Inside the Mule Network

While Fraudsters have the Capabilities of Stealing Millions of Credentials, Eventually They Can Cash Out Only as Many Mules as They Have Access to

Every fraud operation can be split into two parts: obtaining credentials and cashout. In the former, fraudsters use various tools and methods, such as Phishing, Vishing and malware to obtain information on their victims. In the latter, fraudsters monetize the stolen data, or in other words – they perform a “cashout”. There are various forms of cashout, depending on the type of credentials that the fraudsters have in their possession (and that, in turn, is derived from the type of tool or method used to obtain them in the former stage). Cashing out credit cards stolen from a hacked online merchant, a “shopadmin” in fraudster terminology, is usually done by ordering items online and later selling them off. Online banking credentials, on the other hand, would be usually cashed out through a money transfer to another account. In both cases, and most other types of cashout, the fraudster would need an online account or a real-world shipping address in his possession. Those are usually obtained through the use of mules.

In the “old days”, fraudsters who controlled mules mostly recruited them in the real-world. Unlike the hackers, who could sit on the other end of the planet, “mule herders” had no such luxury. The mules themselves were often junkies and other accomplices of the mule herder interested in making a quick buck. Today, however, is a whole different story. As in other areas of fraud, fraudsters were able to streamline the process of recruiting and controlling mules with an astounding success rate, while overcoming the biggest barrier of the mule herders – location, location, location. By cracking the formula of recruiting and herding mules online, fraudsters can sit in Russia, Nigeria or any other place on the planet and run a very efficient mule operation anywhere on the planet. A single mule herder can run multiple mule operations, each focusing on a different country and language. If in the past most mules were accomplices, today they’re mostly unwitting mules, regular Joes who get scammed into being mules and are not necessarily less innocent than the actual victims of the fraud.

Just like any other type of scam, mule recruitment can be executed at various levels of sophistication. They all share a common trait – they all approach job searchers with a cover story of being a legitimate company searching for “work-from-home” employees, who came across the recipient’s CV and is interested in recruiting him/her. The least sophisticated type of mule recruitment is done exclusively via E-mail. Similar to a Nigerian scam, individuals receive an E-mail from “company X” describing the usual shtick, without forgetting of course to mention the wage that they offer in an attempt to lure the recipient. The E-mail then simply asks the recipient to reply to the message and send his/her personal information. More sophisticated operations contain a link to a website of the fake company, appearing much more convincing as a legitimate employer. In some operations, long and legitimate-looking employment contracts are sent to the mules during the “recruitment process”, again to mask the truth by appearing legitimate. The most sophisticated mule recruitment operations, though, have full-fledged CRM systems used to keep track and manage the “employees” and the status of their work. These incredibly sophisticated systems allow the mule herders to go over the details of individuals who replied back, track items or funds sent to the mules and communicate with them through a messaging service. Operations with this level of sophistication are more common than you’d think. So common, that some underground vendors make their living exclusively by offering this type of platform to their nefarious buyers.

If at the beginning only “traditional” mule roles, accepting items bought with stolen credit cards or money sent through a wire transfer, were recruited online – over time fraudsters learned and still learn how to recruit mules for other ventures. “In-store carding” mules, for example. These mules, who were traditionally accomplices of the fraudster, walk into brick-and-mortar merchants with fake plastic cards encoded with stolen credit card information. They purchase high-value items, re-encode the data of another stolen card and then go “hit” other merchants. Today, unwitting mules are recruited specifically for that task, believing they scored a “mystery shopping” position in a company evaluating retailer employees. They go into retail stores with a fake card that was sent to them by the mule herder and purchase an item they were told in advance to purchase. As “mystery shoppers” don’t get to keep the items they bought for evaluation, they of course must send the merchandise and the credit card back to their employer (the mule herder), with the promise that their expenses will be added to a promised paycheck. To completely pull the wool over the mule’s eyes, he or she is then requested to complete a detailed survey of the shopping experience at the retailer. The charade continues for an entire month, during which time the mule receives different fake cards for every purchase. Then, when it’s time to receive the paycheck for his/her hard work, the boss suddenly stops replying to any E-mails and disappears. The mule herder has already moved on to another mule.

Today, almost all mule jobs have been filled by unwitting victims and it’s only a matter of time before fraudsters learn how to recruit them for the rest. Legitimate sites give us a glimpse of what the future holds. Multiple legitimate service providers offer individuals on their web sites to apply for a job and perform it from home, much like the mule recruitment scams. Some of them offer positions that would fit well into the fraud ecosystem, such as an over-the-phone “mystery shopper” service. These services use independent workers who register online to call businesses and evaluate the level of customer service administered. As fraudsters operate “by-fraudsters for-fraudsters” call centers, it’s only a matter of time before we’ll see them recruiting mules for these positions as well.

While recruiting unwitting mules definitely has its benefits, they are still much harder to manage than accomplices. Another mule-related trend is the “J-1 mules” – accomplices of the fraudsters who fly to the United States on a temporary J1 Visa, open bank accounts using fake passports and receive fraudulent money transfers to those accounts. Travelling mules from other countries are not only popular in the United States, but in Europe as well. The proliferation of budget airlines in the continent has made it profitable to send accomplices across the border. We’ve seen cases where mule herders purchased their mules’ flight tickets with stolen credit cards and sent them across the border just to pick up some items bought with a different set of stolen cards.

Mules have been considered to be the “bottleneck” of fraud. While fraudsters have the capabilities of stealing millions of credentials, eventually they can cash out only as many mules as they have access to. Fraudsters are aware of it just as much as security professionals and they invest their efforts, resources, time and ingenuity to open this bottleneck as much as they can. Because of it, we can expect new scams and innovations coming from fraudsters not only in the realm of obtaining credentials or new ways to cash them out, but also in establishing the infrastructure that allows them to do just that.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.