The initial recruitment email was spammed from firstname.lastname@example.org with IP 126.96.36.199:
"Cefin Consulting & Finanace is one of the leading providers of consulting services in the world. Our success depends both on high quality of services and on professionally managed and reliable business processes. This is the reason why quality is our main concern. However, the only way to reach top-notch quality in our business is permanent struggle for quality and engineering of stable procedures. It is not possible to reach high quality standards without dedicated personnel striving for flawless operation of processes and projects in their daily life.
Currently we have a Financial Manager opening. No deadlines for applications are set. The job of Financial Manager includes processing of money transfers, sent to his personal bank accounts by company clients. Upon receiving a transfer the Financial Manager has to redirect it to the account specified by our dispatchers. All you need for this job are: 3-4 free hours a day, your wish, ability to work in a team and responsibility. The initial wages will equal 5% of total monthly turnover.
Requirements to Candidates:
- 20 years old and more
- Be able to check your email several times a day
- Should have personal (or business) bank account
- Have a skill to communicate and access to the Internet.
- Foreign language (English is preferable).
- To have an opportunity in any working hours to go to closest Western Union location and make money transfer .
What we offer:
- Generous wages - (Your earnings will originally make 5 % from each payment. Your earnings will originally make 5 % from each payment. After 5 remittances if you will operatively work and correctly, your earnings raises up to 10 %. )
- Opportunity of increase in your earnings.
- Free seminars and training courses (After 6 months of great work).
2010 © Cefin Consulting & FinanaceIf you are interested in this opening, don't hesitate to send your CV at our e-mail: email@example.com All right reserved."
Response received from firstname.lastname@example.org with IP 188.8.131.52, asking for the following details, althrough the DIY money-mule recruitment management interface automates the entire process, thereby allowing it to scale:
"If you have understood the meaning of work and ready to begin working with us, please send us your INFO in the following format:
1) First name; 2) Last name; 3) Country; 4) City; 5) Zip code; 6) Home Phone number, Work Phone number, Mobile Phone number; 7) Bank account info:; a) Bank name; b) Account name; c) Account number; d) Sort code; 8) Scan you passport or driver license"
The CV forwarding email provided is email@example.com, although they'll even recruit you without sending them the required CV.
What's special about the bogus company, is not the new template layout that they've purchased from a vendor offering creative for money-mule recruitment campaign, but their attempt to establish themselves as a trusted brand by featuring fake certificates issued by easily recognizable brands, such as Western Union, Money Gram, Investors in People, the World Business Community and even an award from the Chamber Awards for 2004 in the category - "Most Promising New Business".
Moreover, parked on the very same IP where the money mule recruitment is, are also domains currently serving live exploits, as well as a DIY interface for a spamming service known as "OS-CORP".
The certificates in question:
Cefin Consulting & Finance describes itself as:
"Cefin consulting & Finance was founded at the beginning of 1990. The emerged structure united specialists with unique background in management consulting, marketing research, business evaluation and stock-exchange operations.The following two companies constitute Cefin consulting & Finance:
- Omega Financial Dept. - the dedicated company in the field of securities operations;
- Omega Consult - the dedicated consulting company, rendering services in strategic planning and corporate management.
Top-notch dedicated professionals with key competence in various consulting fields constitute our rigorous staff. We boast to have management consulting and business strategy development experts, certified securities dealers, assessment and registration, marketing and financial specialists, corporate law and anti-monopoly legislation gurus. Address: Cefin consulting & Finance is located at 510 East 80th Street, New York, New York 10021 , United States 786-475-3994; 786-475-3994 (FAX)"
The money mule recruitment domain cefincf .com - 184.108.40.206 - Email: firstname.lastname@example.org remains active. Parked on the same IP are also the following domains, currently hosting live exploit kits:
384756783900 .cn - Email: email@example.com
109438129432 .cn - Email: firstname.lastname@example.org
234273849543 .cn - Email: email@example.com
783456788839 .cn - Email: firstname.lastname@example.org
odnaklasniki .cn - Email: Michell.Gregory2009@yahoo.com - Email profiled in December 2009's "Celebrity-Themed Scareware Campaign Abusing DocStoc" - money mule recruitment connection
mynes-consultings .cn - Email: email@example.com
mynes-consult .cn - Email: firstname.lastname@example.org
Sample live exploit structure, currently active at these domains:
- mynes-consult .cn -> if exploitation is not possible, the user is redirected to the legitimate newegg.com
- mynes-consult .cn/load.php?spl=mdac
- mynes-consult .cn/load.php?spl=buddy
- mynes-consult .cn/load.php?spl=myspace
- mynes-consult .cn/load.php?spl=vml2
- mynes-consult .cn/load.php?spl=ymj
- mynes-consult .cn/load.php?spl=zango1
- mynes-consult .cn/load.php?spl=zango2
All of these exploits drop load.exe - TrojanDownloader:Win32/Cutwail.gen!C - Result: 41/41 (100.00%), which upon execution phones back to 220.127.116.11.
With cybercriminals actively multi-tasking these days, this money mule recruitment gang doesn't make an exception. On one of the domains listed above, a low-profile DIY spamming service known as OS-CORP is offering its services.
"- No child Porno spamming!
- Do not offer me affiliate program (% of sales), I do not care!
- ICQ almost always online, but this does not mean that I always present! If you have not received an answer immediately have patience, I will answer as soon as appearing!
- Mailing lists on bases of certain subjects are more expensive!
- I am not responsible for your campaigns and sites sites that are sometimes nailed in the process of spam! Use anti-abuse hosting!
- I'm not offering anti-abuse hosting services!
- I don't offer recommendations for such services. I give only the services that spam!
- Campaign's size should be UP TO 50 kb!
- Do not always send the same text messages, ideally, to change the text after each mailing, the effect of there!
- Do not use themes in writing (headers) words such as EARN, OFFER, do not put a lot of exclamation marks and other (better do without them), just one!
- For a good response from countries whose native language is not English (eg Sweden, Spain, Denmark, etc.) is highly desirable to use the native language of the text distributed to countries, it gives a wonderful effect, and should not be mistaken, in countries such not everyone knows English, verified repeatedly!
- Do not write too long texts on a number of reasons this does not give a positive effect, but not limited to one sentence worth! Ideally, make the text in a few not particularly bulky paragraphs!"
The deeper your analyze, the more malicious, and most importantly, inter-connected it gets.
Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.