Money mule scam offers CAPTCHA-protected malware
Small biz owners targeted by 2in1 scam
Fraudsters are seeking to hoodwink small business owners into signing up as money mules.
The splendidly named Megatech Service Ltd is seeking "Tier 2" payment processing agents from the ranks of small business owners, their partners, or anyone who otherwise has access to a small business banking account. Would-be marks are promised they will be handling larger transactions, and therefore have much higher weekly earnings, than run-of-mill
mules processing agents.
Earning an extra $1,500 or more per month might seem like a useful source of secondary income to hard-pressed businesses. Unfortunately the work on offer would be illegal, namely funneling money from compromised bank accounts in the US to fraudsters overseas, probably somewhere in Eastern Europe.
And, as net security firm Bluecoat notes, those who respond to the ad expose themselves to both fraud and malware.
Would-be applicants are asked to complete an online psychometric test, which actually offers Windows-based malware. Before marks can get their hands on this malicious software they are confronted with what would appear to be a CAPTCHA. However the challenge is not a genuine Turing test, because the download is then initiated irrespective of whether the surfer correctly responds to the supposed test or types in any old garbage, Blue Coat reports. The security company adds that in reality the supposed-CAPTCHA is purely there to add a veneer of legitimacy to the scam site.
Even if you don't encounter malware (Mac users are taken via a different sign-up route and not targeted for infection) having anything to do with Megatech Service Ltd – especially if this involves handing over business bank account details – is a very bad idea, Blue Coat warns.
"Needless to say, giving an external entity like this access to your business/corporate bank account is a very unwise thing to do," the security company warns, "especially since business bank accounts typically do not have the same fraud protections associated with traditional consumer accounts." ®
Unfortunately, stuff which seems like a good idea, is probably legally sketchy, and thus require some degree of grey hat involvement. That sort of thing tends to be a non-starter for financial institutions.
re:why no honeypots
I sincerely doubt that any business who wishes to engage in this type of criminal activity wishes for a "clear trail" of the transactions.
why no honeypots?
why don't banks create a set of honeypot accounts which can be used by legit customers for this sort of transaction (a unique honeypot account number given to a customer on request), that way a very clear trail of where the money came from and went to or even just holding any money transferred into those accounts until it can be returned to its rightful owners