Money Mules and Honey Mules

One common form of spam that we see across all sorts of platforms is the work-from-home scam. As well as in traditional email, it can be found on most social networks and, more recently, in SMS.

She made it big doing this from her home. Check it out www.[redacted].com

The spammers often link to what appears to be a legitimate news web site. This SMS message, which addresses the recipient with the correct first name,

Andrew – I’m in the news! Look: www.[redacted].com

takes you to a fake news web site that looks like this:

[Image: Fake news web site]

There are three ways that this spam can be monetized. First, it can be used to collect personal details for identity theft. Second, it can be used as an advance fee scam: in order to earn money you first have to buy materials from the "employer" that turn out to be worthless. Finally, it can be used to recruit money mules for bank fraud.

Money mules are a vital step in a common form of bank robbery. It works like this. The controller of a small business receives an email addressed to them and opens an attachment. This contains a trojan, which takes over their computer. The trojan installs software which collects the credentials used to access the company bank account. This is usually more successful when the company banks with a smaller regional bank that does not have the same sort of fraud prevention in place as a major bank.

Meanwhile, the criminals have recruited a number of money mules who have been doing pointless make-work tasks for a month or so, and have provided their bank account details to the hackers to receive payment. On the day of the theft, the hackers access the company bank account and start transferring money out to the money mules. They are limited to under $10,000 or $5,000 per mule, depending on the institution they bank with, so in order to steal $1,000,000 they will need at least a hundred mules. The mules are instructed to withdraw the money in cash, collect a small commission themselves and transfer the rest via Western Union or MoneyGram to an offshore recipient, often in Eastern Europe. In most cases the money mule has no idea they are participating in anything illegal.

As far as the criminals are concerned, money mules are a limited resource, as they are hard to recruit and can only be used for one fraudulent money transfer. Brian Krebs reported on a theft last month where he speculates that the hackers could not take more than a million dollars out of the account because they ran out of mules. Shortly after this theft we saw a spike in the volume of SMS work-from-home spam. In the two weeks after the attack, we saw 280% more work-from-home SMS spam than in the two weeks before. Was this the criminal gang looking for new mules after they had burned up their entire gang in a particularly profitable heist?

[Image: Work from home SMS spam]

One technique used in spam detection is setting up large numbers of email addresses that have no real user. They are just exposed on the web somewhere, so anything that is sent to them must be spam. These are called honeypots. Perhaps something similar would work to detect this sort of bank fraud? Set up some fake identities (let’s call them honey mules), sign them up for work-from-home schemes, and give each a bank account that is flagged with the financial institution so that any transfer into the account is immediately regarded as fraudulent. That way the sending institution can be notified that the sending account has been compromised, and it can block further transfers and even reverse many of those that have already taken place before the other money mules can remove the money from their accounts. Of course, this would require close cooperation between the banks, law enforcement, and whoever is operating the fake identities.
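The honey mule tripwire described above, as an added example that is not part of the original post. The account identifiers, amounts and the `triage` function are constructed for illustration; the split into "block" and "reverse" follows the paragraph's distinction between further transfers and those that have already taken place.

```python
from dataclasses import dataclass

# Constructed sample data: all account ids and amounts are invented.
HONEY_MULES = {"HM-001", "HM-002"}  # flagged accounts with no real owner

@dataclass(frozen=True)
class Transfer:
    seq: int      # order in which the transfer was submitted
    source: str   # sending business account
    dest: str     # receiving account
    amount: int   # dollars

def triage(transfers, honey_accounts):
    """Return (compromised_sources, to_block, to_reverse).

    Any transfer into a honey mule account marks its source as compromised.
    Transfers from that source at or after the first hit are blocked;
    earlier ones have already gone out and are queued for reversal.
    """
    ordered = sorted(transfers, key=lambda t: t.seq)
    tripwire = {}  # source account -> seq of its first honey mule hit
    for t in ordered:
        if t.dest in honey_accounts and t.source not in tripwire:
            tripwire[t.source] = t.seq
    to_block, to_reverse = [], []
    for t in ordered:
        hit = tripwire.get(t.source)
        if hit is None:
            continue  # source never paid a honey mule: leave untouched
        (to_block if t.seq >= hit else to_reverse).append(t)
    return set(tripwire), to_block, to_reverse

SAMPLE = [
    Transfer(1, "BIZ-ACME", "MULE-A", 9500),
    Transfer(2, "BIZ-OTHER", "VENDOR-1", 1200),  # unrelated legitimate payment
    Transfer(3, "BIZ-ACME", "MULE-B", 9800),
    Transfer(4, "BIZ-ACME", "HM-001", 9700),     # tripwire fires here
    Transfer(5, "BIZ-ACME", "MULE-C", 9900),
]

if __name__ == "__main__":
    compromised, block, reverse = triage(SAMPLE, HONEY_MULES)
    print("compromised sources:", sorted(compromised))
    print("block:", [t.seq for t in block])
    print("reverse:", [(t.seq, t.dest, t.amount) for t in reverse])
```

How much can be recovered depends on how early in the sequence a honey mule receives its transfer, which is why the scheme needs enough fake identities to be picked near the start of a run.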

Unfortunately, nobody has an economic incentive to do this. Business bank accounts do not have the same legal protection as consumer accounts, and when there are losses due to unauthorized transactions, in most cases the business eats the loss, not the bank. Even when the bank can be proved in court to have provided inadequate security, the losses are usually taken by small regional banks rather than the big institutions that have the resources to investigate cyber threats.

Still, the million-dollar heist last month is getting to be serious money. If there is anyone out there who is interested in the honey mule scheme, give us a call and we’ll be happy to provide you with all the latest work-from-home spam in email and SMS.
