Tales from the Darkside: Another Mule Recruitment Site

Categories: Advanced Security,FirstWatch

By Steven Sipes, Consultant Research Analyst, RSA FirstWatch

The underground economy is a complex world built by criminal organizations.  These criminal organizations specialize in one or more of the individual elements or services that, collectively, work together form the underground economy.  One such service is mule recruitment.  While mule recruitment may just be a portion of this economy, mules are crucial to its success.  Without mules, cybercriminals have no safe way to move money and product.  There are 2 basic types of mules when it comes to cybercrime — money mules, which help to move money, and reshipping mules, which help to move stolen goods.  Mule recruiter specialize in finding individuals or small businesses that will help them move funds or product.  In most cases, these mules are unwitting accomplices to the crime.  Other criminal elements exist in the underground economy that specialize in acquiring illicit funds or products.  They do this by harvesting banking account credentials to move funds electronically or they will use stolen credit cards to purchase items that the reshipping mules will then send overseas.

Mule recruitment operations have a very short lifespan as evidenced by one of our previous blogs from December.  All three of the mule recruitment sites that were featured here have closed shop and their websites have disappeared.  Unfortunately, that doesn’t mean we won’t see them again.  I can almost guarantee that somewhere in the underground, they have already reopened their digital front doors and are looking for more mules.

Below is an example of one of the latest mule recruitment sites to hit our radar.  Introducing…Transnational Logistics (www.transnationallogistics.com)

transnationallogistics

Their website certainly has the look and feel of a legitimate business.  It has a company logo, well worded text, information about the company and their locations.  Heck…they even make the claim to have been in business for over 10 years.

But let’s take a closer look at this supposed large, international logistics company.  All of the images on the website are fairly generic with no images of company-branded trucks or shipping containers.  Another clue is how long the website has been active.  This 10+ year organization has only had a corporate for 2 months.  That’s right…the website was registered in February 2013.  Also, they supposedly have offices in the UK, China, USA, and Turkey, but the website is hosted in the Ukraine.  And what about that Madison Ave. address in New York?  Google maps and the Yellow Pages do not show any company by that name in New York located at that address or any address for that matter.  This all seems rather suspicious doesn’t it?

We had the opportunity to speak with an individual who was actively recruited to work as a Project Manager for the company.  The level of professionalism portrayed by Transnational Logistics is *very* impressive.  They have someone making phone calls to the potential candidates; have a quasi-professional pre-employment questionnaire, employee agreement, and training materials that are provided to each candidate.  Furthermore, the terms of employment are enticing. They are offering a base salary of $75,000, medical insurance, sick leave, 12 paid vacation days, federal holidays, and bonuses.  They even have paid training.  Seems just a little too good to be true, doesn’t it?  But they are piquing interest and have had 14 potential candidates in recent days.


emails
So who is behind this scam?  It’s difficult to say as attribution is always challenging.  The aliases that the criminals are currently using are Christine Felton (646-797-xxxx) and Brandon Jones (646-797-xxxx).  If you punch their numbers into your favorite search engine, you might find that there are already complaints filed against at least one of these numbers and further analysis indicates these may be VOIP numbers belonging to a major US telecommunications company.

If you do a little more digging on Brandon Jones, you’ll find his LinkedIn profile.  He has ZERO connections.  Not exactly what you might expect from the HR Manager at a global logistics company.

linkedin

So are they recruiting money mules or are they looking for reshipping mules?  Honestly, we’re not sure at this point.  Portraying themselves as a logistics company it’s very plausible that they would be looking for reshipping mules.  If you work for a logistics company, it would make sense that you might actually ship something as part of your normal job responsibilities.  Of course, it might also make sense that you would help with the fees/duties/taxes associated with shipments and may have to send a payment somewhere.  We are continuing our investigation and talking regularly with the individuals who were impacted by this scheme.  Until then…just remember…if you get a job offer that seems too good to be true…it probably is.

The good people at State Farm have the right idea…just because you saw it on the Internet doesn’t make it true.

Steven Sipes, MSIA, CISSP, GCIH, GREM, GSEC, GCUX is a Consultant Research Analyst with the RSA FirstWatch team.  Steven has over 15 years of IT security and system administration experience with Fortune 100 companies in the retail, banking, and technology sectors.  He focuses much of his current efforts on exploring and exposing the cyber underground.

Author: