The Christmas holidays have been busy for scammers luring random users to apply for a job as a money mule.
These campaigns have previously been tied to a Crime as a Service network running the Citadel crimekit. This means that any applicant receiving funds through these jobs are likely to be unautorized banking transactions which will bring the person in trouble with the law.
We have observed the following subjects used by this group:
Job opportunity – hurry to apply!
Career opportunity inside
Employment you’ve been searching!
Position opening in your area
New job vacancy – see details
Take a spare three-hour work week in our clinic and get 580 Eur.
We will advise you for free how to increase your income by 2,000 Eur per month.
You can earn an additional 200 Eur per day helping your community
We invite you to a remote job 100 euro per hour helping sick people
We will advise you for free how to increase your income by 2,000 Eur per month.
We offer you a personal decision as to earn more without investment.
Learn how people in your profession can earn a 30% increase!
We are looking for assistants in your town on a well paid remote job
You do not have much money? We offer a solution to – work in your spare time in our company
Take a spare three-hour work week in our clinic and get 580 Eur.
–
All of these unwanted e-mails requires the applicant to reply back to an e-mail adress hosted at “new-eurojob.com” currently translating to 69.169.90.27. This server also has a history of other similar scams:
americancardealers-staff.com
amricancarsglobal-positions.com
hollandjobnl.com
The latter is directly related to an on going money mule campaign running in Holland:
https://www.security.nl/artikel/44461/1/Nederlandse_katvanger_moet_’dokter’_helpen.html
The domain is supported by two nameservers:
ns1.ariparts.net
ns2.ariparts.net
Both of these nameservers are tied to a lot of malicious activity and not surprisingly Citadel C&Cs.