Money mules are an essential and often overlooked part of financial theft and malware rings. Even after a successful theft, the attacker still has to move the money into an account he controls without revealing his true identity or location. This is where the money mule comes in. In short, the mule acts as a middleman in the transfer of the stolen funds: the victim's money lands in the mule's own account, and the mule forwards it on, usually keeping a commission. In a bit of a twist, the money mule is often unaware that they are facilitating a crime. Hackers will go to great lengths to create fake companies for the sole purpose of recruiting unsuspecting money mules as "employees".
As part of our ongoing security and malware research we continually track these money mule scams and the so-called fast-flux domains that cybercriminals hide behind.
Previously, we had identified a site used to recruit money mules using the domain DeltaFG.com, which ultimately disappeared in early March of 2011. Recently we found a very similar site using the domain ADYfinance.com. At first glance the site appeared legitimate. It had a professional design, well-written text and all links worked normally. However, the deeper we dug, the more things looked amiss. First, looking up the address given for the company headquarters revealed that it was actually a gas station in Australia and not a financial company. Secondly, the address listed for the registrant of the domain simply did not exist at all.
At this point our suspicions were raised, but we still had not found the smoking gun that would identify the site as a money mule recruitment front. I began to wonder if ADYfinance.com was related to the DeltaFG.com site we had seen during our previous research. During the DeltaFG investigation, we had found the employment agreement on the site at http://deltafg.com/FundsTransferAdministrator.pdf. On a hunch, we checked the same path on the ADYfinance domain, which, lo and behold, returned the same employment agreement we had seen earlier. A byte-identical document at an identical path is a far stronger link than a similar look and feel, since page templates are copied freely but a specific contract document is not. Now we knew the two sites were connected, with ADYfinance being the latest face of the scam.
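The pivot described above, reusing a known artifact path to test whether a new domain is the same operation, is easy to automate. The following is an added example and not code from the original post or from Palo Alto Networks: the PDF bytes are a constructed stand-in for the real employment agreement, the responses are canned so the script runs offline, and every domain other than deltafg.com and adyfinance.com (the `.example` hosts) is an assumption used to show the negative cases. The point of hashing the body, rather than checking only for a 200 status, is that many hosts answer every path with their home page and would otherwise produce false links.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for the employment agreement served by the first domain.
# The real PDF is not reproduced here; any byte string works for the comparison.
KNOWN_ARTIFACT = b"%PDF-1.4\n% constructed sample: Funds Transfer Administrator agreement\n"
ARTIFACT_PATH = "/FundsTransferAdministrator.pdf"

# Constructed responses standing in for live HTTP fetches.  None means the
# server returned no usable body (404, connection refused, timeout, ...).
# The .example hosts are hypothetical; only the two .com domains are from the post.
FAKE_RESPONSES: Dict[str, Optional[bytes]] = {
    "http://deltafg.com/FundsTransferAdministrator.pdf": KNOWN_ARTIFACT,
    "http://adyfinance.com/FundsTransferAdministrator.pdf": KNOWN_ARTIFACT,
    "http://legit-lender.example/FundsTransferAdministrator.pdf": None,
    # A host that answers every path with 200 and its home page: the classic
    # false positive if you only look at the status code.
    "http://catchall.example/FundsTransferAdministrator.pdf": b"<html><body>Welcome</body></html>",
}


def fake_fetch(url: str) -> Optional[bytes]:
    """Offline fetcher over the constructed responses above."""
    return FAKE_RESPONSES.get(url)


def http_fetch(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """Live fetcher for real use.  Run it only from an isolated analysis
    network: the targets are criminal infrastructure and may log visitors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (OSError, ValueError):  # URLError/HTTPError subclass OSError
        return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_linked_domains(known_artifact: bytes, path: str,
                        candidates: Iterable[str],
                        fetch: Callable[[str], Optional[bytes]] = fake_fetch) -> List[str]:
    """Return the candidate domains that serve a byte-identical copy of
    known_artifact at the same path.  Hash comparison, not HTTP status,
    is what rules out wildcard-200 hosts."""
    reference = sha256_hex(known_artifact)
    linked: List[str] = []
    for domain in candidates:
        body = fetch(f"http://{domain}{path}")
        if body is not None and sha256_hex(body) == reference:
            linked.append(domain)
    return linked


if __name__ == "__main__":
    suspects = ["adyfinance.com", "legit-lender.example", "catchall.example"]
    print(find_linked_domains(KNOWN_ARTIFACT, ARTIFACT_PATH, suspects))
```

To use this against live infrastructure, pass `fetch=http_fetch` and the real bytes of the previously captured document; an exact hash match is strong evidence of a shared kit, while a near miss (for example, the same PDF re-saved with a new company name) needs manual comparison rather than a hash.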
We quickly updated our URL filtering database to reflect the site as part of a scam, and Palo Alto Networks customers are protected today.