Over the years, I've been actively researching the money mule recruitment epidemic, providing actionable (real-time/historical) intelligence on their activities, exposing their DNS infrastructure, offering an exclusive peek inside the Administration Panels utilized by money mules, and emphasizing the current and emerging tactics applied by the individuals orchestrating the final stages of a fraudulent operation - the cash-out process through basic risk-forwarding.
Catch up with previous research on the money mule recruitment problem:
- Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
- Keeping Money Mule Recruiters on a Short Leash - Part Eleven
- Keeping Money Mule Recruiters on a Short Leash - Part Ten
- Keeping Money Mule Recruiters on a Short Leash - Part Nine
- Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
- Keeping Money Mule Recruiters on a Short Leash - Part Seven
- Keeping Money Mule Recruiters on a Short Leash - Part Six
- Keeping Money Mule Recruiters on a Short Leash - Part Five
- The DNS Infrastructure of the Money Mule Recruitment Ecosystem
- Keeping Money Mule Recruiters on a Short Leash - Part Four
- Money Mule Recruitment Campaign Serving Client-Side Exploits
- Keeping Money Mule Recruiters on a Short Leash - Part Three
- Money Mule Recruiters on Yahoo!'s Web Hosting
- Dissecting an Ongoing Money Mule Recruitment Campaign
- Keeping Money Mule Recruiters on a Short Leash - Part Two
- Keeping Reshipping Mule Recruiters on a Short Leash
- Keeping Money Mule Recruiters on a Short Leash
- Standardizing the Money Mule Recruitment Process
- Inside a Money Laundering Group's Spamming Operations
- Money Mule Recruiters use ASProx's Fast Fluxing Services
- Money Mules Syndicate Actively Recruiting Since 2002
It all begins with an email coming from a non-existent "environmental enterprise", which in this particular case abuses Google's brand in an attempt to increase the probability of a successful interaction with the socially engineered business owners:
Environmental enterprise searching for representation internationally
5% commission on 200K cash flow originated from promotion and sales of proprietary research articles
- Own a company
- Be reachable on daily basis through E-mail, phone or Skype
- Proper execution of all planned undertakings
In case if being interested, please provide:
- Name and Surname
- Age
- Telephone number (including country code)
- City and Country
- Email
Please answer to: NAME@googleapp-consult.com
Those who reply are asked to open a merchant bank account using their own company data. They are assured that, even though the Web site selling the bogus 'research articles' will use their (legitimate) business brand's name and contact details, they will still receive their 5% commission on the 200,000/250,000 EUR in anticipated revenue, which would naturally be coming directly from other mules participating in the fraudulent scheme. Moreover, although the business owner will have his/her company brand, logo and contact information listed on the Web site, he/she will have zero visibility into the non-existent purchasing process for this research, as "all customer service, sales, technical logistics, etc. are to be handled by us."
Why would a potential cybercrime syndicate want a socially engineered business owner to open a merchant bank account using his/her own data? Pretty simple. In my previous research on the standardization of the money mule recruitment process, I emphasized how money mules are often vetted through online surveys, which always ask questions that matter from a mule recruiter's perspective, such as: when did you first open your bank account, and do you have any limitations on incoming/ongoing monetary transactions on it?
However, an established company benefits from the trust it has already built with its financial institution/service of choice, meaning that it will not only get its merchant account opened, but will also pass the majority of the verification mechanisms for high-volume transactions put in place by that financial institution/service.
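The lure traits described in this post (a contact domain that borrows a well-known brand, a percentage commission, a request to open a merchant account and relay the proceeds, and an operator who keeps all sales activity to himself) can be turned into a mail-filter heuristic. The following Python is an added example, not part of the original research; the brand allowlist, the indicator names and both sample messages are assumptions constructed for illustration, with the lure reusing wording from the emails quoted on this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand tokens mapped to the domains that legitimately carry them.
BRANDS = {"google": {"google.com", "gmail.com"}}

# Phrase patterns modelled on the campaign emails quoted in this post.
LURES = {
    "commission_pct": r"\d{1,2}\s?% commission|commission[^.]{0,60}\d{1,2}\s?%",
    "open_merchant_account": r"open(ing)? a merchant (bank )?account",
    "forward_proceeds": r"(proceed(ing)?s|funds)[^.]{0,80}transfer(red)? (to )?us",
    "operator_runs_sales": r"(is|are) to be handled by us",
}
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def brand_abuse(address):
    """Return the brand token if the domain borrows it without belonging to it."""
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, legit in BRANDS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in legit)
        if brand in domain and not owned:
            return brand
    return None

def score_message(raw):
    """Return the sorted indicator names found in one plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = {name for name, rx in LURES.items() if re.search(rx, body, re.I)}
    senders = [parseaddr(msg.get(h, ""))[1] for h in ("From", "Reply-To")]
    # Contact addresses placed in the body count too ("Please answer to: ...").
    if any(brand_abuse(a) for a in senders + ADDR.findall(body) if a):
        hits.add("brand_lookalike_contact")
    return sorted(hits)

# Constructed samples (not captured mail).
LURE = """From: Recruiter <hr@mailer.example>

5% commission on 200K cash flow. You would need to open a merchant account.
All customer service and sales are to be handled by us.
Please answer to: NAME@googleapp-consult.com
"""
BENIGN = """From: Billing <billing@payments.google.com>

Your invoice is attached. No commission applies to this order.
"""

if __name__ == "__main__":
    print(score_message(LURE), score_message(BENIGN))
```

A message that trips the lookalike-contact indicator together with any of the payment-handling phrases is worth routing to manual review rather than blocking outright, since each phrase on its own also occurs in legitimate reseller correspondence.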
Sample reply email:
Thank you for your reply.
We are a company involved in development, branding and launching of several web media and IT projects involved in consulting on green technology, renewables and alternative energy sources. Several of the projects are being currently launched online and each one will need to have a card payment interface. This collaboration refers to opening a merchant account for online credit card acceptance (E-commerce).
We would need your company to open a merchant account for card acceptance and handle the receivables derived from the sales generated by each project. A bank/payment provider will facilitate data needed for website integration with their E-commerce payment gateway. We will handle the technical side of such integration in full.
We will brand the website under your company, therefore the administrative company data listed on the website will be yours, but all customer service, technical logistics and sales are to be handled by us. The products sold will be proprietary research articles and information packages on green technology, renewables and alternative energy sources.
Incoming proceedings from sales will be settled by the bank (or the payment provider) into your business bank account on a time scale defined by the bank (or the payment provider).
These sale proceedings will be transferred to us, minus your commission and expenses incurred. The volume of monthly payments processed through the merchant account will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. The expected rise is roughly 5-6% every month. The commission proposed to you stands at 5% of the mentioned volume.
All the expenses related to the operation including the banking and transactions fees and the merchant account setup and related fees are to be covered by us. If you agree in principle, I will provide the contract draft to define the legal terms of our collaboration.
ECOFIN Projects (Gibraltar)
Tel/Fax: +350 2006 1287
Who are ECOFIN Projects (ecofinservices.net - 184.108.40.206)? Nothing more than a cybercrime-friendly "marketing agency" at its best.
Ecofin is offering outstanding solutions which are useful in maximizing revenues that are generated through a wide range of investment sectors and global assets. A wide range of services and financial opportunities are being offered for manufacturers, developers, owners as well as financial investors interested in our niche investment portfolios and services.
We are operating as a globally safe company as well as involving risk and integrity management expertise that brings together practical experience along with cutting edge, innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, alternative energy, infrastructure, as well as utility all around the globe.
The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in developing, branding as well as launching exclusive information sales podiums based on alternative, as well as green technological sources along with IT and web media themes. The company is dedicated to providing its clients with the highest levels of quality services and investment returns within the niche industries that we focus upon.
+350 200 67911 (Gibraltar)
+852 5808 2461 (Hong Kong)
+54 11 5984 1154 (Buenos Aires)
+44 20 3051 6249 (London)
Suite 4, 209 Main Street
Gibraltar GBZ 1AA
A potentially socially engineered business owner would then be contacted with a similar email:
Please find the Contract draft attached, review and confirm your agreement with every point of it. The next step would be to provide the proper company data to be put in the contract and produce the final version for the signing.
Please review the showcase website:
This site will be copied into a new domain reflecting your company name and your company data.
As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You would need to open a merchant account for online credit card acceptance (E-commerce).
The customers will be from all over the world. All the issues related to sales, marketing, customer service, supply, logistics, etc. are to be handled by us. You will be required to open a merchant account for online credit card acceptance, receive the funds and transfer us the proceedings, as indicated in the contract draft with detail. No capital or any upfront payments from your side are required. If it is necessary to cover any upfront fees for the merchant account establishment, we will transfer such fees to you beforehand.
Sample Web site template offered as an example of how a socially engineered business owner's company-branded Web site would look (greentechidea.com - 220.127.116.11):
Sample copy of the Contract:
Sample domains from the mule recruitment campaigns spamvertised over email:
Sample name servers involved in the campaign:
NS1.ELCACAREO.NET - 18.104.22.168; 22.214.171.124; 126.96.36.199 - Email: firstname.lastname@example.org
NS2.ELCACAREO.NET - 188.8.131.52
The same email (email@example.com) is also known to have been used to register the following fraudulent/malicious domains:
"The only green is money".
This post has been reproduced from Dancho Danchev's blog.