail templates, mule correspondence templates and more. The entire package is preconfigured for a fake brokerage company that is searching for “talented people to join our team of professionals.” IBM’s investigation uncovered a map of the company’s headquarters, which is conveniently located in the Moscow University campus.

The e-mail correspondence templates (titled “templates for drops”) include a number of scenarios in which the criminal needs to contact the money mule. Here are some examples:

Recruitment


Registration

Employee Details


Money Transfer


Some of the templates include requests for additional data or access to the mule’s bank account:

This package offers a comprehensive solution for those engaged in cyber crime, covering every aspect from mule recruitment to cashing out. This offering demonstrates, once again, that mules are critical players in the fraud ecosystem. Similar to the cases of the website targeting universal MitB and the credit card-targeting universal MitB, analysts are witnessing offers in the cyber underground that provide potential buyers with flexibility and scalability. Consumers must be made aware of these types of scams, as well as the perils of “work from home” offers that involve money transfers and questionable incoming transactions.

As a rule of thumb, any doubt is enough doubt. Online offers that seem even mildly suspicious are probably illegal.

View on-demand webinar: Cybercriminals Never Sleep

More from Threat Intelligence

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today