Money mules wanted

Reading about people unwittingly becoming money mules for cybercriminals, a lot of people wonder if they would be able to spot if the offer they received or searched for is illegitimate.

F-Secure shows us an example (or three) of a mule recruiting campaign – a website purporting to be the official page of Finha Capital, a Finnish company offering financial services:

The page is a fake but looks pretty credible, and the criminals are taking advantage of the established brand to fool people. Those who might be a little skeptical and might want to do a little background search, following the name will lead them to this entry in the business register:

Reassured that it’s not a company that sprung up a month ago, the potential mule is more likely to decide to apply for the job.

Interestingly enough, the exact same page layout, design and content is also used under two additional company names: Bin Finance and Contant. The only difference is in the company information section, where the address is changed to match that of the legitimate company.

As it turns out, a little probe into IP addresses reveals that two of the domains used are hosted in Russia, and one in Ukraine.

Also, an email claiming to come from a large Nordic bank and offering an “Account Coordinator” position to the recipients was spotted doing rounds of inboxes last week. As it says in the message, the main task of an account coordinator is to collect payments from the bank’s customers in the US.

A quick whois search against the domain (nordea-security.com) demonstrates that the contact email of the registrant is hosted on yahoo.com – a big warning sign that this is a scam.

So, what do you think? Would you fall for it? I must admit that the second example seems fishy right of the bat, but the fake website would not ring any bells at first.