« E-mail spam and scam roundup for June 3 - 9, 2013. | Blog Home | Summer specials at Dotster, Domain.com and MyDomain »

Bookmark and Share

Beware of email job offers from Money Mule recruiters

June 12, 2013

I have written about spam issues for many years now, covering junk email selling illicit prescription drugs, bogus weight loss substances, E.D. pills, counterfeit watches, purses and shoes, malware link/attachment threats, as well as financial scams like Nigerian advance fee/overpayment (419), pump and dump penny stocks, work at home ripoffs and fake job offers. Today's article is about the last item.

Some types of spam are always present, like the illicit E.D. pills and Nigerian 419 scams. Every now and then something new comes along and gets spammed out heavily for a while, like the current green coffee weight loss scam. But, these new items tend to disappear when the spammers renting the use of botnets lose money promoting things that their recipients aren't interested in trying. That is why we see different spam topics every few weeks.

Most spam, from the 1978 ARPANET DEC email blast to present, has been to take some of your money for some item or substance. 419 scams get you to pay advance fee money in the false expectation of receiving a fortune in return.

Malware delivered by email is usually meant to steal money from online banking users, or valuable website login credentials (Phishing scams), bank card numbers, and even your identity. Or, it might demand a payment to restore the use of your "locked" computer, or to fix non-existent system problems it claims to have found. This malware is either delivered via an email attachment, or by hyperlinks to a hostile website that exploits vulnerable software that may be installed on your computer or smart device.

Fake employment offers, on the other hand, are meant to get YOU to participate in stealing other people's money, as the middle-man who receives, then remits stolen funds to cybercriminals pretending to be employers. The people who enter into these schemes are known as Money Mules.

Read on to find out how this scam works and what the consequences could be for those who get involved

What is a Money Mule?

A Money Mule is a person who either knowingly or unknowingly becomes involved in a criminal money laundering scheme. The Money Mules I am going to describe are unknowingly recruited into transferring stolen funds, thinking it is part of a legitimate job with a multinational company. This job came to them via an unsolicited email, offering employment, possibly with a subject similar to this one that is currently making the rounds.

Subject: Environmental organization is expanding and currently recruiting worldwide reps

Think back to my prior paragraph describing malware threats that are meant to steal money from computer users who do online banking. These victims are tricked into opening a hostile attachment, or clicking on what appears to be an important link to view an invoice, read a complaint, get details about a failed transaction, etc. Once they have taken these actions, an exploit kit runs active JavaScript codes to find out if the computer contains vulnerable software for which an exploit can be downloaded. These vulnerabilities are usually found in outdated versions of Java, Adobe Flash and Adobe Reader. Once a single vulnerable entry point is found, the appropriate package is delivered and installed on that computer. In the case of bank account stealing malware, this is usually the ZeuS (Zbot), or Citidal Trojan.

These Trojans will scan the infected computer for links to certain financial institutions, or PayPal, etc. When the user goes to log into their online bank, the malware will either intercept the user name, password and challenge question, or present a fake replacement login page, then send these credentials back home to a server controlled by the criminals running that particular Trojan campaign. Some time later, money will be transferred out of the victim's bank account, usually in amounts that "fly below the Radar" of most bank fraud detection monitors. This is usually just under $5000 or $10,000, depending on how much money is in that account. If a company business account is attacked, hundreds of thousands of dollars might be transferred before alarms go off.

Bank account cybercriminals will do everything in their power to avoid being identified, while still getting a hold of the stolen money. So, they spam out fake job offers to rope in as many Money Mules as they need to launder these stolen funds as quickly as possible. If the average amount that can be transferred to a typical private bank account is $$9,999, this amount will be sent to each recent recruit, by direct deposit. Read that again! The money stolen by a banking Trojan is sent directly to the bank account of a recently hired job seeker, who is acting as a Money Mule.

The Mules are put under contract to report all money received as soon as possible, then to await instructions. They may be told that a direct deposit of say $7500 is going to be made at 8 AM the next morning, their time. They are then told to check their bank account, online, until the money is deposited. They will then receive instructions to issue a wire transfer in that amount to another bank, using routing and account numbers.

Stolen money may be transferred several times, between various Mules, some of whom are in foreign countries. The payout to the criminals behind this job scam is often accomplished by having local Mules take out cash (direct at bank or via ATM card), and converting it into prepaid money cards, or wired by Western Union to recipients who cannot be traced. Many, if not most of these cybercriminals live in the former Soviet Union.

How Money Mules (don't) get paid

Payment for their (money laundering) services is usually promised to be at the completion of each job, or at the end of two weeks, or the calendar month. What most Mules don't know in advance, but soon find out, is that their commission payment is usually never issued. Exceptions might happen when the controller tells the Mule to keep a very small commission before sending out the bulk of the money. Very few Money Mules are retained for a second job. They are "cut loose" and all communication with the so-called company that hired them is terminated. Emails bounce and any phone numbers used to communicate with the Mules are disconnected.

Some time after this, the victim discovers that their bank account has been emptied, or seriously reduced, through fraud. They report it to their bank, who launch a follow the money investigation. Since the pilfered funds went by direct deposit to somebody in the same country, the bank will contact your bank to demand full repayment of illegally transferred funds. Your bank will attempt to comply and take that amount out of your accounts, to satisfy the return order. If your account lacks sufficient funds, the Police will be called, along with your State, or County Attorney General. You will be interviewed and possibly arrested for participating in a money laundering scheme.

Not only will the mules be out the money they transferred, they will also have to pay for a good attorney to defend them in Federal Court. Bank account theft across State lines is a Federal offense. Some of the consequences are listed below (see this document).


  • Inaccessible bank accounts - During an investigation, law enforcement officials may freeze a money mule‟s bank accounts. Being unable to access funds may create a significant financial burden. These activities may also have a long-term impact on credit scores.

  • Prosecution - Money mules may be prosecuted for their participation in these schemes. Severe penalties may be meted out to those convicted of money laundering.

  • Accountability for charges - In some cases, money mules are found personally responsible for repaying the losses suffered by the other victims.

  • Vulnerability of personal information - As described in the typical process, criminals often collect personal information from the money mules. It is possible that the criminals may use this information for other malicious purposes, including extortion.

Bookmark and Share  

Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by
Movable Type 4.38

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

We are hosted on Bluehost and couldn't be happier!

Fight website spammers