Averting Mule Attacks

How fraudsters that use mule networks leverage CRM apps and what security pros must know

Fraud operations are becoming more organised and are carried out with meticulous strategy. A mule network comprises the mules, who are often junkies, and other accomplices of the mule herder interested in making a quick buck. However, fraudsters are increasingly able to streamline the process of recruiting and controlling mules with an astounding success rate, while overcoming the biggest barrier mule herders face, i.e., location.

Fraud Categories

Every fraud operation can be split into two parts: obtaining credentials and cashout. In the former, fraudsters use various tools and methods, such as phishing, vishing and malware, to obtain information about their victims. In the latter, fraudsters monetise the stolen data, or in other words, they perform a cashout. There are various forms of cashout, depending on the type of credentials the fraudsters have in their possession (and that, in turn, depends on the type of tool or method used to obtain them in the former stage). Cashing out credit cards stolen from a hacked online merchant, a "shopadmin" in fraudster terminology, is usually done by ordering items online and later selling them off. Online banking credentials, on the other hand, would usually be cashed out through a money transfer to another account. In both cases, and in most other types of cashout, the fraudster would need an online account or a real-world shipping address in his possession. These are usually obtained by mules.

In the past, fraudsters who controlled mules mostly recruited them in the real world. Unlike the hackers, who could sit on the opposite side of the planet, mule herders had no such luxury. The present-day mule herders have no specific location and are geographically spread, sitting anywhere, and have the capability to crack the formula of recruiting and herding mules online. A single mule herder can run multiple mule operations, each focussing on a different country and language. If in the past most mules were accomplices, now they are mostly unwitting mules: regular Joes who are scammed into being mules and are not necessarily less innocent than the actual victims of the frauds.

Mule Formation

Just like any other type of scam, mule recruitment can be executed with various levels of sophistication. They all share a common trait, however. Recruiters all approach job-seekers with a cover story of being a legitimate company searching for work-from-home employees, one that has come across the recipient's CV and expresses interest in recruiting the person. The least sophisticated type of mule recruitment is done exclusively via email. Similar to a Nigerian fraud, individuals receive an email from company X describing the usual shtick, without forgetting, of course, to mention the wage on offer in an attempt to lure the recipient. The email then simply asks the recipient to reply to the message and send his or her personal information. Operations that are more sophisticated contain a link to a website of the fake company, which makes it appear much more convincing as a legitimate employer. In some operations, long, legitimate-looking employment contracts are sent to the mules during the recruitment process.

Leveraging Customer Applications

Interestingly, most sophisticated mule recruitment operations have full-fledged CRM systems used to keep track of and manage employees and the status of their work. These incredibly sophisticated systems allow the mule herders to go over the details of the individuals who replied, track items or funds sent to the mules and communicate with them through a messaging service. Operations with this level of sophistication are more common than you would think, so common that some underground vendors make their living exclusively by offering this type of platform to their nefarious buyers.

Advanced Mules

If, at the beginning, mule herders recruit only traditional mules online (those who intercept items bought with stolen credit cards or money sent through a wire transfer), over time fraudsters learn how to recruit mules for other ventures. These mules, who were traditionally accomplices of the fraudster, walk into bricks-and-mortar merchants with fake plastic cards encoded with stolen credit card information. They purchase high-value items, re-encode the data of another stolen card and then go hit other merchants. Today, unwitting mules are recruited specifically for that task, believing they scored a mystery shopping position in a company evaluating retailer employees. They go into retail stores with a fake card that was sent to them by the mule herder and purchase an item they were told in advance to buy. These mystery shoppers don't get to keep the items they bought for evaluation, though. They of course must send the merchandise and the credit card back to their employer (the mule herder), with the promise that their expenses will be added to a promised paycheque. To completely pull the wool over the mule's eyes, he or she is then requested to complete a detailed survey of the shopping experience at the retail outlet. The charade continues for an entire month, during which the mule receives different fake cards for every purchase. Then, when it's time to receive the paycheque for his or her hard work, the boss suddenly stops replying to any emails and disappears. The mule herder has already moved on to another mule.

Through their websites, multiple legitimate service providers offer individuals the chance to apply for a job and perform it from home, much like the mule-recruitment frauds. Some of them offer positions that would fit well into the fraud ecosystem, such as an over-the-phone mystery shopper service. These services use independent workers who register online to call businesses and evaluate the level of customer service administered. As fraudsters operate by-fraudsters, for-fraudsters call centres, it is only a matter of time until we see them recruiting mules for these positions as well.

Safeguarding Against Mules

As quickly as consumers become familiar with the threats they face and change their online behaviour, the criminals who seek to steal personal and financial information also change their tactics. Consumer education and awareness is one of the first lines of defence in the ongoing battle against online crime. The year 2010 marked the beginning of several new threats and an increased level of sophistication in the attacks witnessed around the globe.

Firewalls and anti-virus can keep malware at bay, but how does one safeguard classified corporate data from being siphoned out of the company and falling into the wrong hands? Is there a way to systematically reduce the risk exposure to the insider threat? It is interesting to note that most incidents of sensitive corporate data leaks happen unintentionally, either because of a lack of awareness at the employees' end, or a careless mistake that the security infrastructure of the organisation was unable to detect and tackle. While organisations lean towards allowing access to social websites etc. within the organisation, they also need to implement a holistic security strategy which is information-centric and which encompasses all aspects of security. If an enterprise can restrict access to information to only the right employees, loss of data from within the organisation or by attackers getting into the network could be minimised. IT heads across several verticals are today looking for integrated solutions to minimise the window of vulnerability through layered security structures. They are moving towards a built-in approach, allowing each security component to understand what is happening in other areas and giving a consolidated view of each environment, thereby allowing a correlation of activities and events, while also managing compliance.

Courtesy: RSA
