International Money Mule Recruitment – Part I – The FAQ
Posted by Gunter Ollmann on August 14, 2007 at 8:40 PM EDT.

My suspicion that not many people know what a money mule is has definitely been confirmed these past couple of weeks based upon the number of queries I’ve had about last months posting on the topic.

So, this evening I figured I’d do two things – write up a short FAQ about the money mules, and walk through an example mule recruitment web site (this will go up tomorrow as a separate blog entry).

Money Mule FAQ

How long have these mules been around?

I don’t have any hard figures on this (if you do, drop me an email, I'm interested in knowing more), but I’d assume that mule recruitment became increasingly important to phishers once the main retail banks aggressively started closing down or greatly limiting their online international transfer functions.  Most consumer banking sites that I’m familiar with (or have pentested in the past) no longer allow same-day international transfers.  This would hint to me that money mule recruitment has been around since the turn of the millennium.

How do phishers recruit their mules?

The most common way is through spam-based enticements.  If you do a quick reconnoiter of your own spam caches, you’ll most likely find between two and five percent of it contains “get rich” messages or “work from home” jobs – many of which are in fact mule recruitment posts.  A lot of these spam messages drive you towards commercial looking recruitment sites – carefully disguised to look like legitimate businesses.

Why do people become mules?

I guess it depends upon who they are.  Since these recruitment sites often sound legitimate, with roles such as “online account manager” and “transaction specialist”, many people believe that they are in fact working for a real company – earning a little money on the side to compliment their fulltime job or pension, or for some quick cash while studying.  On the other hand, I also hear that some people (even though they suspect that things aren’t really legitimate) take the risk because they don’t expect to be prosecuted for it – after all, they’re not the ones actually stealing the money right? - naiveté isn't a defense under law.

How long do the mules last?

That really depends on how sophisticated and knowledgeable the phishing crew is, how good the automated fraud detection systems are at the bank, and how quickly any victims raise the alarm on their account.  Most banks have pretty sophisticated fraud detection systems, and it doesn’t take a genius to see that an automatic algorithm that detects lots of intra-bank transfers from accounts that don’t normally do transfers, to other accounts that don’t have a history of receiving intra-bank transfers, is probably going to be a fairly reliable hint to something not being quite right.  Estimates range from a few days to a few weeks before the mule account is detected and deactivated.  From then on it depends on how the bank plans to deal with the money mule – i.e. recover the money and/or prosecute.

Is mule recruitment on the increase?

Given the facts such as spam being on the increase, the percentage of spam that are phishing related, the increased sophistication of automated phishing deployment kits, the percentage of recruitment-based spam, and the way automated fraud detection systems work, the simple answer is YES – it has to be.  Phishing is a professional organized crime.  While the banks have honed their fraud detection systems, the phishers appear to have adopted transfer strategies designed to stay below the banks radar – often necessitating smaller intra-account transfer values (e.g. a few hundred instead of thousands of dollars) and distributing them over many more mule accounts – which has meant that the demand for mules is increasing, which has in turn driven an increase in recruitment sophistication (and bulk solicitation).

What happens when the mule gets caught?

That really depends upon the bank.  I’ve heard many things, but basically the first thing the bank will do is freeze the mule’s bank account and attempt to return the phishing victims money.  If the mule’s account has enough money in it to cover any previously transferred funds (i.e. the mule already had an account with the bank with their own personal money in it), they’ll use that to pay pack the victims (i.e. the mule is now out-of-pocket).  If they can’t or they suspect that mule intentionally/knowingly engaged in the money laundering process, that’s when law enforcement gets brought in (or the bank may have a policy to always engage law enforcement for any kind of customer fraud).  One of the problems though lies with the number of mules being caught, and the (often) low money values of the crime (i.e. the anti-fraud systems are pretty good) – which means it can become increasingly burdensome for the bank and/or law enforcement to prosecute.
In some cases, the bank may keep the account live and continue to monitor the mules activity while working with local and international investigators.  The goal being to identify the next phase of the money laundering process and the people behind the crime.

    Copyright 2001-2007 © Gunter Ollmann