After a few years in the security business, it's easy to get a bit too used to the background noise, and forget that not everyone is familiar with concepts like phishing (see Randy's recent blog at http://www.eset.com/threat-center/blog/2009/11/16/once-upon-a-cybercrime%e2%80%a6), or botnets ("whatever they are", as my brother said to me quite recently), or money mules. I've written about muledriving quite a few times in the past ten years, so it comes as a bit of a shock to realize that according to a survey by GetSafeOnline.org, nine out of ten people don't know what a money mule is. Well, less of a shock now that I've seen the CERC survey that Randy's blog cites.

According to the song by Johnny Burke and Jimmy Van Heusen, a mule is an animal with long funny ears, a brawny back, and a weak brain. In the twilight world of drugs, phishing and money-laundering, the term has more sinister connotations.

A money mule may be a courier, like the mules we hear of in drug-trafficking, but in the phishing world, is likelier to be someone whose bank account is used to launder money. When a phisher steals money from an account in another country, it can be difficult for them to transfer it across international borders. It’s much easier for them to recruit “mules” in the same country (and even using the same bank) as the victim. The money is transferred to the mule’s account, and he in turn forwards the money overseas using a wire transfer service, having deducted his commission. Not only does this make the transfer easier, it can make it harder for police forces to trace the gangs. A mule may also receive goods ordered with a misappropriated credit card and sell them or forward them.

Muledrivers (the guys who recruit and direct money-mules) sometimes go to considerable trouble to make their recruitment emails and sites look genuine, and indeed sometimes go through genuine job-sites, so it's quite likely that some mules aren't aware that they're engaged in criminal activity. Unfortunately for them, when the police come knocking, it's more likely to be on a mule's door than the muledriver's.

None of this is particularly new - it's at least as old as phishing as we now understand it. But that doesn't mean it's not a major problem. According to Get Safe Online (The Blog), "At any given time, there are approximately 100 known mule recruitment sites targeting the UK, each of which may have lured in around 50 active mules. The risk is that by allowing their bank accounts to be used to receive and transfer illegal funds, mules are breaking the law – even if they don’t realise it."

I'm currently revisiting muledriving for a white paper. In the meantime, any recruiter who mails you apparently at random (the way that phishers do) is just using a spammer mailing list. Unpersonalized recruitment mails are bad karma. And anyone who's interested in recruiting you for your bank account is almost certainly a badhat. Impressive job titles like "finance manager" or "shipping manager" notwithstanding.

[1] "Stalkers on your desktop", in AVIEN Malware Defense Guide (ed. Harley, Syngress 2007): http://www.amazon.com/AVIEN-Malware-Defense-Guide-Enterprise/dp/1597491640

[2] "The Spam-ish Inquisition" (Harley & Lee, 2007): http://www.eset.com/download/whitepapers/Spamish_Inquisition.pdf

[3] "A Pretty Kettle of Phish" (Harley & Lee, 2007): http://www.eset.com/download/whitepapers/Pretty_Kettle_of_Phish.pdf

David Harley
Director of Malware Intelligence