September 18, 2014 By Steven D'Alfonso 4 min read

For a more recent article on money mules, read “How Cybercriminals Use Money Mule Accounts to Profit From Online Fraud.”

Money mules are an important element in the process to cash out compromised financial accounts. A money mule is a person who receives and transfers illegally acquired money on behalf of others and receives a commission in return. Cybercriminals, often located in Eastern European countries, require the help of accomplices located in-country to cash out compromised accounts.

Money mules may be knowing, witting accomplices or unknowing, unwitting accomplices. The use of mules is low-risk for the criminals, who remain anonymous while the mules acting on their behalf run a high risk of being exposed, arrested, convicted and sent to prison.

Schemes for Targeting Knowing Money Mules

The old-fashioned method for fraudsters to recruit a mule was through real-world interactions. Low-level players in organized crime groups (OCGs) or individuals looking to make a quick buck would be tasked with this job. Their job would entail moving money from point A to point B. These professional mules still exist, though anti-money-laundering laws and regulations have become the norm, and financial institutions have created methodologies to better catch these instances. Thus, it is now harder for traditional professional mules to complete their tasks.

OCGs adapted to this new environment by creating a number of schemes focused on unknowing money mules. The professional mule's role evolved into that of the mule herder, someone who recruits people to carry out the fraudulent transactions. With technology and the Internet, mule herders no longer have to be physically close to their mules to ensure the schemes are completed.

“A single mule herder can run multiple mule operations, each focusing on a different country and language,” writes Idan Aharoni for SecurityWeek. “If in the past most mules were accomplices, today they’re mostly unwitting mules, regular Joes who get scammed into being mules and are not necessarily less innocent than the actual victims of the fraud.”

Professional Mules

Professional mules are adapting to today’s technologies and utilizing commercially available crimeware to complete their fraud. Crimeware is a type of malicious software designed to carry out or facilitate illegal online activity.

A well-known case involved a cyber-ring of 70 money mules that defrauded millions of dollars from U.S. and U.K. banks by using the Zeus Trojan crimeware. The Zeus Trojan runs on Microsoft Windows operating systems and is used to carry out criminal tasks such as stealing banking information and installing CryptoLocker ransomware. It spreads through phishing schemes and malicious downloads.

The majority of the criminals were from Russia, Kazakhstan, Belarus and Ukraine, and they formed a mule organization made up of mule herders, individuals who obtained false passports and the mules themselves. While some of the individuals in this scheme were unaware of the fraud, the majority of the players were knowing participants in the operation. The controllers of the Trojan spread it to victims’ PCs through email. Once a victim’s computer was infected, the malware let the attackers steal the victim’s banking information, which allowed them to transfer money from victim accounts to mule accounts. The mules would then withdraw the funds and send them to their accomplices, keeping a small portion for themselves.

Auto auction fraud schemes are another example of professional mule activity. Criminal groups, often in Romania, set up online auctions for nonexistent cars or merchandise. Victims who respond to the fraudulent listings are instructed to send payment to a mule account. The mule then transfers the proceeds overseas to his or her co-conspirators. One of the most well-known professional auto auction money mules is Romanian Adrian Ghighina, who pleaded guilty to wire fraud in 2011. According to the U.S. Department of Justice, Ghighina acted as a money mule for four years, moving around the United States and opening bank accounts under fake names. The accounts were used to receive the illicit proceeds from victims of fraudulent auto auctions.

J-1 Visa Money Mules

The State Department’s J-1 Visa Exchange Visitor Program is a cultural exchange initiative. It has many subprograms for purposes such as au pair work, visiting physicians, scholarly research and internships. The program also includes the Summer Work Travel and University Student programs, which have been exploited by OCGs to recruit and place money mules within the United States.

Young adults are recruited in their home countries through social networking sites, online advertisements and personal contacts to serve as money mules while working or studying in the United States. The mules open a bank account and provide the account number to their handler or to the OCG. The OCG’s hackers use various online techniques to compromise consumers’ online banking credentials. Once the credentials are compromised, the OCG may initiate an Automated Clearing House (ACH) transfer to the mule’s account; the mule then either transmits the funds electronically to the OCG or withdraws them in cash and smuggles the cash back to his or her home country for delivery to the OCG.

Perhaps the largest and most famous takedown of a J-1 Visa operation was Operation ACHing Mules in 2010. Charges against 37 people acting as mules or mule herders were filed in the Southern District of New York. The international fraud ring, based in Eastern Europe, was responsible for stealing more than $3 million from small businesses and municipalities.

The ring recruited young adults who had J-1 Visas through Russian social network sites. The mules were then provided with fake passports. Once in the United States, they opened bank accounts under aliases. The accounts were destination points for ACH transfers from compromised victims’ accounts. The illicit funds were either sent back to Eastern Europe via ACH or the mules withdrew cash from an ATM and smuggled it overseas.

Be On the Lookout

The unequivocally knowing mules are those who enter the illicit arrangements fully aware of the illegal nature of what they are doing. Money mule transactions, particularly those of mules acting in complicity with the crime group, represent a serious anti-money-laundering compliance threat for which financial institutions may be subject to punitive fines. Identifying money mule accounts is a challenge for anti-money-laundering programs. The Federal Deposit Insurance Corporation has highlighted additional red flags that can be used to help identify mule activity; they are covered in a previously published Security Intelligence article, “Money Mule Targets: The Extremely Gullible and Financially Distressed.”
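As an added illustration, not part of the original article and not any institution's actual monitoring rules, the following Python script scores accounts against the transaction pattern the article describes for the J-1 and Operation ACHing Mules cases: a recently opened account that receives ACH credits from several unrelated originators and moves most of that value out within a few days by international ACH or ATM cash withdrawal. The ledger, account-opening dates, indicator names and thresholds are all constructed for this example.

```python
from datetime import datetime, timedelta

# Tunable thresholds. These are assumptions chosen for the example, not published guidance.
FAST_OUTFLOW_WINDOW = timedelta(hours=72)   # outflow counts as "fast" if within 72h of an inbound ACH credit
FAST_OUTFLOW_RATIO = 0.80                   # at least 80% of credited value leaves quickly
MIN_DISTINCT_ORIGINATORS = 2                # credits from unrelated senders
NEW_ACCOUNT_DAYS = 90                       # account opened within the last 90 days
FLAG_SCORE = 2                              # number of indicators needed to flag an account

# Outflow types that match the article's description (onward ACH abroad, or cash out at an ATM).
OUTFLOW_TYPES = {"ACH_DEBIT_INTL", "ATM_CASH"}

# Constructed sample ledger: (account_id, date, txn_type, amount, counterparty). Not real data.
SAMPLE_LEDGER = [
    # M-1001: new account, credits from two unrelated originators, funds leave within days
    ("M-1001", "2010-05-10", "ACH_CREDIT", 9800, "Acme Municipal Utility"),
    ("M-1001", "2010-05-11", "ATM_CASH", 3000, "ATM"),
    ("M-1001", "2010-05-11", "ATM_CASH", 3000, "ATM"),
    ("M-1001", "2010-05-12", "ACH_DEBIT_INTL", 3500, "Receiver (overseas)"),
    ("M-1001", "2010-05-18", "ACH_CREDIT", 8400, "Smallbiz LLC"),
    ("M-1001", "2010-05-19", "ACH_DEBIT_INTL", 8000, "Receiver (overseas)"),
    # C-2002: long-standing personal account with ordinary activity
    ("C-2002", "2010-05-01", "PAYROLL", 3200, "Employer Inc"),
    ("C-2002", "2010-05-02", "CARD_PURCHASE", 120, "Grocery"),
    ("C-2002", "2010-05-03", "ATM_CASH", 200, "ATM"),
    ("C-2002", "2010-05-15", "ACH_CREDIT", 500, "State Tax Refund"),
    ("C-2002", "2010-05-16", "ATM_CASH", 200, "ATM"),
    # M-1003: same mule pattern as M-1001
    ("M-1003", "2010-05-20", "ACH_CREDIT", 4500, "Town of Riverside"),
    ("M-1003", "2010-05-21", "ACH_DEBIT_INTL", 4300, "Receiver (overseas)"),
    ("M-1003", "2010-05-22", "ACH_CREDIT", 5100, "Riverside Dental PC"),
    ("M-1003", "2010-05-23", "ATM_CASH", 2500, "ATM"),
    ("M-1003", "2010-05-23", "ATM_CASH", 2400, "ATM"),
    # C-2004: freelancer paid by several clients, but the money stays and is spent normally
    ("C-2004", "2010-05-03", "ACH_CREDIT", 1500, "Client A Design Co"),
    ("C-2004", "2010-05-04", "ATM_CASH", 200, "ATM"),
    ("C-2004", "2010-05-05", "CARD_PURCHASE", 300, "Hardware Store"),
    ("C-2004", "2010-05-10", "ACH_CREDIT", 2000, "Client B Media LLC"),
    ("C-2004", "2010-05-12", "CARD_PURCHASE", 450, "Airline"),
]

# Constructed account-opening dates.
SAMPLE_OPENED = {
    "M-1001": "2010-05-01",
    "C-2002": "2008-03-01",
    "M-1003": "2010-04-20",
    "C-2004": "2007-09-15",
}


def _d(s):
    return datetime.fromisoformat(s)


def score_account(account_id, ledger, opened, as_of):
    """Evaluate one account against the three mule indicators and return the details."""
    txns = sorted((t for t in ledger if t[0] == account_id), key=lambda t: t[1])
    credits = [t for t in txns if t[2] == "ACH_CREDIT"]
    credit_total = sum(t[3] for t in credits)
    originators = {t[4] for t in credits}
    credit_times = [_d(t[1]) for t in credits]

    # Sum outflows of the mule-typical kinds that follow an ACH credit within the window.
    # Each outflow is counted once, even if several credits precede it.
    fast_out = 0
    for t in txns:
        if t[2] in OUTFLOW_TYPES:
            when = _d(t[1])
            if any(timedelta(0) <= when - c <= FAST_OUTFLOW_WINDOW for c in credit_times):
                fast_out += t[3]
    ratio = fast_out / credit_total if credit_total else 0.0
    age_days = (_d(as_of) - _d(opened[account_id])).days

    indicators = {
        "multi_originator": len(originators) >= MIN_DISTINCT_ORIGINATORS,
        "fast_outflow": credit_total > 0 and ratio >= FAST_OUTFLOW_RATIO,
        "new_account": age_days <= NEW_ACCOUNT_DAYS,
    }
    return {
        "account": account_id,
        "credit_total": credit_total,
        "fast_outflow_ratio": round(ratio, 3),
        "age_days": age_days,
        "indicators": indicators,
        "score": sum(indicators.values()),
    }


def flag_mule_accounts(ledger, opened, as_of):
    """Return the scored records of every account meeting FLAG_SCORE or more indicators."""
    accounts = sorted({t[0] for t in ledger})
    scored = (score_account(a, ledger, opened, as_of) for a in accounts)
    return [r for r in scored if r["score"] >= FLAG_SCORE]


if __name__ == "__main__":
    for rec in flag_mule_accounts(SAMPLE_LEDGER, SAMPLE_OPENED, "2010-06-01"):
        print(rec["account"], rec["score"], rec["fast_outflow_ratio"], rec["indicators"])
```

The freelancer account C-2004 is the reason the script requires two indicators rather than one: receiving ACH credits from several unrelated senders is normal for some legitimate customers, and it is the combination with rapid onward movement (and, for the cases in the article, a freshly opened account) that resembles a mule. In practice a score like this would be one input to analyst review, not an automatic action against the account.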
