Exploring Cyber-Crime Money Mule Operations

Security experts offer insight into how money mules are recruited, paid and managed by cyber-gangs

Recruiting money mules may not be the sexiest part of a cyber-crime operation, but it is among the most vital tasks — something underscored last year when the FBI arrested mules tied to a gang accused of looting millions from banks around the world.

According to Fortinet, mule recruiters are putting more effort into targeting specific countries in a more orchestrated manner. For example, the company found some of these “localised” campaigns used regional-sounding domain names such as asia-sitezen.com and Australia-resume.com, both of which were registered to the same Russian contact.

“The concept of location-based services has been around for a while for other attacks — i.e., pharmacy sites that dynamically change currencies/country flags, etc., based on [the] geo-IP of visitors — but now this is being applied to mule recruitments,” said Derek Manky, project manager of cyber security and threat research at Fortinet. “By doing so, it’s more targeted. … One of the examples we saw actually listed ‘an established relationship with local banks’ as a prerequisite. This is because mules will typically open several accounts [and] it’s much easier to do so if you are a long-time customer.”

By opening multiple accounts in multiple regions, cyber-criminals are creating a layer of redundancy in their operations, he added.

European cyber-crime market

In most cases, mule recruitment is local or supported by someone targeting specific countries, said Uri Rivner, head of new technologies for Consumer Identity Protection at EMC’s RSA security division. One exception to this, however, is Europe, where the SEPA (Single European Payment Area) initiative makes local recruitment less necessary.

“For example, if a fraudster is targeting victims in Germany, they don’t have to recruit mules from Germany anymore because of SEPA,” Rivner said. “They can [move] money from a German bank to a bank in Latvia. By law it is considered a domestic transaction. In the US, this would be like banks handling transactions between states. US banks should be very pleased they don’t operate this way in Europe because in Europe the problem is much more difficult because of SEPA. This makes it easier to recruit mules from anywhere in Europe.

“In many cases we actually know the mule operators are physically located in the US or they have local mule coordinators in specific countries,” he continued. “They field mule phone calls, support questions, etc. Big mule operations have multiple local coordinators that manage local mule support calls.

“One thing that appears to be a new trend is that many more mules nowadays are students who come in knowing they’re part of a criminal organisation — or are simply very stupid. But the mule operators promise them work in the US, and they get a student visa, they fly to the US to study and work part-time as a mule.”

Mule recruitment

This side of the business is kept largely separate from other parts of the cyber-underworld, with the people actually making the malware and stealing the data operating on their own, security experts agreed. According to RSA, the number of mule-recruiting websites jumped from 34 in December 2007 to 591 in December 2009.

Pay can vary, with offers sometimes being exaggerated compared with what mules actually get, Manky said.

Most of the payments, he said, come in the form of commission — typically about 10 percent of every transaction. Due to money laundering laws, most transactions are kept under $10,000 (£6,400), with the average being in the thousands, he added.

“Like any business relationship, an established mule will have more trust with the criminal operators, and will receive larger transactions most often on a more frequent basis; thus they will earn more than others,” Manky said.

Big business

Another way fraudsters turn stolen data into cash is a reshipping operation, in which a criminal uses a stolen credit card to buy an item online and has it shipped to the home of a mule. From there, the mule ships the item on to the fraudster, who sells it for a profit.

“Mule operations [are] big business. … They have to recruit mules, have them ship goods outside the country, sell merchandise on auction websites, etc.,” Rivner said. “Sometimes there are mule operators that recruit and do cash-out together, but they typically won’t do more than that. … It’s a lot of work to control the mules, to recruit them, answer their questions [and] get them set up. It is labour-intensive and is quite unique. Mule operators have to be more like con men than hackers, so it makes sense to separate the operations.”