With money mule recruitment continuing to represent the most actively used risk-forwarding tactic within the cybercrime ecosystem for the purpose of securely distribution fraudulently obtained funds, part five of the "Keeping Money Mule Recruiters on a Short Leash" series are here to stay.
What's particularly interesting about the money mule recruitment domain portfolio that I'll expose, is the logical progression from bogus companies offering financial services, to a diverse set of companies occupying multiple markets/covering different market segments.
-Current trends - Localization and standardization/template-tization
A great example of this trend -- largely driven by the standardization and template-zation of money mule recruitment sites as a service- is Schwartz & Brothers LLC (schwartz-brothers.cc).
"Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & Brothers LLC is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner. We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Schwartz & Brothers LLC is the premier art site for those seeking to buy or sell original art online."
From financial services to an entirely new market segment, whereas the entire recruitment process remains pretty static, excluding several time quality assurance oriented details. For instance, every potential mule is required to download a entry level job psychological test, which surprisingly asks directly whether the mule is from Australia, next to automatically choosing Australia as a country of origin at a later stage throughout the registration process.
Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are you/were you convicted?" in an attempt to combine the survey results with other details such the opening date of the bank account, as well as the average daily/weekly/monthly amount transferred.
- The Terms of Service
The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to process payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.
CONFIDENTIALITY:
The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specifications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures.
The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company.
The Contractor shall not retain any copies of the foregoing without the Company's prior written permission. The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this Agreement to any person without the prior written consent of the Company and shall at all times preserve the confidential nature of his relationship to the Company and of the services hereunder.
If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, such could be considered grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.
TERMS OF ENGAGEMENT:
The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to AUD 2300 per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuse to fulfill his/her obligations under this Agreement or fulfills them not in good faith.The Contractor has the right to terminate the Agreement at any time on condition that he/she has processed all previous payments and has no new instructions.
COMPENSATION:
The Company undertakes to pay taxes accrued in connection with money transfer.The Company shall also reimburse part of expenses which are incurred in connection with money transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3%, i.e. commission for payment processing operation).The above difference will be automatically added to the base salary of the Contractor and paid once per month together with the base salary.
The Company shall have the right to decrease the Contractor's commission in case the payment processing terms were violated by the Contractor. Should the Contractor delays re-sending money accepted to his bank account for the period exceeding one (1) day without any explicit reason, the Company shall have the right to impose sanctions on the Contractor if only the delay has not been caused by the Force Majeur circumstances and to apply to the arbitration and claim for the reimburse of the amount transferred to his account or for compensation for other damage if any, evicted due to the delay.
The Contractor may take days off at any time and at his/her option upon giving five (5) working days advance notice in writing or three (3) working days advance notice via e-mail or fax to the Company in order that the latter may abstain from charging the Contractor with new instructions. However, salary for each day-off is deducted from the Contractor's base salary."
- OSINT data for money mule recruitment sites
The following portfolio of money mule recruitment domains appears to have been registered using automated email registration tools, with the potential for CAPTCHA outsourcing clearly considered by the malicious parties, taking into consideration the even decreasing price for solving CAPTCHA challenges.
4STAR-SOLUTIONS.CC - Email: urge@bz3.ru
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru
ACOONGROUP-LLC.CO - Email: jx@ppmail.ru
AIMIC-GROUPLLC.CC - 98.141.220.118 - Email: aryan@ppmail.ru
AMINA-GROUPCO.CO - Email: beige@ca4.ru
AMINA-GROUPINC.CC - Email: zowie@yourisp.ru
AMINAORG.CC - Email: range@ppmail.ru
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru
ARPHISGOLDGROUP-INC.CO - Email: ira@bz3.ru
AUS-FINANCE.CC - Email: ours@ca4.ru
BREDGAR-GROUPLLC.CC - Email: zoe@ca4.ru
BREDGARGROUP-LLC.CO - Email: judo@free-id.ru
CESIS-GROUPLLC.CC - Email: el@cheapbox.ru
CESISGROUP-LLC.CC - Email: flip@free-id.ru
CESIS-GROUPLLC.CO - Email: our@ca4.ru
COCOONGROUP-LLC.HK - Email: most@cheapbox.ru
CORES-GROUP.CC - Email: jaunt@cheapbox.ru
CORESGROUP-INC.CO - Email: yule@cheapbox.ru
CORES-GROUPLTD.CO - Email: liszt@bz3.ru
CRAFT-GROUPNET.CC - Email: room@yourisp.ru
DILIGENCE-GROUP.CO - Email: twig@ppmail.ru
DILIGENCE-GROUPINC.CC - Email: till@cheapbox.ru
DUNCROFT-GROUP-INC.CC - Email: swiss@ca4.ru
DUNCROFTGROUP-INC.CO - Email: shoot@ppmail.ru
ELSDEN-GROUPINC.HK - Email: lost@ppmail.ru
FARLINE-FIN.CO - Email: pecks@free-id.ru
FARLINE-FININC.CC - Email: cynic@free-id.ru
FILEGROUP-LLC.CO - Email: knelt@ca4.ru
FINTEC-LTD.CC - Email: w@yourisp.ru
FINTEC-UK.CO - Email: sons@bz3.ru
GLEICHFALLS-GROUPINC.CO - Email: tents@ppmail.ru
I-COMPASS-GROUP.CO - Email: wolf@ca4.ru
IM-SYSGROUP.CO - Email: truce@free-id.ru
IMSYSTEMS-GROUP.CC - Email: agate@bz3.ru
INCOGROUP-USA.CO - Email: beams@free-id.ru
JOURNEY-FINANCIAL.CC - Email: lulu@ca4.ru
LBMGROUPCO.CC - Email: dreamy@ppmail.ru
LBM-GROUPINC.CO - Email: coma@ca4.ru
LCD-FIN.CO - Email: salt@free-id.ru
LCD-FINANCE.CC - Email: fritz@bz3.ru
MACROTECHINC.CC - Email: cv@yourisp.ru
MACROTECH-UK.CO - Email: curl@cheapbox.ru
MALLOW-GROUP.CC - Email: cues@ppmail.ru
MALLOW-GROUPINC.CO - Email: hn@bz3.ru
MONEY-VISUALUK.CC - Email: hn@bz3.ru
MONEYVISUAL-LLC.CO - Email: yam@free-id.ru
MARFYGROUP.CC - Email: thorny@cheapbox.ru
MICHAELESGROUP-USA.CO - Email: knelt@ca4.ru
OLIVER-SONSINC.CC - Email: drub@cheapbox.ru
ONLINE-SOLUTIONSLLC.CC - Email: coma@ca4.ru
PEGASLTDUNION.cc - Email: prim@bz3.ru
PHYSIS-GROUPLLC.CC - Email: tt@ca4.ru
PHYSISGROUP-LLC.CO - Email: opals@free-id.ru
PINFOLD-GROUPINC.CO - Email: beams@free-id.ru
RADIUM-GROUP.CC - Email: spy@yourisp.ru
RADIUMUK-LTD.CC - Email: socks@cheapbox.ru
REDISCO-GROUPINC.HK - Email: wimp@ca4.ru
SANTORINI-FIN.CC - Email: gill@cheapbox.ru
SANTORINI-FINANCE.CO - Email: foul@yourisp.ru
SCHNELLER-GROUPINC.CO - Email: foul@yourisp.ru
SCHWARTZ-BROTHERS.cc - Email: oozed@bz3.ru
SILVERSUNGROUP-INC.CC - Email: cp@ca4.ru
SILVERSUN-GROUPUK.CO - Email: cheer@ca4.ru
SOLUTIONSLTD.CC - Email: h2o@ca4.ru
STILE-GROUPLLC.CC - Email: ma@free-id.ru
SUNRISEPR-GROUPLTD.CC - Email: cough@ppmail.ru
TECHADVINC.CC - Email: chance@cheapbox.ru
TECHADV-INC.CC - Email: chance@cheapbox.ru
TECHOUSE-GROUP.CC - Email: scale@yourisp.ru
UKTECH-GROUPLLC.CC - Email: cap@ca4.ru
USGROUP-AMINA.CO - Email: cap@ca4.ru
USGROUP-REIGN.CO - Email: w@ppmail.ru
YESGROUP-LLC.CO - Email: twig@ppmail.ru
Name servers of notice:
NS1.LIBUNITAU.CC - 178.162.152.76 (AS28753) - Email: ached@yourisp.ru
NS1.NNSQUE.CC - Email: amok@cheapbox.ru
NS1.OLIVAU.CC - Email: bop@cheapbox.ru
NS1.PAGEREDNS.CC - 178.162.152.77 (AS28753) - Email: freer@free-id.ru
NS1.SURPLUSUSA.CC - 209.159.156.162 (AS19318) - Email: skulk@ppmail.ru
NS1.TVSILVAU.CC - Email: fact@ppmail.ru
NS1.UKNSSPACE.CC - 69.10.44.190 (AS19318) - Email: gravy@ca4.ru
ns1.uksource.cc - 69.10.44.189 (AS19318) - Email: liver@cheapbox.ru
NS1.USABONDS.CC - Email: bart@cheapbox.ru
NS2.AUSTDEC.CC - 66.199.236.114 (AS15149) - Email: bold@yourisp.ru
NS2.COUKSNS.CC - 122.70.148.179 (AS55462) - Email: preen@ppmail.ru
ns2.gbtrade.cc - 66.199.236.114 (AS15149) - Email: ct@yourisp.ru
NS2.OLIVAU.CC - Email: bop@cheapbox.ru
NS2.RINGTONS.CC - 66.199.236.115 (AS15149) - Email: aaron@cheapbox.ru
NS2.TVSILVAU.CC - Email: fact@ppmail.ru
NS2.USAFUNDS.CC - 76.73.47.28 (AS30058) - Email: tile@yourisp.ru
NS2.ZONENSUK.CC - 178.162.181.11 (AS28753) - Email: rooms@ppmail.ru
NS3.AUSTDEC.CC - 178.162.181.11 (AS28753) - Email: bold@yourisp.ru
NS3.FOLOWDNS.CC - 178.162.181.11 (AS28753) - Email: dyed@bz3.ru
NS3.SDNSAU.CC - Email: level@cheapbox.ru
NS3.SURPLUSUSA.CC - 69.50.192.97 (AS18866) - Email: skulk@ppmail.ru
NS3.TVSILVAU.CC - Email: fact@ppmail.ru
NS3.UKCCONS.CC - 178.162.181.11 (AS28753) - Email: ted@cheapbox.ru
NS3.UKDNS.CC - 66.199.236.116 (AS15149) - Email: append@free-id.ru
ns3.ukearnings.cc - 178.162.181.11 (AS28753) - Email: bf@free-id.ru
ASs of notice using standart ns1;ns2; ns3 structure:
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE
AS19318 - NJIIX-1 NJIIX.net 110B Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE
AS15149 - EZZI-101-BGP EZZI
- Long term trends - "from mule inventory to transactions inventory"
With the localization and standardization/template-tization of the entire money mule recruitment process an every day's reality, quality assurance and diversification of the markets/market segments in order to increase the probability of successful social engineering attack, will start taking place. Moreover, the current template driven recruitment ecosystem will inevitably start taking advantage of basic concepts such as geolocation and content cloaking, in order to once again increase the probability for converting a web site visitor into a mule.
At an invite-only conference that I attended in September, 2010, someone from the audience asked me a rather interesting question. Does it really matter how many mules are recruited by a particular syndicate, and most importantly, can we talk about average number of days/weeks/hours by the time the mule gets busted, and can no longer offer his/her services?
In the long term, we're inevitably going to witness the migration from building inventories of mules to transaction-driven mule recruitment model where the capability-driven mentality surpasses the mule inventory building one. The number of possible transactions with success rates based on historical performance, combined with an infinite loop of recruitment is what will drive the entire mule recruitment ecosystem.
Related posts:
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
This post has been reproduced from Dancho Danchev's blog. Continue reading →
RSS Feed