Stopping The Next Money Mule: How Banks Can Identify Mule Accounts as They are Opened

Money Mules - Can you stop someone from being a mule?

It’s impossible to talk about the world of fraud without mentioning mules. When it comes to infrastructure, mules are just as important as - if not more important than - having a botnet or a phishing attack set up. After all, what use are online banking credentials if you can’t cash them out?

Since mules are such a pivotal part of the fraud process, it’s no surprise that fraudsters go to great lengths to recruit and control them. In the past, mule recruitment was done mostly in the real world - where potential mule candidates were preyed on due to poverty in most cases - but today, fraudsters employ much more sophisticated methods for mule recruitment. Not only do these methods remove the need for the fraudster to be physically present in the country, but they also increase the volume of mule recruitment. In cases where these methods were problematic to implement, the recruiters improved the existing methods and added a new layer of sophistication.

One of the most popular methods of recruiting mules today is through the Internet, using mule recruitment scams. This type of scam is well-known and well-documented by multiple resources online; Bob Bear is one of the most prolific groups exposing these scams. The fraudster sends an e-mail to a mailing list of job searchers, or simply spams a generic mailing list (although that is less effective), stating that the recipient’s résumé or application was reviewed and that they were found suitable for a work-from-home position. The candidate, unwilling to pass up a job opportunity in this troublesome economy, takes the bait. During the course of several e-mail exchanges, in which fake employment forms are signed, the mule receives his instructions and is told to wait for an assignment.

The story and orders for the mule change based on what the mule is intended for – whether it’s accepting fraudulent funds from compromised online banking accounts, reshipping goods bought with stolen credit cards or even receiving money through a balance transfer and going shopping. There is a similar scam in which the candidate is not recruited as a mule but is the victim. This type of scam involves the “candidate” accepting fake checks, cashing them into his/her own account and forwarding the money through a money transfer service. However, this is not a mule recruitment scam so I won’t go into it in detail.

What fraudsters soon found was that potential recruits often reiterated the same question: “Does your company have a website?” To overcome this hurdle and keep suspicions at bay, fraudsters went to the trouble of building an actual website to serve as the “front” of the operation. The candidates go in, see the site and go over the vacancies. Naturally, the only open vacancies (or vacancies that don’t require an insane amount of experience) are positions for the role of a mule (although not advertised that way, of course).

To better manage the mule network, fraudsters didn’t just settle for building a website to recruit the mules. In addition to the “front,” they also have a sophisticated back-end, listing all current “employees,” the tasks that they were assigned to (or in other words, the fraudulent transfers or goods that were sent to them) and where the money and items were forwarded. This recruitment method has become so commonplace that services exclusively dealing with mule recruitment have sprung up in the underground. These services range from full mule recruitment operations to specific tools, such as the back-end management system.

The impact of online mule recruitment is great. As I’ve mentioned, fraudsters no longer need to have a physical presence in the country where they seek to recruit mules. A fraudster from Russia or Nigeria can sit in the comfort of his living room while recruiting mules in the U.S. The fact that he’s doing everything online with the help of automated tools also enables him to increase the volume of his recruitment. There are mule operations that have hundreds of candidates applying for a job in hopes of getting that one break they need.

Online mule recruitment also poses a challenge for law enforcement. Mules recruited in this fashion are unwitting, led to believe they have legitimate jobs. In many cases, they can also suffer a monetary loss when everything is revealed as a scam. They are also victims, just like the owners of the compromised accounts that are being cashed out.

In places where online mule recruitment may be problematic or when fraudsters already have infrastructure in place, fraudsters may still recruit mules the old-fashioned way, in the real world. In such a case, mules could either be unwitting or accomplices. Accomplice mules know they work for fraudsters and are prone to open multiple mule accounts at various banks to facilitate fraud.

A new scheme in recent years is the vacation mule – a mule who is flown in to another country by the fraudsters to open accounts in specific banks (not necessarily using their real passport). Such mules are usually flown from poorer countries, arriving in the richer ones on a student visa. And they are not just flown in on low-budget airlines. Even if a mule herder is required to pay the full fare, it is still lucrative enough to send them abroad to open accounts.

On paper, it seems like nothing can stop a mule from opening an account. At that stage, a mule looks like any other person who walks into the branch requesting to open an account. This is why the focus is on identifying the fraudulent transaction (and consequently the mule who was supposed to accept it) when it is made, rather than on looking for mules when they open their accounts, before the transaction takes place.

The question is – can you even identify mule accounts as they are being opened? Can you stop someone from being a mule? The good news is that the answer isn’t “no.”

So how can you stop a mule who walks into the branch asking to open an account? You have to remember that there are several types of mules. Sure, no one could probably identify an accomplice mule who uses a clean identity and asks to open an account. These people were trained to lie, say the right things and do what it takes to get an account up and running. But don’t forget that there are still unwitting mules, people who were duped into opening an account, while thinking they are doing so for a legitimate company.

In such a case, a simple set of questions by the branch employee could immediately flag the account as a potential mule. Think about security screening at the airport. The security officer asks you a bunch of questions: whether you packed your bags on your own, if you received any gifts to pass along, etc. If you are knowingly carrying drugs, or are a member of a terrorist organization, you could simply lie. But the security questions weren’t designed to pick up on the liars – they were designed to pick up on any legitimate individuals who may have unknowingly been placed into a certain situation.

For example, the branch employee could ask anyone who opens a new account: “Have you been told to open this account by someone else?” If yes, “Was this for a job offer that you received online or in real life?” These simple questions could raise some red flags. The branch employee doesn’t have to act as a risk assessor. They are simply part of a process, inputting information into the system which could alert the security team to further investigate.

There is no need to train branch employees other than informing them of simple additions to existing procedures. There is no need for customer education, although that couldn’t hurt. Putting fliers around the branch that explain the dangers of these scams can go a long way in the long run. As I said, this procedure doesn’t prevent accomplices from opening mule accounts. It would not help if an unwitting mule receives money into an existing account which he has been using for years, something that happens very often. It’s not a silver bullet against mules. However, security isn’t about silver bullet solutions, it’s about putting layers of defense in place. The fight against mules is no different.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.