RSA reveals details behind re-shipping scam

Desperate during the downturn, people are taking "jobs" as re-shippers, not realizing they're helping criminals move goods purchased with stolen credit cards, RSA says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

RSA FraudAction Research Lab has uncovered the workings behind a recent re-shipping scam in which U.S. residents were used as mules to send goods purchased with stolen credit card numbers overseas.

The operation began a year ago and received applications from more than 1,900 people, though only 33 people were "hired," according to an RSA FraudAction Research Lab blog post on Thursday.

Laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before the scam ended earlier this year.

The operation masqueraded as a company called "Air Parcel Express," and it had an authentic-looking Web site, RSA said. However, there is a legitimate shipping firm with the same name that is completely unassociated with the scam.

The use of unwitting accomplices to re-ship items purchased fraudulently in the U.S. to other countries is not new. However, the degree to which the scammers went in creating the illusion of legitimacy is noteworthy, RSA said.

"They had a really professional, highly executed effort in recruiting the re-shippers, which is fairly novel," said Sean Brady, senior manager of identity protection and verification at RSA. "The average re-shipping campaign is based on e-mail or ads that direct people to a crude location" on the Web, he added.

Here's how the scams work. Criminals get credit card numbers through phishing, Trojan attacks, and hacking databases, like that of Heartland Payment Systems and RBS WorldPay. They use the information to make online purchases of items, typically electronics goods that they can resell at a high profit and typically purchased in the U.S., where they are cheaper.

The criminals recruit U.S. residents to receive and re-ship the goods out. Re-shippers are asked to unpack the item from the merchant's box and put it in a plain box, probably so the boxes face less scrutiny at customs, Brady said.

To find the mules, the criminals advertise on legitimate employment Web sites and on search engines. Usually, the re-shippers don't get paid as promised, RSA said.

"What's interesting is that criminals in Eastern Europe can orchestrate the campaign, recruit in the U.S., and ship to Europe without ever needing to have any level of personal contact" with the re-shippers, Brady said.

More information on how job seekers can detect scams is available from the Privacy Rights Clearinghouse, as well as Monster.com and the U.S. Federal Trade Commission.

The Web site for the re-shipping operation (shown here) looked legitimate, RSA says. RSA