November 12, 2009 12:23 PM PST

RSA reveals details behind re-shipping scam

by Elinor Mills

RSA FraudAction Research Lab has uncovered the workings behind a recent re-shipping scam in which U.S. residents were used as mules to send goods purchased with stolen credit card numbers overseas.

The operation began a year ago and received applications from more than 1,900 people, though only 33 people were "hired," according to an RSA FraudAction Research Lab blog post on Thursday.

Laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before the scam ended earlier this year.

The operation masqueraded as a company called "Air Parcel Express," and it had an authentic-looking Web site, RSA said. However, there is a legitimate shipping firm with the same name that is completely unassociated with the scam.

The use of unwitting accomplices to re-ship items purchased fraudulently in the U.S. to other countries is not new. However, the degree to which the scammers went in creating the illusion of legitimacy is noteworthy, RSA said.

"They had a really professional, highly executed effort in recruiting the re-shippers, which is fairly novel," said Sean Brady, senior manager of identity protection and verification at RSA. "The average re-shipping campaign is based on e-mail or ads that direct people to a crude location" on the Web, he added.

Here's how the scams work. Criminals get credit card numbers through phishing, Trojan attacks, and hacking databases, like those of Heartland Payment Systems and RBS WorldPay. They use the information to make online purchases of items, typically electronics goods that they can resell at a high profit and typically purchased in the U.S., where they are cheaper.

The criminals recruit U.S. residents to receive and re-ship the goods out. Re-shippers are asked to unpack the item from the merchant's box and put it in a plain box, probably so the boxes face less scrutiny at customs, Brady said.

To find the mules, the criminals advertise on legitimate employment Web sites and on search engines. Usually, the re-shippers don't get paid as promised, RSA said.

"What's interesting is that criminals in Eastern Europe can orchestrate the campaign, recruit in the U.S., and ship to Europe without ever needing to have any level of personal contact" with the re-shippers, Brady said.

More information on how job seekers can detect scams is available from the Privacy Rights Clearinghouse, as well as Monster.com and the U.S. Federal Trade Commission.

The Web site for the re-shipping operation (shown here) looked legitimate, RSA says.

(Credit: RSA)

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Random_Walk November 12, 2009 1:12 PM PST
Odd question: what would keep someone from setting up a PO box, pretending to be a 'reshipper', then simply keep all the goodies that come through? Sure, the crims would discover it eventually, but if you rig the PO Box (or even the address of an abandoned property) in another town/county/state/whatever, they'd have an impossible time finding you, and you'd have a metric ton of free goodies before they found out they were being ripped off... *shrug*.
by SergeM256 November 12, 2009 5:30 PM PST
But if they find you ... Trying to out-crook professional crooks may be not a very good idea.
1 person likes this comment
by Random_Walk November 12, 2009 7:32 PM PST
Agreed - though they'd have to go through the trouble, then hope they can figure out who you are/were. In a big metropolitan area (say, New York City), that would be one tall order.
1 person likes this comment
by BigGuns149 November 12, 2009 10:08 PM PST
Eventually if they didn't get anything out of you they would just send their junk to a different mule.
1 person likes this comment
by mariakola November 16, 2009 10:15 AM PST
They probably wouldn't think to do this at first, since apparently the applicants believed this was a legitimate site. Doing this now wouldn't make sense -- you had just read in the news about how they were busted, so they wouldn't be available online for business any more. And if you saw a similar reshipper job in the future, would you actually want to try to scam a scammer? I suppose if you think the risk is worth it, go ahead and try..
by JiMiZnHB November 16, 2009 10:33 AM PST
SO, YOUR SUGGESTION is to JOIN the CRIMINALS...
WHAT A FREAKIN LOSER YOU ARE!!!
by wangbang November 12, 2009 1:59 PM PST
It wouldn't be "a metric ton of free goodies", it would be a metric ton of stolen goodies.
by Random_Walk November 12, 2009 7:33 PM PST
Agreed - though if you're going to fence stolen goods in the first place, I doubt you'd consider it as such for too long :/
by catbutt5 November 12, 2009 2:17 PM PST
They should start putting BIG signs at places like Western Union, the Post Office or UPS drop-off locations that say "If you're sending packages or money to places like Russia or Nigeria, be sure you know who you're sending it to because if it's later discovered to be part of a crime, and it will, YOU will be held responsible."
by pjk0 November 12, 2009 9:36 PM PST
Western Union has been an integral part of foreign financial scams for years. You would think that if they really cared, these warnings would have been around for a long time.

The fact that they aren't tells me that Western Union probably has more concern for the revenue they make on such fraudulent transactions than they have for the general welfare of the populace.
by doniel November 13, 2009 4:42 AM PST
Why would anyone want to do this without being paid?
by elinormills November 13, 2009 9:04 AM PST
They are promised payment but then the money never comes. Sorry for the confusion.