As if money mules didn't have enough to worry about, what with the risk of not only upsetting those "using" them, but of being prosecuted for fraud, they've now got to risk failing a questionnaire and being rejected (the thought of being rejected as a money mule for not answering correctly is, simply, hilarious).
An MDL user pointed me to a few sites running the ever so popular money mule scams. These sites are used purely to recruit the mules, and to manage them (there's a members area once accepted, where the mule is permitted to upload files such as ID scans and whatnot).
There is, however, a little difference: the presence of a download;
The "download" runs the potential mule through a set of questions, to which they must provide the "correct" answers to be accepted. Once accepted, they're then sent to an acceptance page on the scammers' website.
You're also sent an e-mail telling you your registration request has been received;
This particular e-mail had the following headers;
However, this download also has a little sting in its tail: it modifies the mule's HOSTS file to include;
The sites they've chosen to block aren't particularly surprising (sorry Brian, they really don't like you), with a few exceptions: why, for example, block DomainTools when there's a plethora of alternatives? Why block delphifaq.com? Why block SiteAdvisor when there are alternatives such as Web of Trust, and alternatives from security vendors such as Norton? Indeed, why aren't they blocking any security vendors? (That in itself is surprising.)
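A HOSTS-file hijack like this one is easy to spot from the defender's side: a stock HOSTS file pins only the loopback names, so any other hostname mapped to 127.0.0.1/0.0.0.0 (a block) or to some other address (a redirect) is worth a look. The checker below is an added example, not code from the post or from the sample it describes; the HOSTS content it scans is constructed for the demo, and the domain names in it are illustrative, not the actual list written by the download.

```python
import ipaddress
import sys

# Constructed sample HOSTS content for the demo. The domains are illustrative
# examples of the kind of site the post mentions, not the actual entries the
# download writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.domaintools.com
127.0.0.1       delphifaq.com
0.0.0.0         www.siteadvisor.com
192.0.2.10      research-blog.example   # a redirect, not just a block
"""

# Names a stock HOSTS file legitimately maps to loopback.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def find_suspicious(text):
    """Return (ip, name, reason) for every entry a stock HOSTS file lacks."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in LEGIT_LOOPBACK:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "blocked (sinkholed to local host)"))
        else:
            findings.append((ip, name, "redirected to external address"))
    return findings

if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts or /etc/hosts)
    # to scan a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name, reason in find_suspicious(text):
        print(f"{ip:<16} {name:<28} {reason}")
```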
Some of the sites identified thus far include;
And the malicious files housed there;
The IP ranges they're hosted at seem to be focused on two particularly well known players in the criminal world;
AS42708 126.96.36.199/24 PORTLANE Portlane Network
AS39743 188.8.131.52/21 VOXILITY-AS Voxility SRL
Quite why Portlane still haven't been shut down is beyond me, especially given there isn't a single legit website housed over there and, to my knowledge, there never has been. Needless to say, Portlane are also heavily involved in the fake AV arena, having housed malicious goodness on virtually every single IP in the aforementioned /24, so feel free to blackhole their entire AS.
As for those of you considering a new job as a mule: is it really worth the risk of being imprisoned, away from your family, for money laundering etc.?
Few more for you ;o)
/edit 26-02-2011 19:44
The servers are extremely slow at present, so I'm struggling to grab samples, but I've been advised of 3 more of these. The URLs are in the same format as previously;