You’re a money mule and you don’t know it?!

When I hear a news like “40 million credit card details stolen“, I used to wonder how the hackers cash out and get the money on their hands. Since it is traceable, they cannot buy anything or transfer the money. Let’s face it, hacking the accounts might be “easy” but getting the money is a bit challenging. So how do they get the money? Some of the hackers sell the credit card or bank account details to third parties to avoid the risk of getting caught while cashing out. Imagine stolen 40 million credit cards details sold at $20 each; it is still worth it for the hackers. But the story is still not complete. How do the people who bought the details get the money then? Transferring still will not work because it is traceable. Sell it to somebody else? Maybe. Keep reading.

Recently, somebody told me that he found an online job from a credible source. He told me that some people contacted him through e-mail claiming they read his CV on a career search website. And since he recently posted his CV on the website, he thought they are 100% legit. They offered him a very good salary for something that didn’t need much of his time; a 10% commission on each transaction and bonus. They also promised him a raise after the first 1 month of probation period. He was happy about it and filled in some forms and started the job. What does he have to do? Simple, give out his bank details (normally IBAN but they said he will have extra 200 euro bonus if he hands over his username and password for his online banking which obviously is to steal money from his bank account), then they will transfer him some money, then he has to withdraw 90% of the money (10% is his commission) and send it to them via Western Union. Money laundrying made easy!

But what is really going on? OK, here is the deal.  These people have a lot of stolen accounts on their hands. Since they cannot transfer the money to their account, for obvious reasons, they hire somebody (called money mule) to do the risky job. This guy told me he thought he was working with a 20+ years old financial company. Normally, since the person who is hired does not know he is doing a crime, he will go to his bank, withdraw the money and send it to the thieves. In order to avoid being traced, these people might have a fake identity to claim the money from Western Union (or related service). The money is gone. When the person who was stolen reports to the police, the police asks the bank and the bank says there was a transfer to this account. It is only the mule that will be caught while the original thieves are enjoying the money.

After doing a little research I found out that most of the thieves are from Eastern Europe. In fact, the guy told me he was supposed to send the money to Ukraine. I also noticed that most frauds (be it the Nigerian 419 scam) involve Western Union. Couldn’t this problem be minimized if Western Union outlets had asked some questions where the money came from before accepting and sending the money when the destined person resides in these countries? Off the top of my head, it seems a solution to me.

Have you ever been a money mule? Or do you know someone who was a money mule?


Model checking using iSpin on Windows

Ever tried to do model verification using iSpin (on Windows) on a click of a button but couldn’t manage to get it to work? I had the same problem. Apparently, there aren’t good resources that solve this problem. Follow these steps to get it to work. This has been tested to work on Widnows 7 and Windows 8.

I assume you have iSpin and SPIN installed on you system. Now let’s proceed with the necessary components. While doing the command line verification, most probably you used Cygwin’s gcc. or if you haven’t done any model verification so far, please first download and install Cygwin (note that you can also use MinGW instead of Cygwin – but this solution works for both). Then download and install gcc – C, C++ compiler package. When the installation completes, click on the Start menu, then right click on Computer and click on Properties. On the left navigation, click on Advanced system settings — a dialog will appear. On the dialog, click on Environmental Variables. Now a new dialog will open. Under the System variables section, locate the variable Path, select it and click on Edit. At the end of Variable value, add semi-colon (;) and add the path where you installed Cygwin plus Bin folder. That is, if you installed Cygwin in C:\Cygwin, then add the following


If you’re using the MinGW version of gcc rather than Cygwin, use instead the following (assuming MinGW is installed in C:\MinGW\)


and click on OK. Then click on OK on the previous dialogs.

Now, navigate to the path where you installed SPIN. Locate iSpin, then open it in a text editor (I used Notepad++). Now locate the line that reads the following:

set CC      gcc

Add the following line just under it (select the one that applies for you)

set CC      “C:/Cygwin/bin/gcc”          ; for Cygwin users

set CC      “C:/MinGW/bin/gcc”          ; for MinGW users

That’s it. Save the file and close it. Now as a test, open iSpin and then open some model. Then write the LTL properties you want to verify inside the model, save it, and reopen it. Then go to the verification tab and adjust the commands to be used as per your requirements. Then click on the Run button. After some time, you should see the result on the Verification result window (the dark windows on the right bottom).


Installing WebGoat on Windows

Recently, I had to work on WebGoat to study the possible vulnerabilities we can have on a test web application. But since I used to normally work on Windows (Linux now), installing it and having it to start to work was a bit tiresome. After a while, I managed to install everything needed. So here are the steps I followed to get it work.

You need to have Java and Tomcat installed on your system. Assuming Java will be there, you can download Tomcat from here. Install Tomcat in the root folder instead of the Program Files folder to avoid messing with the permission settings. When the installation finishes, go to the installation directory and navigate to the conf folder and open tomcat-users.xml file. Under <tomcat-users> tag, insert the following text

<role rolename=”admin-gui”/>
<role rolename=”manager-gui”/>

<role rolename=”webgoat_admin”/>
<role rolename=”webgoat_user”/>
<role rolename=”webgoat_basic”/>

<user name=”webgoat” password=”webgoat” roles=”webgoat_admin” />
<user name=”guest” password=”guest” roles=”webgoat_user” />
<user name=”basic” password=”basic” roles=”webgoat_basic” />
<user name=”admin” password=”yourpassword” roles=”admin-gui,manager-gui” />

Now download the latest version of WebGoat WAR file from here. At this time, Tomcat should be listening on http://localhost:8080 unless you modified this setting during the installation of Tomcat. Open that address on your browser. Click on Manage App and then insert the username and password you specified at the last line of the above code. Then go down to WAR file to deploy section and locate your installation file from your download folder and click on Deploy.

That’s it. Now you should be able to see the WebGoat app working by navigating to http://localhost:8080/WebGoat/attack.