Analyzing Reshipping Mule Scams

Interesting paper: "Drops for Stuff: An Analysis of Reshipping Mule Scams." From a blog post:

A cybercriminal (called operator) recruits unsuspecting citizens with the promise of a rewarding work-from-home job. This job involves receiving packages at home and having to re-ship them to a different address, provided by the operator. By accepting the job, people unknowingly become part of a criminal operation: the packages that they receive at their home contain stolen goods, and the shipping destinations are often overseas, typically in Russia. These shipping agents are commonly known as reshipping mules (or drops for stuff in the underground community).

[...]

Studying the management of the mules led us to some surprising findings. When applying for the job, people are usually required to send the operator copies of their ID cards and passport. After they are hired, mules are promised to be paid at the end of their first month of employment. However, from our data it is clear that mules are usually never paid. After their first month expires, they are never contacted back by the operator, who just moves on and hires new mules. In other words, the mules become victims of this scam themselves, by never seeing a penny. Moreover, because they sent copies of their documents to the criminals, mules can potentially become victims of identity theft.

Posted on November 4, 2015 at 1:54 PM • 33 Comments

Comments

Anura • November 4, 2015 2:10 PM

There are services that score ecommerce orders to determine the likelihood of fraud. If you are buying something with a credit card associated with a Virginia address and the package is shipping to Seattle when your IP address originates from Texas, that will put the order at an elevated risk of being fraud. If you are purchasing from an open proxy and you are shipping to a freight forwarder in Florida then it is a very high fraud risk. Where I worked before, this would result in a phone call to the customer to confirm the order, and almost always this resulted in the card holder learning their credit card was stolen.

It sounds like the fraudsters are adapting, so instead of using known freight forwarders they use individuals that are not going to be detectable by the fraud detection service.

Shaftway • November 4, 2015 2:34 PM

I feel like there's opportunity here for the mules to provide fake data and skim product, or ship bricks. Not that I'm suggesting the problem needs to get worse or more complicated, but I'm curious how often this occurs.

HJohn • November 4, 2015 2:59 PM

Someone tried to scam my wife in a similar way. Of course, an obvious giveaway is it would be cheaper for a legitimate business to directly ship it to the destination, rather than paying someone to ship it again, and therefore paying shipping twice.

One takeaway from my wife's incident is the person pretended to be deaf and used a relay service to talk to her.

They also wanted to pay her $1,000 up front, but "accidentally" cut a check for $4,000 and wanted her to return the difference. At the time (and perhaps still) $3,000 was the wire transfer limit to Nigeria.

We reported them and never heard back.

Evan • November 4, 2015 3:13 PM

@Shaftway:

Part of me thinks the scammers would have a sense of "turnabout is fair play" in that case, especially since it's not actually their money that gets lost when the reshipper keeps the items. But another part of me knows how vengeful organized crime groups are, even over petty things, and having them know where you live is probably a bad idea.

Also, you're then on the hook for receiving stolen merchandise.

ramriot • November 4, 2015 3:37 PM

@Shaftway: Et-Al

There is a huge opening here for a Reshipping Mule Scam / Scam.

Buy a bunch of ID's from a carder site.

Rent a bunch of postal boxes in diverse rural locations.

Make secure anonymous contact with several of these criminal groups and register ID's Vs Boxes in as many permutations that will not quite raise suspicion.

Sit back and wait for packages to arrive, collect, repeat and when they stop coming burn the ID's.

Rinse Repeat, until no more criminals or caught by Feds.

P.S. Also make prior background deals with credit card companies to return their stuff for a reward.

Harry Johnston • November 4, 2015 4:31 PM

@HJohn: there are legitimate services that are at least superficially similar. Some vendors refuse to ship overseas, or only to certain countries, or just charge ridiculous postage fees, so you can get a US address with a service that will reship the products for you.

Of course, the legitimate services will have a building they operate from and actual employees, I'm sure they don't hire random people to work from home.

Tatütata • November 4, 2015 5:28 PM

The mule is also on the hook for the theft perpetrated on the merchant, as the goods will typically be purchased using stolen credit card details.

Since the ultimate party is out of reach, the intermediary is left holding the bag, and often indicted as an accessory.

Hundreds of cases in Germany involved retirees, welfare recipients, single moms, etc., who were allured by a great deal that appeared to be the solution to their problems. The ultimate destination is typically places like Russia or Belarus.

When they finally wake, they realize that they are even deeper in the doo doo than before.

ianf • November 4, 2015 6:01 PM


@ Anura, those services of yours that score ecommerce orders to determine the likelihood of fraud are NOT part and parcel(sic!) of ecommerce sites' ordinary SecOps?

I would have imagined that this simple "geo-triangulation" of an incoming order's IP with the card holder's card-connected (by the issuer pre-vetted) address, and the shipping address should be the default threshold for validating a sale. After all, even if they are insured against fraud (or are they?), the ecommerce sites don't need the bother of accepting stolen credit cards, talking to lawyers, etc. So it's prudence and due diligence that ought to rule in the clearance departments there every day!

(Add to that historical record, if the card#, IP#, and ZIP# have previously been used singly or in any combination thereof, and we're already at another security level.)

What surprises me the most, however, is that there even are people (in the USA) who don't automatically smell a rat when asked to supply their photo IDs to wholly unknown, invisible "employers" on the strength of a promise of earning a buck. Presumably wired to the bank account # they also supplied? Have these mules never heard of Skype? (real mules are stubborn but not stupid).

Just as there are Darwin Awards, there also should be Gullibility Sweepstakes… judging by these reshipping mules, I'm sure we'd never run out of nominees.
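The scoring Anura describes and the order history ianf suggests adding to it can be sketched as follows. This is an added example, not part of any comment and not any vendor's product; the field names, weights, thresholds and the forwarder list are assumptions, and the address-velocity rule goes beyond the comments to cover the case Anura raises where a private address is on no forwarder list.

```python
"""Order risk scoring: geographic mismatch signals plus order history."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder entry; a real list comes from a maintained feed.
KNOWN_FORWARDERS = {"100 example freight way, miami, fl"}

# Illustrative weights and thresholds (assumptions; tune on labelled orders).
WEIGHTS = {
    "ship_ne_billing": 20,        # shipping region differs from card's billing region
    "ip_matches_neither": 20,     # IP geolocates to a third region
    "open_proxy": 30,             # order placed through an open proxy
    "freight_forwarder": 30,      # destination is a known forwarder
    "address_card_velocity": 40,  # several different cards ship to one address
}
REVIEW_AT, HOLD_AT = 40, 70


@dataclass(frozen=True)
class Order:
    card_id: str           # opaque card token, never the card number itself
    billing_region: str
    ship_address: str
    ship_region: str
    ip_region: str         # region the client IP geolocates to
    ip_is_open_proxy: bool = False


def normalize_address(addr: str) -> str:
    """Lower-case and collapse whitespace so trivial variants compare equal."""
    return " ".join(addr.lower().split())


class OrderScorer:
    """Scores orders and remembers which cards shipped to which address."""

    def __init__(self, max_other_cards: int = 2):
        self.max_other_cards = max_other_cards
        self.cards_by_address = defaultdict(set)

    def score(self, order: Order):
        addr = normalize_address(order.ship_address)
        reasons = []
        if order.ship_region != order.billing_region:
            reasons.append("ship_ne_billing")
        if order.ip_region not in (order.billing_region, order.ship_region):
            reasons.append("ip_matches_neither")
        if order.ip_is_open_proxy:
            reasons.append("open_proxy")
        if addr in KNOWN_FORWARDERS:
            reasons.append("freight_forwarder")
        # History signal: a home address that has already received goods
        # bought with several other cards looks like a reshipping drop.
        others = self.cards_by_address[addr] - {order.card_id}
        if len(others) >= self.max_other_cards:
            reasons.append("address_card_velocity")
        self.cards_by_address[addr].add(order.card_id)
        total = min(100, sum(WEIGHTS[r] for r in reasons))
        return total, reasons


def decide(total: int) -> str:
    """Map a score to an action; 'review' means call the cardholder."""
    if total >= HOLD_AT:
        return "hold"
    if total >= REVIEW_AT:
        return "review"
    return "accept"


if __name__ == "__main__":
    scorer = OrderScorer()
    # Constructed sample orders mirroring the cases in the comments.
    samples = [
        Order("card-A", "VA", "1 Pine St, Seattle, WA", "WA", "TX"),
        Order("card-B", "VA", "100 Example Freight Way, Miami, FL", "FL", "TX", True),
        Order("card-C", "OH", "12 Oak St, Dayton, OH", "OH", "OH"),
        Order("card-D", "TX", "12 Oak St, Dayton, OH", "OH", "TX"),
        Order("card-E", "CA", "12 Oak St, Dayton, OH", "OH", "CA"),
    ]
    for o in samples:
        total, reasons = scorer.score(o)
        print(o.card_id, total, decide(total), reasons)
```

Legitimate cross-border buyers also trip the mismatch signals, which is why the middle band routes to a confirmation call rather than a rejection.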

Anura • November 4, 2015 6:39 PM

@ianf

Smaller ecommerce sites often do no fraud checks. A lot of them are run by people in their living room acting as a middle man - all the fulfillment is handled by a drop shipper; usually these people pay $20-$50 per month for a canned solution. I worked for a company with hundreds of millions of dollars in sales that didn't really do fraud checks either. Order came in, card was charged, order got sent to fulfillment center. Visa and MasterCard eventually started threatening to stop accepting charges unless they got their act together due to the high fraud rate, however, and I recommended one of those fraud detection services but left before anything else happened.

godel • November 4, 2015 6:45 PM

"A cybercriminal (called operator) recruits unsuspecting citizens..."

I wonder how unsuspecting most of them are, or do they just think that they can get away with it?

Gweihir • November 4, 2015 7:05 PM

There are still people falling for this? And, I assume, for the "financial agent" variant as well? Fascinating.

It may be a good idea to teach about these things in school. Maybe that would cut things back.

Nick P • November 4, 2015 7:44 PM

@ Gweihir

I've always argued for critical thinking classes to spot fallacies or deception at middle school or earlier. I think the authoritarian nature of the school system (and most parents) is the main obstacle. I know from experience that most don't like kids questioning what they dictate as truth or rules. Things might be a lot better if people get constant experience with that, though.

Statistics, too. I'm talking easiest way to learn it possible, practical uses for it, use of "How to Lie with Statistics," and practice examples spotting it. Critical given how much is supported by use and abuse of statistical claims.

EvilKiru • November 4, 2015 8:45 PM

@Nick P: But then the kids might figure out how pointless all those standardized tests are!

Clive Robinson • November 4, 2015 9:23 PM

@ Gweihir,

It may be a good idea to teach about these things in school. Maybe that would cut things back.

I doubt it.

As @Nick P notes critical thinking can be taught, but it probably will not get used outside the class room, by those that fall for this.

It is a two stage problem. Firstly "re-shipping" like "Post Office Boxes" etc do have quite legitimate reasons to exist. Secondly as evidenced by people who get into debt via credit cards there is a degree of self deception.

The person sees a goal or reward for activity. That is money or income for what is a fairly menial task, that can be done at a convenient time for them (like Avon and other catalog door to door sales reps).

Because of the existence of legitimate business, they see the goal and then by simple self deception in their mind they see the business as legitimate.

Nearly all scams use the "legitimate" and "self deception" steps, but then so do quite a few businesses, only they call it "marketing" or "gambling".

In the UK a few years back was the "Franchise Scam", somebody realised you could put a "business plan" together give it a fancy name and logo and sell it as a "Franchise". Often it was for leading edge products of the time (such as filling chips in car body work and wind screen glass). One such series of scams was to "sell equipment" to do such work at "value added pricing". Effectively you purchased a couple of container loads of equipment from the Far East stuck your own logos on it and "sold it on" not at a reasonable mark up but at an eye watering mark up because you sold it as part of a "Franchise"... At the end of the day what you were paying for was the self delusion of being your own business man. You had paid up to fifty times the value of the equipment and got a couple of A4 folders of paperwork telling you how to sell yourself.

A similar but more mundane scam are the "self improvment" courses.

At the end of the day selling product is often based on "selling a need" that is you find people and by way of their self deception you make them think your product will solve the problem you told them they have got. Often it's a problem that they did not know beforehand they had (nor did anyone else for that matter)... You see the likes of the high end "Consultancy Firms" do this all the time, they come up with some fancy business plan, give it a fancy name train graduates and the like up in it and then send them out to see any problem a business might have through the "rose tinted glass" of the business plan... The fact that more than half the businesses are back again within a couple of years gives you an idea of just how effective these business plans are in many cases (or how gullible the owners / operators of the business are).

The reason the consultants get away with it is for the same reason "Nobody got fired for buying IBM".

ianf • November 4, 2015 11:39 PM


@ Tatütata […] “Hundreds of cases in Germany involved retirees, welfare recipients, single moms, etc.,”

Are you talking of 100s over time, say a decade, or clustered in place around some particular "business concept," or a get-rich-quick-no-investment-down-idea? (akin to now-and-then emergence of Ponzi pyramid schemes). If the latter, perhaps it even had some "name-gate" to it, that could be searched for. I am not questioning your assessment, have of course heard of various mail frauds & scams afoot in Western Europe, but not in the 100s. So I wonder if Germany and the UK (where most cases I read of took shape) are more affected because of their languages, also spoken by the Russkiye "operators."

OT—scams I've come across

One such repeating every few years involves marketing of a New! Amazing! type of shaving foam and/or laser-edge razor blades. The (usually older) mark who expressed an interest via an ad, or at some market fair, is sent a small can of foam and 2-3 blades to evaluate, not realizing that unless he sends back the accompanying small-print coupon explicitly declining further service VIA REGISTERED MAIL, he has agreed to expensive every-three-weeks delivery of (not worthless but vastly overpriced) product contract, which costs money to oppose in court. So he accepts the first shipment on penalty for non-payment while he tries to wiggle out of the deal not realizing that it will be used against him in court—how was the company to know what the customer wanted when in response to vast demand it already ordered a container ship's worth of said high-value products?

Another scam, which thankfully sank without a trace, was an Irish(?) expat company selling "turf roofs" for garages, car ports, etc., on which a variety of flowers and herbs could be cultivated. Its novelty was that it rested on an airing layer of "wooden pulp foam", and, as it was relatively inexpensive per meter square, people bought it not realizing that it required either replacing the roof substrate, or a permit from their area villa association, which was seldom to be had. Also harvesting of herbs etc @ 2.5m height is not for everyone. Not to mention inability to shovel snow away without destroying the roof garden. So most of it ended up as mark-bound cultivation patches, not a bad thing in itself, but available otherwise at half the price.

tyr • November 5, 2015 1:11 AM

I keep wondering how this interfaces with online taxing schemes. If you're receiving the goods do you get taxed for them under the local tax laws? If not how do you prove you didn't have to pay the taxes? It looks like you get burned again by your tax authority as well as not getting paid and become guilty of criminal collusion for the crime of wanting to do a bit of work.

I always was leery of roof gardening schemes because wet mud weighs a lot more than dry soil and seemed like a perfect way to collapse the building. The quake death tolls in areas with mud roofs are far too high for comfort. We've had a few flat roofed places' roofs fall in because the drains got plugged and the water weighed too much for the structure to hold up.

Rob • November 5, 2015 3:26 AM

Anura, ianf:

I have a UK credit card, am resident in France and have children who live in Australia and Canada.

You've explained why the magnificent eCommerce system causes me teeth-grinding, hair-pulling frustration when I want to buy birthday or Xmas presents from local vendors in Australia and Canada and have the gifts delivered. Or even, come to that, buy ferry tickets to get back to the UK, or a restaurant meal in a town that I visit for the first time.

Armelio • November 5, 2015 4:40 AM

@ Clive Robinson "You see the likes of the high end "Consultancy Firms" do this all the time, they come up with some fancy business plan, give it a fancy name train graduates and the like up in it and then send them out to see any problem a business might have through the "rose tinted glass" of the business plan..."

There's a bit more meat to the bones than "rose tinted glass" as much of the push and pull is assisted by legislation requirements. There are mountains of paper work and processes to comply, most of which lack such expertise in house. These consultancy groups have primarily the rogues who settled in then form so called expert networks to provide top dollar tips as the well connected game the system that feeds it and then over again. These types of activities churn both money and products, as in gross domestic products.

The big five or seven are like grease that goes on the nuts and bolts of the economic wheel.

John Galt IV • November 5, 2015 6:26 AM

this seems to be tangentially related. from the brilliant daily news compendium

http://www.nakedcapitalism.com/2015/11/200pm-water-cooler-1142015.html
...
“How do fraudsters ‘cash out’ stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder” [Krebs and Security]. Amazingly intelligent, especially (I assume) for the non-credentialled.
http://krebsonsecurity.com/2015/11/how-carders-can-use-ebay-as-a-virtual-atm/

Slime Mold with Mustard • November 5, 2015 6:37 AM

@ Clive Robinson
"A similar but more mundane scam are the 'self improvment' courses" (spelling is authentication).

Perhaps too early after a hard night, but my mind leapt to a popular American fleece called "University".

JB • November 5, 2015 7:29 AM

I love the solution mentioned in the article, where the small business has data fields on its order form invisible to humans, and screens out any orders with data inputs in those fields.

That seems quite clever.

Adam • November 5, 2015 10:21 AM

If someone is gullible enough to apply for a "job" of receiving and sending mysterious packages from their home address then they're gullible enough for other cons including identity theft.

I'm sure the thieves know that. They also know that if the penny drops and the person realises they're handling stolen goods that they're unlikely to complain to the police about it.

ianf • November 5, 2015 12:44 PM


@ John Galt IV […] “Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.”

My, such a convoluted, multi-level scam to get at the cash… those criminals really have to work for "their" money ;-)) But also quite a financial forensic trail left behind.

Reminds me of those cash-in-hand Starbucks robbers serving coffee caper, now perfecting that craft, hickory latte with spit, in a penitentiary. Hard workers always get hit the hardest!

In related Internet scams news, this just off the newswire: 300 tickets to rapper "50-cent's" coming weekend's concert bought with stolen credit cards (~€33.000 worth, numbered e-tickets sent to several mail addresses for printing out), then presumably resold on social media, have been cancelled by legit ticket sellers. Also a large electronic footprint left behind. The concert organizers had better equip the rapper's crew with some heavy ordnance however to stave off really pissed off they-paid-for-it-innit-customers.

[…] tangentially related from the brilliant daily news compendium

Leave pronouncements of tangentiality to those of us who are Tangent-Certified. Yours was near the very core in this context.

ianf • November 5, 2015 3:21 PM


@ tyr wonders how do [legit] deliveries interface with online taxing schemes. If you're receiving the goods do you get taxed for them under the local tax laws?

Depends whether you're talking of deliveries within-US-states; within-EU; EU-to-non-EU-but-still-Europe (+ Turkey & Israel); or other combinations thereof. USA has differing local sales taxes, at one time so divergent that there was, probably still is, an Apple reseller in New Jersey that delivered a laptop to this tourist in Manhattan for $50 extra, but with so much lower sales tax, that I still was $150 ahead (I could've bought it for export with paperwork stamped at JFK, then the whole sales tax claimed back from the seller, and waited for refund, but this method WAS simpler). They would not deliver anywhere north of W. 106 St., however ("redlining").

The EU has abolished inside the union customs duties, but kept usually far higher than that VAT charges. One pays it acc. to the seller's national rates, and that's it. Hence any pricy item bought from e.g. Amazon in lower-VAT jurisdiction and shipped to higher-VAT one can end up far cheaper if procured this way.

Things get complicated when getting goods from e.g. non-EU Switzerland to EU. Then they get classified acc. to arcane trade exchange rules which stipulate in advance the target import-export balance between individual state trade partners. The paperwork is considerable (my sole experience of that is >10 years old, however).

Further afield, I bought some stuff from https://brando.com in Hong Kong (<€50). It only cost $3 to ship, no other charges, and the package was posted in the UK, so apparently they first air-freighted it in bulk to the EU.


[…] I always was leery of roof gardening schemes because wet mud weighs a lot more than dry soil and seemed like a perfect way to collapse the building.

I never bought into it but was given to understand that the somehow bio-(algae?)-impregnated airy wooden, light substrate was supposed to replace the soil layer. Anyway, roof gardens, if done right, can work wonders… know a guy who swears by his outdoor latrine overgrown and surrounded by some thorny smelly bushes that supposedly keep flies at bay.


@ Rob, the grinding of teeth you undertake when engaging in ecommerce from faraway/ unusual places, is nothing compared to that which you'd have to endure had your card been hijacked and abused for large sums. Credit card companies will always first try to pin it on the easiest mark, even if you already reported loss of card, or suspected breach to the police, and they in time confirm that you were the victim of a fraud (usually there are more than one). So don't get mad. There also are ways to mitigate that happening, but think first if you really want to remove such thresholds.

Your CC-issuer may have a reciprocal agreement with specific banks etc in the regions of your interest, thus able to issue you a variant of the same card that'll be good without fail in more than one place. Talk to the issuer's security dept. (sending them a snail mail letter—a novelty these days!—should get their attention to call you back on their dime, and they're always glad to break the daily tedium. You will be the antidote ;-))

Finally, a tip: when traveling to faraway not-too-friendly places, where you might get robbed of your belongings, ask the issuer for an emergency second, different number card in advance. Learn the cancel-CC telephone numbers by heart. Prime the alt.one first, then glue it into e.g. the sole of a sandal (glue in another placebo plastic into the other one, so they feel the same). Just in case.

ObApocryphalCautionaryTale: a Westerner worried of being held up in border regions of Laos/ Thailand hid credit cards among orange-peel, etc. in personal garbage plastic bags on busses, only to once turn his eye away just when some ticket mama decided to tidy up, and he had to dive into a dumpster to retrieve it—BIG APPLAUSE ROUND EYE CLEVER DEVIL.

Orange • November 5, 2015 5:43 PM

@ Armelio
The big five or seven are like grease that goes on the nuts and bolts of the economic wheel.

Consultancy goes beyond that of borders. They're on the forefront of manufacture / service / innovation outsourcing over the past few decades when it was deemed healthy for profits and to our benefit of geological hegemony aka exporting the american dollar. The large firms, more than five or seven, have footprints all over the world, operating and entrenched in not only cross border trade but also in local politics. It isn't just the wheels of our economies that they are trusted custodians. It's the wheels, tires, and the roads that we run on. Thus the tired old cliche in software of 'coding is the easy part' because you gotta get them to use your codes where you want them.

Nostril32 • November 6, 2015 12:13 AM

@Clive

"At the end of the day selling product is often based on "selling a need" that is you find people and by way of their self deception you make them think your product will solve the problem you told them they have got. Often it's a problem that they did not know beforehand they had (nor did anyone else for that matter)... "

Sounds like the medical profession. Create a disease or make innocuous values "abnormal" and then convince people they need medications for the rest of their life.

Armelio • November 6, 2015 12:47 AM

@ Orange, Nostril32 "It isn't just the wheels of our economies that they are trusted custodians. It's the wheels, tires, and the roads that we run on."

If you're talking about rules, I'm sure we all like to play by the rules and expect others to do so, but now the question becomes whose rules do we play by. There are no rules of engagement that aren't liked by the aggressor, provided that it abides by the aggressor. The legal think game is akin to playing a chess game in which your opponent constantly changes the rules to suit his likings. If you can overcome that type of game handicap, you will find the gamesmanship it takes to win the game, but very few do.

herman • November 6, 2015 8:34 AM

'There is a sucker born every minute', is unfortunately true.

However, no matter how corrupt things are, our civilization relies on trust. We trust that the Post Office will deliver a letter. We trust that the energy company will not let our freezers thaw. We trust that the oncoming traffic will stay in their lane. We trust that our water and food aren't poisoned.

The problem with the ubiquitous surveillance, is that it undermines trust in our security services and thereby makes them less effective.

herman • November 6, 2015 8:49 AM

@Rob
"I have a UK credit card, am resident in France and have children who live in Australia and Canada."

I can relate to that. The only credit card company that understands my problem is Amex. Any other CC gets cancelled as soon as I try to use it and calling them before I travel doesn't help. Apparently, it is extremely suspicious to be a 'world citizen' who lives on four continents, but there are millions of people who do.

Orange Juice • November 6, 2015 4:35 PM

@ herman
"The problem with the ubiquitous surveillance, is that it undermines trust in our security services and thereby makes them less effective."

As the common man knows already, surveillance is most effective when secretly, unbeknownst, or placed under a false sense of security. Thus the likes of visible camera as deterrence while the hidden cams monitor the secrets. Though the psychology of surveilled is useful to shape the subjects behavior, there are almost always a large number who are courageous, or dumb, enough to fall for the visible ones en masse.

Which brings us to the fourth common misconception. Those who advocate trust invariably have an interest in yours. The missing piece to game theory is that every body has his own agenda, including the game itself. There can be no independent system, third party, nor the scrupulous umpire, because every body is a stake holder.

Peter • November 7, 2015 8:34 AM

I get offers for these kind of jobs every so often because of posting my resume on sites like dice and careerbuilder.

One recent email with this kind of offer said:

Because of fast-growing market conditions, we would like to offer you a position of Transportation operations Supervisors in our new personalized logistics program.
We are devoted to provide the best-in-business logistics services for our customers outside of the USA.
We deliver correspondence and packages worldwide, directly to specified address.
Our team is a full service transportation company known for providing personalized, end-to-end transportation, logistics, and warehousing services to our clients in Eu and US.

John Hardin • November 9, 2015 5:15 PM

@armelio:

The big five or seven are like grease that goes on the nuts and bolts of the economic wheel.
...so that the wheels come off more easily?

John Clark • February 18, 2017 9:31 AM

Company called US Trading and Logistics Corp out of Miami, Florida is the latest operator of this scam. Someone using the name Marisha Katz, Manager of operations
US Trading and Logistics Corp,
7235 NW 54th St
Miami, FL 33166
305-203-3947
mkatz@ustradinglogistics.com

is just one operator of this scam. Claims company offers reshipping services to clients overseas in order to help save on customs fees. They look legitimate on the outside but everything about her or anyone related with this company is a scam.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.