Why blocking money mule accounts doesn’t work – be aware of modern cash-out vectors 2020

23.6.2016 Research

Cash-out is one of the final stages of a fraudulent attack. Traditionally, attackers used money mules to do the dirty job of going into a bank to cash out the money that came from previously made fraudulent transactions. Cybercriminals even use tools to automate recruiting and other money mule cash-out related processes.

Introduction to Money Mule Frauds.

Banks react to the traditional money mule cash-out schemes by trying to block these malicious accounts. The legal situation varies across the globe, but the most common way to block money mule accounts is through the “Anti Money Laundering Act” valid in the given country / region.

What attackers hate most is the frustration of “not being able to perpetrate a fraud”, and even more “not being able to cash out”. What is the attacker’s next step after his precious money mule accounts are blocked?

Attackers then usually avoid traditional money mules with bank accounts and instead focus on alternative cash-out schemes and methods that cannot be dismantled so easily.

The attacker’s choice of cash-out means falls into the following areas:

  • money mule accounts and new money mule identities not previously used
  • using accounts of legitimate clients or companies to gather funds and forward them to another party that performs the final cash-out
  • using stolen funds for direct payment of goods at retail points or auctions
  • using stolen funds for direct payment of services such as:
    • buying stocks and other financial instruments
    • buying bitcoins at bitcoin exchanges
    • buying virtual / prepaid cards for various services or payment methods
    • buying services to support the fraudster’s infrastructure
    • buying / renting services as investment tools – for example hiring bitcoin mining hardware on an as-a-service basis
  • every day a new “cash-out friendly” business is created, discovered and exploited

These examples clearly illustrate that the “block the money mule’s accounts” approach does work, but only in a very limited and narrow scope and with limited potential to stop the fraud.

The reaction time is not fast enough, as a typical cash-out takes hours to days, and money mule accounts are not massively reused across distinct campaigns.

After fraudsters learn that their money mule accounts are blocked, they shift their attention to more robust cash-out strategies. An approach based only on blocking “fraudulent” or “money mule” accounts just doesn’t work.

Life and intelligence are too rich to be translated into a set of simple rules.