NEWS FROM THE LAB - Monday, May 3, 2010

Corporate Identity Theft
Posted by Mikko @ 08:39 GMT

For online criminals, it's easy to gain access to stolen bank accounts and credit cards. What's much harder is to empty those accounts without getting caught.

For this, criminals need money mules: individuals who are recruited to move the money. In many cases these individuals have no idea they are working for organized crime. When phishing and banking trojan victims realize they've lost their money, the tracks will lead to the money mules — not the real criminals.

Here's an example of an active money mule recruiting campaign. This one is done in the name of a company called Finha Capital.


The website looks fairly credible, and a quick web search shows that there is indeed a real company with this name, and it has been operating for decades.


The problem is, finha-capital.com has nothing to do with Finha Capital Oy. The site is completely fake.

The only reason the website finha-capital.com has been created is to use it as a front end to hire gullible end users to do online payments and to move money for the criminals. These guys are using the reputable brand of an existing company to fool people into their scam.

And it's not just Finha Capital. Take a look at these:


Exactly the same website operates under (at least) two other names: Bin Finance and Contant.

And just like with Finha Capital, there are real companies called Bin Finance and Contant as well, and the addresses listed on the website are the mailing addresses of these real companies. Again, these companies have nothing to do with the illegal activity.


The domains finha-capital.com and contant-finance.com are hosted in St. Petersburg, Russia, and bin-finance.com is hosted in Kiev, Ukraine.

And just last week, there was a similar scam running at domain nordea-securities.com. Nordea is a large Nordic bank, serving more than 10 million customers.

We spotted this message that was spammed via e-mail:

   From: info@nordea-securities.com
   Subject: Career opportunity
   Our firm have reviewed your resume from Career Builder resume base,
   reviewed it and sure that you to be a great applicant for the position which we suggest.
   We are now looking for a individuals for a vacant position "Account Coordinator".
   The main task of this position is to collect payments from our customers in US.
   Basic Requirements:
   - Computer skills (MS Word), personal e-mail address
   - Ability to work at home
   - Responsibility
   - Age: 21+
   If you are interested, please, register here: http://nordea-securities.com/rim/?link=getjob&rnd=34753525

The whois data for this site is misleading: it tries to suggest that the domain nordea-securities.com is owned by Nordea Bank. It isn't. Note the yahoo.com e-mail address.

nordea-securities alexis perkus poelsevierali@yahoo.com
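The two tells described above (a brand name inside a domain the brand does not own, and a whois registrant on free webmail) can be checked mechanically. The following is an added example, not part of the original post; the allowlist of official domains and the webmail list are assumptions a defender would maintain themselves.

```python
from urllib.parse import urlsplit

# Assumption: the defender maintains this map of brand token -> domains the
# brand really owns. The nordea.com entry is an assumed value for illustration.
OFFICIAL_DOMAINS = {"nordea": {"nordea.com"}}

# Assumption: a short list of free webmail providers; extend as needed.
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com"}


def host_of(value):
    """Return the lowercase host of a URL or the domain of an e-mail address."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip().lower()


def is_official(host, official):
    """True if host equals an official domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in official)


def triage(sender, link, registrant_email):
    """Return the list of findings for one recruitment message."""
    findings = []
    for label, value in (("sender", sender), ("link", link)):
        host = host_of(value)
        for brand, official in OFFICIAL_DOMAINS.items():
            if brand in host and not is_official(host, official):
                findings.append(f"{label} host {host} uses brand '{brand}' but is not official")
    if host_of(registrant_email) in FREE_WEBMAIL:
        findings.append("whois registrant uses a free webmail address")
    return findings


# Values taken from the message and the whois line quoted in the post.
SAMPLE = triage(
    "info@nordea-securities.com",
    "http://nordea-securities.com/rim/?link=getjob&rnd=34753525",
    "poelsevierali@yahoo.com",
)
```

Matching on the registered suffix rather than a substring is what keeps a host such as nordea.com.example.net from passing as official.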

Lessons to be learned?

  •  Realize that identity theft happens to companies as well as to individuals.
  •  If somebody offers you a work-for-home position that's too good to be true, it probably is.
  •  Do not move money for others.
  •  Check that you're really speaking with who you think you're speaking with.