Categories: Compliance, Microsoft, SMB Security, Social Engineering, Web Security

Comments (11)

  1. Brian Krebs
    1

    With all due respect, arguing that money mules are the victims, and that those robbed with the help of money mules are made whole by their banks, is a laugh. I haven’t yet read the article that forms the basis of this blog post (I will next), but the Microsoft researcher betrays his utter lack of understanding of who these mules and criminals are targeting. It’s not consumers for the most part: It’s small to mid-sized businesses. There are millions of these mom and pop shops in the United States and elsewhere, and many of them are learning the hard way every week that one virus infection can ruin their business. Why? Because in the U.S. at least, banks are not liable for losses on corporate accounts due to cyber fraud. That liability rests with the business. Anyone who wants to learn more about the real situation on the ground with these money mule attacks should spend a few moments reading the stories of more than 75 companies I have profiled over the past two years that have lost tens of millions of dollars at the hands of money mules. They’re available at my site, krebsonsecurity.com and click the Target: Small Business category on the right hand side.

  2. Anonymous
    2

    haven’t read it just yet. any information in the study or from the fbi on threats made to mules’ selves and families if they quit? anything about reasons that busted immigrant mules returning to “muling” a couple weeks later in the US? these incidents are documented, but don’t seem well investigated. that would shed some light on the situation too.

  3. Anonymous
    3

    Regardless of culpability and mitigation, it appears that the mules are key to the whole process.  Stop/inhibit them, and you greatly minimize the harm that can be done to bank accounts of either individuals or small businesses.  In addition, the banks could do a better job on their end via more “intelligent” back-office procedures/software.

    Regards,

  4. David
    4

    I believe there is a substantial difference between being reimbursed the money you may have lost through fraud and being “made whole”.

    Ask anyone who has been through the process of closing accounts, opening new ones, changing automatic transactions and then dealing with the things they never thought of that come up.  Then never quite feeling secure with the daily dealings in life.  Nope, the money is only part of being “made whole”.

    David

  5. Cormac Herley
    5

    The paper is the first link above, free and in the clear.

    Well, you say that I betray a utter lack of understanding for what’s going on and yet you acknowledge not having read what I wrote. That’s pretty half-cocked. My paper explicitly limits its scope to password stealing attacks on the bank accounts of US consumers. Perhaps you don’t find that interesting, but that’s what the article is about. I’m well aware that Reg E protections do not extend to businesses, and stress it several times. However US consumers are covered, and a mule who receives a fraudulent transfer and initiates a good one is left holding the bag if reversal is successful. Not sure I would term that a laugh.

    I don’t quite understand the suggestion that mules are being replaced by prepaid debit cards. At least in the consumer space I don’t think getting a prepaid debit armed only with the account password is easy.  At least I don’t see that as an option when I login to online banking. 

    Anyhow, if you still feel I betray and utter lack of understanding after reading the paper happy to continue the discussion.

     

     

     

     

     

     

     

  6. Anonymous
    6

    While the small to mid-size businesses pay the toll for the fraudster and their mules on business account fraud, it is the banks that pay the considerable toll for the fraudster taking advantage of personal accounts. Regulation E protects the personal/household accounts, so when a fraudster runs amock with the targeted debit cards (and credit cards), the bank makes our customers whole and we sustain the loss.  If we are able to find out who the fraudster is (not that often) we rarely see the funds returned to the bank – the fraudster is long gone and the money mule does not have 2 nickels to rub together, but they may have a huge big screen TV and plenty of bling that they received as part of their bounty, so we all lose.  Due to these sizeable losses the banks sustain, we just get yelled at about the fees that people have to pay.  while we should protect our customers from liability, the money mules working for the fraudsters do not have my sympathy.  What they are doing is illegal.

  7. Anonymous
    7

    Sorry, I don’t agree.  Those mules who know what they are doing and why they are doing it, are engaging in deliberate criminal acts.  They should be prosecuted.  Especially the ones who flout it on FaceBook.

  8. Riddle
    8

    It happens all over and over ,from the dawn of civilization . little beasts get eaten by the bigger ones , we can call that the “crime-chain” . Although the fraudsters didn’t directly harm the mules ,but they used them, for a reason , a good one…

    they aren’t really victims,however, they are just paying for the harm they caused .

    The ulitmate victims are the people who lost the money they hardly worked to earn.

     

  9. Victor Probo
    9

    I think this very blog posting does exactly what the authors wanted. Generalization and splash headlines. The opening paragraphs announce a ‘startling conclusion’ (good headline) without mentioning the the strictly limited conditions where that conclusion applies. In the opening paragraph of the original paper (accessed through the link for free) it specificly qualifies this conclusion to “consumers”. At the end of page 5, Mr. Krebs’ work is discussed, and the applicability of the conclusion is weakend (if not severed) in the case of commercial customers.

    But the authors got what they wanted… a big splashy headline, lots of press, based upon non-critical thinking by this blog.

  10. Cormac Herley
    10

    Paul, thanks for the write-up.

    Brian, I respect your work, but if you take the trouble to read the article I think you’ll find that you went off half-cocked here.

  11. Brian Krebs
    11

    Out of curiosity, why do you say I went off half-cocked? There are misleading and incorrect statements about the reality of these attacks throughout the story. I haven’t read the source article, because it requires subscribing and paying a fee to read the article, so I’m no wiser than I was yesterday about the subject of this piece. But I stand by my comments. I’m curious what exactly you take issue with in my earlier comment.

    Mules *are* the bottleneck, and there is a certain amount of intelligence to be gleaned from the money mule recruitment networks which — if properly monitored — can be invaluable sources of early warning data that give victim companies a chance to lose less than they would otherwise. But increasingly, the mules are being edged out of the game in favor of prepaid debit cards, which can be set up in advance with stolen identity data and funded with hijacked accounts. And, you can even “spend” these cards at Western Union.

Comments are closed.