Security researcher shows money mules know exactly what they are doing

The research, from Brian Krebs of the Krebs on Security newswire, flies in the face of the widely held industry view that money mules are lured by the attraction of commissions on legitimate online transactions.

In June of this year, Krebs says he was investigating an online banking heist against Jackson Properties, during which the cybercriminals added several money mules to the company’s payroll account, using mules they’d acquired from a gang known as the Back Office Group.

“This mule gang uses multiple bogus corporate names, and the Back Office front company that supplied the mules in this attack was called AMR Company”, he explained.

“Reginald, a 45-year-old Texas resident, was among the mules hired by AMR Company. Brown communicated with the mule recruiters by logging into a web site set up by the fake company, and checking for new messages. A source who had figured out how to view the administrator’s account - and hence, all messages on the server - sent me some choice screen shots from several mule communications”, says Krebs.

On June 7, he adds, the mule recruiters sent Reginald a transfer of $4,910, claiming that Jackson Properties was its client. Reginald was told to withdraw the money in cash and wire it overseas, minus a small commission.

The payment, however, never landed in Reginald's bank account, as it was blocked when Jackson Properties detected the fraudulent transactions and worked with its bank to get them reversed.

“But that apparently did not deter our Reginald, who told his recruiter and manager at AMR Company that he understood the whole thing was a scam, and that he had done this sort of thing before. He said he was ready and willing to open additional bank accounts to help with future fraud schemes”, notes Krebs.

In an email sent to his manager with AMR, Reginald reportedly said:

“Let me say from the start. I knew what this was about. I’ve had success working with others like yourself in the past, especially comrades from Russia. I know this game well. If you want to have an ally in the US, I’m your guy. I have more accounts. I’d like us to try again, with another account…Listen Sarah, I am all for making some money. I couldn’t care less about our banking system, anything we can get out [sic] it. Lets [sic] do it. I can't do this without you. I can open up accounts in different names, that’s easy for me. But I have no way of funding them like you do.”

“Think it over and see if there’s a way we can make some money. Even if we only succeed one time…we will still succeeded. I have another account ready to go. Respond to me and I will send you the name, routing, account num[bers], etc.”

Reginald's comments indicate that he was well aware of the nature of the fraud, Infosecurity notes, and his manager then replied asking what percentage commission he was looking for. He replied he was looking for the same percentage that a Russian firm had previously paid, namely 40%.

Krebs says he could not reach Reginald at the number he gave to AMR Company as the phone line was disconnected.

“But a search on his email address revealed more information about his current activities. He is currently the registered contact for a shady-looking enterprise that has all of the hallmarks of a multi-level marketing or pyramid scheme”, he noted.
