
Computer Crime's Unwitting Accomplices

Electronic 'mules' absorb the risks in online money-laundering scams, often without knowing they're doing anything wrong


If you've seen messages like this in your email box, you might recognize them as spam. But you might not recognize that many of them are recruiting posters for one of the fastest-growing segments of the cyber crime economy -- the online mule.

A "mule" is an intermediary who carries goods or money on behalf of a paying criminal. In the drug trade, a mule might help with deliveries or smuggling. In credit card schemes, a mule buys goods with stolen credit cards and shares the proceeds with the card thief. In both cases, mules usually know they are participating in a crime.

But Gunter Ollmann, director of security strategy at IBM Internet Security Systems, says there is a new category of mule that is increasingly -- and sometimes unwittingly -- playing a critical role in the business of phishers and online identity thieves.

"When a phisher steals money from a victim's bank account, he obviously doesn't just route that money to his own account and spend it," Ollmann explains. "If he did that, he'd be caught right away, because the bank can monitor the money's trail. So most phishers need help from mules to help launder the money -- and that's who they're trying to recruit when they send out those 'work from home' spam messages."

The process works like this, according to Ollmann. When a phisher starts a major spam campaign, he also initiates a separate campaign to recruit the mules he'll need to launder the money he's getting from the phishing victims. While he's emptying the bank account of the victim, he's asking other banking customers to accept small fractions of the money into their accounts.

Once the mules have those electronic funds, they may transfer the bulk of them to another country where they can't be traced, or simply write a paper check to buy goods that can be resold for cash. Sometimes the mule simply gets cash and transfers it to another location via Western Union. However the transfer is done, the mules get to keep a portion of the money for themselves.

But while some mules know that what they're doing is illegal, many others do not, Ollmann observes. "Some of these money laundering schemes look very legitimate," he says. "The phisher might say they are a company that is looking to gain a tax advantage by having the user handle the money, or they might say they want the mule to do some purchasing on behalf of their company. Their communications are very professional, and their Websites look very established."

Phishers often take advantage of mules who don't know they can be detected or prosecuted for participating in money-laundering schemes, Ollmann says. "They get a lot of high school or college students who think they won't get prosecuted, even if they are caught."

Banks are constantly on the lookout for suspicious funds transfers, even before a theft occurs. But they can't monitor every transaction, so they usually put a minimum -- say, $1,000 -- on the transfers they monitor. "The goal of the phisher is to make transfers that are smaller than that minimum, so that the bank won't detect them," Ollmann explains.

But as identity theft becomes more common and banks raise their antennas to detect these schemes, that "minimum" transfer is shrinking, Ollmann says. "To continue to operate under the radar, [phishers] need to work in smaller and smaller transaction sizes. Some of the banks have lowered their thresholds to a few hundred dollars."

As a result, phishers now need more mules than ever, and their recruiting campaigns have intensified. "We're seeing more recruiting spam, and it's becoming more sophisticated, so more people are being taken in," Ollmann says.
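
The per-transfer minimum described above does not see the pattern Ollmann describes, in which one account pays several mule accounts in amounts kept just under it. The Python below is an added example, not code from the article or from any bank's monitoring system: it sums sub-threshold transfers per source account over a sliding window and flags accounts whose combined payouts reach the minimum. The account names, the 24-hour window and the three-payee cutoff are assumptions, and the sample transfers are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 1000.00           # per-transfer monitoring minimum quoted in the article
WINDOW = timedelta(hours=24)  # assumption: aggregation window
MIN_PAYEES = 3                # assumption: distinct recipients that count as fan-out

# Constructed sample data: (time, source account, destination account, amount)
TRANSFERS = [
    ("2021-03-01T09:00", "ACCT-A", "ACCT-M1", 450.00),
    ("2021-03-01T09:20", "ACCT-A", "ACCT-M2", 480.00),
    ("2021-03-01T10:05", "ACCT-A", "ACCT-M3", 390.00),
    ("2021-03-01T11:30", "ACCT-A", "ACCT-M4", 470.00),
    ("2021-03-01T12:00", "ACCT-B", "ACCT-L1", 300.00),   # ordinary payments,
    ("2021-03-03T12:00", "ACCT-B", "ACCT-L2", 250.00),   # two days apart
    ("2021-03-02T08:00", "ACCT-C", "ACCT-L3", 2500.00),  # large single transfer
]

def per_transfer_alerts(transfers, threshold=THRESHOLD):
    """Source accounts with any single transfer at or above the minimum."""
    return {src for _, src, _, amt in transfers if amt >= threshold}

def fan_out_alerts(transfers, threshold=THRESHOLD, window=WINDOW,
                   min_payees=MIN_PAYEES):
    """Map source account -> (largest windowed total, payees in that window)
    for sub-threshold transfers that together reach the minimum."""
    by_source = defaultdict(list)
    for ts, src, dst, amt in transfers:
        if amt < threshold:  # only what the per-transfer rule ignores
            by_source[src].append((datetime.fromisoformat(ts), dst, amt))
    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            total = round(sum(amt for _, _, amt in span), 2)
            payees = {dst for _, dst, _ in span}
            if (total >= threshold and len(payees) >= min_payees
                    and total > alerts.get(src, (0.0, 0))[0]):
                alerts[src] = (total, len(payees))
    return alerts

if __name__ == "__main__":
    print("per-transfer rule:", per_transfer_alerts(TRANSFERS))
    print("fan-out rule:     ", fan_out_alerts(TRANSFERS))
```

On the constructed data the per-transfer rule flags only the single large transfer, while the windowed rule flags the account that split its payouts across four recipients.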

But users shouldn't have any illusions about making a few extra bucks by playing mule, Ollmann warns. "Mules do get prosecuted -- in fact, they're more likely to get prosecuted than the phishers, because the bank can trace the money to their accounts. The life of a mule is pretty short. They might only operate for two to four weeks before they're caught."

IT and security pros should take care to advise their users about these phishing/spam campaigns and keep them from getting sucked in, Ollmann says. "These offers look pretty attractive, even to people who are already employed and doing well. It can be easy to get fooled."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
