Computer Crime's Unwitting Accomplices

Electronic 'mules' absorb the risks in online money-laundering scams, often without knowing they're doing anything wrong


If you've seen messages like this in your email box, you might recognize them as spam. But you might not recognize that many of them are recruiting posters for one of the fastest-growing segments of the cyber crime economy -- the online mule.

A "mule" is an intermediary who carries goods or money on behalf of a paying criminal. In the drug trade, a mule might help with deliveries or smuggling. In credit card schemes, a mule buys goods with stolen credit cards and shares the proceeds with the card thief. In both cases, mules usually know they are participating in a crime.

But Gunter Ollmann, director of security strategy at IBM Internet Security Systems, says there is a new category of mule that is increasingly -- and sometimes unwittingly -- playing a critical role in the business of phishers and online identity thieves.

"When a phisher steals money from a victim's bank account, he obviously doesn't just route that money to his own account and spend it," Ollmann explains. "If he did that, he'd be caught right away, because the bank can monitor the money's trail. So most phishers need help from mules to help launder the money -- and that's who they're trying to recruit when they send out those 'work from home' spam messages."

The process works like this, according to Ollmann. When a phisher starts a major spam campaign, he also initiates a separate campaign to recruit the mules he'll need to launder the money he's getting from the phishing victims. While he's emptying the bank account of the victim, he's asking other banking customers to accept small fractions of the money into their accounts.

Once the mules have those electronic funds, they may transfer the bulk of them to another country where they can't be traced, or simply write a paper check to buy goods that can be resold for cash. Sometimes the mule simply gets cash and transfers it to another location via Western Union. However the transfer is done, the mules get to keep a portion of the money for themselves.

But while some mules know that what they're doing is illegal, many others do not, Ollmann observes. "Some of these money laundering schemes look very legitimate," he says. "The phisher might say they are a company that is looking to gain a tax advantage by having the user handle the money, or they might say they want the mule to do some purchasing on behalf of their company. Their communications are very professional, and their Websites look very established."

Phishers often take advantage of mules who don't know they can be detected or prosecuted for participating in money-laundering schemes, Ollmann says. "They get a lot of high school or college students who think they won't get prosecuted, even if they are caught."

Banks are constantly on the lookout for suspicious funds transfers, even before a theft occurs. But they can't monitor every transaction, so they usually put a minimum -- say, $1,000 -- on the transfers they monitor. "The goal of the phisher is to make transfers that are smaller than that minimum, so that the bank won't detect them," Ollmann explains.

But as identity theft becomes more common and banks raise their antennas to detect these schemes, that "minimum" transfer is shrinking, Ollmann says. "To continue to operate under the radar, [phishers] need to work in smaller and smaller transaction sizes. Some of the banks have lowered their thresholds to a few hundred dollars."

As a result, phishers now need more mules than ever, and their recruiting campaigns have intensified. "We're seeing more recruiting spam, and it's becoming more sophisticated, so more people are being taken in," Ollmann says.
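The monitoring gap described above can be closed by looking at transfers in aggregate rather than one at a time. The following is an added example, not code from the article or from Ollmann: it flags a source account whose individually sub-minimum transfers to several recipients add up past the minimum within a sliding window. The account names, ledger rows, 24-hour window and three-recipient cutoff are constructed assumptions; the $1,000 default is the article's illustrative minimum.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, source account, destination account, USD).
SAMPLE_TRANSFERS = [
    ("2021-06-01T09:00", "ACCT-VICTIM", "ACCT-M1", 450.00),
    ("2021-06-01T09:20", "ACCT-VICTIM", "ACCT-M2", 480.00),
    ("2021-06-01T10:05", "ACCT-VICTIM", "ACCT-M3", 495.00),
    ("2021-06-01T11:00", "ACCT-PAYROLL", "ACCT-E1", 2500.00),  # over the minimum already
    ("2021-06-01T12:00", "ACCT-RENT", "ACCT-L1", 400.00),
    ("2021-06-09T12:00", "ACCT-RENT", "ACCT-L1", 400.00),      # same payee, a week apart
]


def flag_fanout(transfers, threshold=1000.0, window=timedelta(hours=24),
                min_recipients=3):
    """Return {source: (total, sorted recipients)} for sources whose individually
    sub-threshold transfers, inside one sliding window, reach `threshold` in
    aggregate and go to at least `min_recipients` distinct accounts."""
    by_source = defaultdict(list)
    for ts, src, dst, amount in transfers:
        if amount < threshold:  # only what the per-transfer rule never looks at
            by_source[src].append((datetime.fromisoformat(ts), dst, amount))

    flagged = {}
    for src, rows in by_source.items():
        rows.sort(key=lambda row: row[0])
        start = 0
        for end in range(len(rows)):
            # Advance the left edge until the window spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            total = sum(amount for _, _, amount in in_window)
            recipients = {dst for _, dst, _ in in_window}
            if total >= threshold and len(recipients) >= min_recipients:
                best = flagged.get(src)
                if best is None or total > best[0]:
                    flagged[src] = (round(total, 2), sorted(recipients))
    return flagged


if __name__ == "__main__":
    for source, (total, recipients) in flag_fanout(SAMPLE_TRANSFERS).items():
        print(f"{source}: ${total:.2f} to {len(recipients)} accounts -> review")
```
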

But users shouldn't have any illusions about making a few extra bucks by playing mule, Ollmann warns. "Mules do get prosecuted -- in fact, they're more likely to get prosecuted than the phishers, because the bank can trace the money to their accounts. The life of a mule is pretty short. They might only operate for two to four weeks before they're caught."

IT and security pros should take care to advise their users about these phishing/spam campaigns and keep them from getting sucked in, Ollmann says. "These offers look pretty attractive, even to people who are already employed and doing well. It can be easy to get fooled."

— Tim Wilson, Site Editor, Dark Reading
