Deep Inside a Reshipping Scam: Mules Victimized by "Air Parcel Express"

by RSA FraudAction Research Lab on 11/12/2009

Since last fall the RSA FraudAction Research Lab has tracked several different reshipping scams engineered by online fraudsters to “Cash Out” merchandise purchased using stolen payment cards through the involvement of mules. We will profile one such scam in-depth – Air Parcel Express –that was discovered by RSA. First we will outline who is involved in a reshipping scam and how they generally operate.

The Cast of Characters Involved in a Reshipping Scam:

1. Scammers are fraudsters who run a reshipping operation. They recruit unsuspecting individuals who work as Mules, also known as Reshippers and impersonal terms like Drops or Item Drops.
2. Scammers sell merchandise that has been purchased online by their Customers (other fraudsters) with stolen payment cards. The stolen payment cards are collected via scams such as phishing, Trojan attacks, and hacked merchant databases. The action of buying good online using stolen card details is called “carding”.
3. Scammers resell the items within their home country. The profits are split through between them and their Customers. The Customers are the original carders who bought the goods online.

How a Reshipping Scam Generally Operates:

1. Mules are hired by Scammers through legitimate channels like popular employment websites and search engines. The deceiving jobs can be enticing – especially in this economy – through promises of flexible work-at-home jobs with good pay. Scammers employ websites which are typically designed to look like a legitimate import/export firm looking for new hires (See Figure 1). In many cases mules have no idea who they are working with, or that what they are doing is illegal.
2. Fraudsters, the Customers of the reshipping service, go online and purchase expensive merchandise. The carded merchandise is shipped to a specific mule’s home address. These mules are assigned to each Customer.
3. The hired mule reships the goods to the native country of their “employer” where that fraudster or his accomplice lives. While mules are supposed to receive a small commission from each shipment, they often do not.
4. Reshipping is the process of unpacking the delivery with a merchant’s brand on it, repacking it into a new, plain box, and shipping it to their “employer” in another country. Reshipped merchandise includes popular laptops, smartphones and other valuable items that are in high demand and, thus, easier to sell.
5. Once the Scammer receives the merchandise from the mule, they sell it or auction it off for cash. Proceeds are then split between the Scammers and their Customers. 

E-commerce Fraud and the Need for Mules
In order to successfully purchase (“card”) expensive merchandise with stolen payment cards and later sell for cash, fraudsters have to ensure that the mailing address matches the billing address. This obstacle is usually easily overcome by changing the billing address of compromised cards to the addresses of their hired, pre-assigned mules.

Another challenge for fraudsters in managing a successful reshipping operation is obtaining a seemingly innocuous “drop” address where mules dwell. The most effective way to overcome this challenge is to recruit and hire mules that live in the United States. The United States is a strategic location for fraudsters in which to base their reshipping scams as many major online merchants who sell popular high-value goods do not ship their items outside of that country.

Air Parcel Express: Deep Inside a Reshipping Scam

The RSA FraudAction Research Lab uncovered the true inner-workings of Air Parcel Express – a large scale, centralized, reshipping service operated by criminals. The Lab researched and gathered information regarding its operation, the details of which are revealed here for the first time. We hope this information will help Internet users and the security community better understand this threat and the mechanisms behind it.

The reshipping scam used a legitimate looking website to recruit drops. As shown in Figure 1, the website designed by the criminals behind the operation was meant to lend credibility to a fictitious shipping company, Air Parcel Express, Inc. The website featured in Figure 1 is no longer active. This was never a legitimate firm.

Please note: There is a legitimate, accredited shipping firm based in Miami, Florida named Air Parcel Express or “APX”. APX is in no way associated with the fraudster’s fake company profiled in this blog that used the same name for the handful of months in which it was operational.

Figure 1: AirParcelExpress.net 's Homepage (Image provided by RSA FraudAction Research Lab)

Click to view figure 1

The job opening that was designed to hire mules appeared in the “Careers” section of the site and was listed under “Correspondence Manager”. That listing (see Figure 2) included Core Responsibilities, Personal Qualities, Requirements and Working Conditions.

Figure 2: The “Correspondence Manager” Job Description on AirParcelExpress.net (Image provided by RSA FraudAction Research Lab)

Click to view figure 2

Candidates who applied for this job were requested to send their personal details to the Scammers behind the Air Parcel Express reshipping operation. RSA’s data shows that more than 1,900 people sent their applications to the Scammers, out of which only thirty-three people were ‘hired’ for the job. “Job” applications first appeared in September 2008 and the scamming service rolled out in mid-November. New mules were still being hired at the end of 2008.

Why would so many people apply for the Air Parcel Express “job”? Many Internet users are not well aware of scams like these, and just see them as an opportunity for relatively easy money. For example, there are some telltale signs on the fraudster-designed Air Parcel Express homepage that may not be obvious to some people. This includes:

• The copy written in English is not very good, and there is too much of it
• A new warehouse is noted in Latvia, a country where fraudsters often dwell
• Key words like “residential delivery”, “intermediary”, “EBay” and “create an illusion”

There are some murky details around how mules are paid (or not paid) for their efforts. Mules may be told by their Scammers that they will be paid after a full month’s work. In this case they agree to reship during that time but eventually their “boss” stops answering their emails. Some mules may receive some money from time to time, but it is much more likely that most of them never get paid at all. RSA’s data has shown that many people realize they are involved in a scam after reshipping only a few packages.

The Air Parcel Express Management Tool and its Day-to-Day Operations
While “AirParcelExpress.net” was the front-end to what is meant to look like a legitimate business, a management tool located on another website served as its back-end operation. The management tool enabled the Scammers to manage the mules they recruited and also provide their Customers with the ability to track the merchandise they had previously carded as well as the mules they are assigned to carry out the rest of their operation.

After a Customer signed up for the reshipping service, he could log in to the management tool using a username and password. RSA is aware of at least twenty-five Customers that registered for the service. After registration, every Customer is assigned one or more mules – in some cases up to twenty mules at a time. At the time of the analysis of this particular reshipping scam, 20 mules (drops) appeared to be active. (See Figure 3)

Figure 3: The Database of Active Mules “working” for Air Parcel Express (Image provided by RSA FraudAction Research Lab)

Click to view figure 3

Reshipped Merchandise
The reshipped items listed in the Scammer’s management tool included:

• Laptops from leading manufacturers
• Apple iPhones and Nokia smartphones
• Cameras made by Canon, Nikon, and Kodak
• Sony PlayStation 3
• Pioneer and Technics DJ mixers and equipment
• Apple iPods
• Other items outside the realm of electronics

We could not exactly ascertain the value of the reshipped merchandise through Air Parcel Express but we can make some rough estimates:

• If most of the Customers follow the classic 30/70 split of the profits offered by the Scammers, about USD$ 6,000 was paid to nine fraudster Customers.
• This represents approximately one-third of the total merchandise value; just over USD$18,000.
• Since it can take up to two weeks to card an item to a U.S. address and then have it reshipped to another country, RSA estimates that over USD$36,000 worth of merchandise was cashed out every month during its operation.

The mules recruited by the Scammers behind Air Parcel Express reshipped the merchandise they received to addresses in Russia and Belarus. The recipients were either the Scammers themselves or accomplices who received packages on behalf of the Scammers. Again, after the packages reach their destinations, the merchandise they contain was likely resold on auction websites like eBay and through other means and the Scammers forward a pre-determined share of the proceeds to their Customers.

The RSA FraudAction Research Lab based at the RSA Anti-Fraud Command Center openly shared all data related to the discovery of the Air Parcel Express reshipping operation to the proper law authorities in the U.S.

Reshipping Services Offered to “Customers” Through a Fraudster Forum

So how do Customers of such re-shipping services learn about them? These services are advertised through fraudster underground forums where they cannot be seen by legitimate Internet users. The “underground advertisement” (See Figure 4) discovered by RSA is one of the most comprehensive and detailed we have seen to date. It reveals how the scamming service works and details terms and conditions. 

Figure 4: English Translation of the Scammer’s Advertisement to Potential Customers (Translated image provided by RSA FraudAction Research Lab)

Click to view figure 4

How Proceeds are Split
In this advertisement, the Scammers have stated that an item’s value is determined by the lowest listed price of the item as it appears at the time of payment. To accomplish this, they reference a handful of websites such as pricegrabber.com and bizrate.com. The Scammers then determine their Customers’ share of the proceeds. The Customer's share is based on several payment schemes, depending upon the value of the merchandise and other characteristics.

Rules and Disclaimers
Disclaimers in this advertisement are quite striking when compared to those from the legitimate world of business. The scammers disclaim liability in the following cases:

• The customer / carder cannot be reached for more than seven days.
• The items are bought from an online auction site (such as eBay).
• The service cannot be used with seven specific websites, including those belonging to Dell and Best Buy. What makes this rule most striking is this: “if not complied with, the package is confiscated”.

How to Identify a Job Fraud Scam; Why Some People are Especially Vulnerable
Several organizations including Privacy Rights Clearinghouse, the U.S. Federal Trade Commission (FTC) and Monster.com have provided helpful information on how to avoid job fraud. In addition to employment websites, fraudsters have also enhanced their abilities to fool potential victims by placing advertisements on major news websites and Google.

It is possible that due to the instable economy, the resulting high rates of unemployment, and need for immediate income from those out of work, applicants to Air Parcel Express were looking for jobs outside of their professions or were simply less selective than usual. What makes these scams even more attractive is that they offer “easy money” while working from home. While these jobs may sound alluring, they can oftentimes be completely illegal.

In addition to being unwittingly recruited to participate in a chain of crime, the applicants are also in danger of identity theft and other fraud committed by their “employer” against them. The fraudsters behind Air Parcel Express and others like them collect a wealth of personal data from both applicants and those who are hired. As a result, mules face the risk of being victimized:

1. They can be completely unaware they are involved in criminal activity
2. They can be the target of identity theft perpetrated by those they had trusted to give them a job

Reshipping scams are simply one of a multitude of services that constitute the online fraud supply chain. In the case illustrated here, fraudsters introduced a form of “Fraud-as-a-Service” that facilitates the cashout stage following e-commerce fraud. This scam is very similar to other ones that seek out the recruitment of money mules.

We hope that by demonstrating a specific reshipping scam like Air Parcel Express and providing external resources will help more people avoid falling into these criminal traps.