Mules are the “last mile” in many online fraud operations: the unwitting dupes, or witting co-conspirators who lend their legitimate bank account (and reputation) to fraudsters who are looking for a way to cash out funds from a compromised account. Mules – often lured with promises of “work-from-home” riches receive fraudulent transactions, then immediately withdraw the funds and wire them to the fraudsters, minus a healthy “commission.”
In recent years, there has been ample coverage in the media of cyber crime and fraud and the role of money mules in scams. (I note Brian Krebs excellent reporting on the mule problem on his blog.) And yet, the supply of mules seems to be endless. Or is it? According to researchers at the security firm RSA, bank account cash-out attacks are becoming less common online, and a sharp increase in busts on money mules may be the cause.
Writing on Tuesday, Idan Aharoni, RSA’s Head of Cyber Intelligence, said that his team has seen a sharp (90%) reduction in offers for fraudulent “cash out services” in criminal forums. The problem isn’t a lack of money mules. Rather “mule accounts have become much more volatile” because banks are doing a much better job identifying and shutting down mule accounts. That, in turn, has forced mule “herders,” who recruit the accomplices who will carry out fraudulent transfers, to become more picky about who they work with, in an attempt to avoid burning a good money mule in a scheme that is likely to get broken up.
And, with no mules to turn fraudulent transfers into quick cash, cash-out and account takeover scams hit a brick wall. The downstream effect of the decrease in the numbers of cash out services is large, RSA explains.
“A lack of money mule supply means hardship in turning compromised data into money. If you can’t make money from the data, there’s no appetite to steal it,” Aharoni wrote.
Mind you, he’s not predicting the end of cyber crime or even online bank fraud. Large scale mule herders still have plenty of active mules to process transactions, so the supply is still there – it’s just feeling the pressure from better fraud detection technologies and policies.
Money mules have attracted the attention of law enforcement in the U.S. and abroad in recent years. In 2010, the U.S. Department of Justice filed charges against more than three dozen mules for abetting global bank fraud schemes that allegedly used hundreds of false-name bank accounts to steal over $3 million from dozens of U.S. While many claim to have no knowledge of the criminal nature of the schemes they are involved in, interviews by reporters like Mr. Krebs suggest that many may be too financially stretched (or dim) to ask questions about the instructions they are given by their handlers. In some cases, mule herders have advertised the services of what they describe as “foreign agents” – US based actors who will knowingly act as mules in criminal conspiracies.
Writing for RSA, Aharoni said that improved techniques for spotting mule account owners won’t end cyber crime. But it may raise the bar for unsophisticated criminals to dabble in fraud.
“Newbies wishing to dabble in online banking fraud may find out that they need to build a much bigger and more sophisticated operation, including money mule recruitment, or be forced to go and target someone or something else,” he wrote. And that may succeed in making bank account cash out schemes less common.