Why blocking Money mule accounts doesn’t work – be aware of modern cash-out vectors 2020

Cash-out is one of the final stages of fraudulent attacks. Traditionally attackers used money mules to perform the dirty job of going into a bank to cash-out money that came from previously made fraudulent transactions. Cybercriminals even use tools to automatize recruiting and other money mule cash-out related processes.

Introduction to Money Mule Frauds.

Banks react to the traditional money mule cash-out schemes by trying to stop them, by trying to block these malicious accounts. The legal situation varies across the globe, but the most common way to block money mule accounts is through the “Anti Money Laundering Act” valid in the given country / region.

What attackers hate most is the frustration of “not being able to perpetuate a fraud”, moreover “not being able to cash-out”. What is the attacker’s next step after his precious money mule accounts are blocked?

Attackers usually avoid using traditional money mules with banking accounts, instead, they focus on alternative cash-out schemes and methods that cannot be so easily dismantled.

The attacker’s choice of cash-out means are in the following areas:

money mule accounts and new money mule identities not previously used
using accounts of legitimate clients or companies to gather funds and to forward them to another party to perform final cash-out
using stolen funds for direct payment of goods at retail points or auctions
using stolen funds for direct payment of services such as:
- buying stocks and other financial instruments
- buying bitcoins at bitcoin exchanges
- buying virtual / prepaid cards for various services or payment methods
- buying services to support the fraudster’s infrastructure
- buying / renting services as investment tools – for example hiring bitcoin mining hardware on an as-a-service basis
each day new “cash-out friendly” business is created, discovered and exploited

These examples clearly illustrate, that “blocking the money mule’s accounts approach” does work but in very limited and narrow scope and with limited potential to stop the fraud.

The reaction time is not quick enough as typical cash-out takes from hours to days, and money mule accounts are not massively reused through distinctive campaigns.

After fraudsters learn that their money mule accounts are blocked, they shift their attention to more robust cash-out strategies. The approach based on blocking of “fraudulent” or “money mule” accounts just doesn’t work.

Life and intelligence are too rich to be translated into a set of simple rules.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.