With many people being laid off or working from home thanks to the Coronavirus pandemic, cybercrooks are almost certain to have more than their usual share of recruitable “money mules” — people who get roped into money laundering schemes under the pretense of a work-at-home job offer. Here’s the story of one upstart mule factory that spoofs a major nonprofit and tells new employees they’ll be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

On the surface, the Web site for the Vasty Health Care Foundation certainly looks legitimate. It includes various sections on funding relief efforts around the globe, explaining that it “connects nonprofits, donors, and companies in nearly every country around the world.” The site says it’s a nonprofit with offices based in Nebraska and Quebec, Canada.

The “Vasty Health Care Foundation” is one of several fraudulent Web sites that recruit money mules in the name of helping Coronavirus victims. The content on Vasty’s site was lifted almost entirely from globalgiving.org, a legitimate charity that actually is trying to help people affected by the pandemic.

“We have been contacted by job seekers asking if we are related to some of these job opportunities they’ve been finding on Indeed.com and Monster.com,” said Kevin Conroy, chief product officer at GlobalGiving. “And we always tell them no that’s not from us, and not to cash any checks someone may be giving them in relation to those offers.”

The Vasty domain — vastyhealthcarefoundation[.]com — was registered just weeks ago, although the site claims its organization has been around for years.

The crooks behind this scheme also seem to have submitted the Vasty name in custom links at vetting sites like The Better Business Bureau and Guidestar that ultimately take one to a summary of data on GlobalGiving. No doubt this is part of an effort to lend legitimacy to the Vasty name (hovering over the links above reveals the trickery).

What proof is there that Vasty isn’t a legitimate charity? None of the dozens of Canadian mules contacted by this author responded to requests for comment. But KrebsOnSecurity received copious amounts of information about this scam from Milwaukee, Wisc. based Hold Security, which managed to intercept key file exchanges between threat actors through public file sharing services.

Among those files were a set of form letters and boilerplate email messages that describe the ideal candidate for the job at Vasty and welcome new recruits to the Vasty payroll. Here’s a look at part of the job description, which includes (not pictured) a description of the healthcare plans and other benefits allegedly offered to Vasty employees.

After congratulating applicants (everyone who applies is “hired”) on their new positions, Vasty asks the recruits to do some busy work. In this case, new hires are sent to local pharmacies on some bogus errand, such as to inspect the pricing of face masks and hand sanitizer products for price-gouging.

“Now we have the first task for you. You will have to perform a trip within your city. So that we can compensate for transportation costs along with your hourly rate, I ask you to keep receipts confirming your expenses. LOCATION: Sam’s Geneva Street Pharmacy ADDRESS: 284 Geneva St, St. Catharines, ON L2N 2E8 I ask you to go to the pharmacy at the specified address. We are increasingly receiving reports of private sellers violating the pricing policy for products such as: aspirin, face masks are loose surgical masks with elastic loops that go around the ears, hand sanitizers.”

New recruits are then asked to assemble and submit a written report of their observations at the store in question.

These types of menial, meaningless tasks are a typical tactic of money mule recruitment schemes and they serve two main purposes: They separate out slackers from people who really need and want a job, and they help the employee feel like he’s doing something useful and legitimate (aside from just moving money around, which if brought up too soon might make him question whether the job is legit).

Eventually, after successfully completing one or more of these busy work tasks, the new hire is asked to process a “donation” from someone who wants to help fight the Coronavirus outbreak:

“Please read the instructions carefully. One donor wants to make donations to help fight the coronavirus. As you know, this is a big problem for most countries of the world. Every day we receive information from the World Health Organization that more and more people are sick. Quite a lot of people died from this virus. Some people simply don’t have enough funds to provide themselves with standard face masks and disinfectants to fight the virus.” “The donor requests that Bitcoins be bought with his funds. For this task, you need to create your Bitcoin wallet, or use the QR code that we send you in this letter. You will receive from the donor up to 3000 CAD. Your commission up to 150 CAD will be included in this amount to cover your expenses. I remind you that you do not need to use your funds to buy bitcoins. The funds will be sent to you. You will need to receive cash atm or at your bank branch.”

What happens next is the employee then receives an electronic transfer of money into his bank account, is asked to withdraw the cash, and to keep 150 Canadian dollars for himself. He’s then instructed to take the remainder of the funds to a Bitcoin ATM and scan an emailed QR code with his mobile phone. This causes the cash he deposits into the Bitcoin ATM to be sent in an irreversible transaction to a Bitcoin wallet controlled by the scammers.

What’s going on behind the scenes is the funds that get deposited in the employee’s account are invariably stolen from other hacked bank accounts, and the employee is merely helping the crooks launder the stolen money into a form of payment that can’t be reversed.

Another boilerplate email intercepted by Hold Security shows Vasty’s new hires manager offering advice to employees who are asked by nosey bank employees about the nature of the funds withdrawal.

“Important: If you receive any questions from the bank regarding the purpose of the payment, you can open part of the instructions if necessary and inform that these funds are intended for payment of medicines. In any case, it is a personal payment and it will not be taxed. However, I strongly recommend that you not divulge the rest of the instructions for paying for medicines against coronavirus so as not to aggravate panic among the population.”

Americans shouldn’t feel left out of the scam: Hold Security founder Alex Holden says his analysts also intercepted a nearly identical set of scam templates targeting job seekers in the United States.

Money mule scammers specialize in hacking employer accounts at job recruitment Web sites like Monster.com, Hotjobs.com and other popular employment search services. Armed with the employer accounts, the crooks are free to search through millions of resumes and reach out to people who are currently between jobs or seeking part-time employment.

If you receive a job solicitation via email that sounds too-good-to-be-true, it probably is related in some way to one of these money-laundering schemes. Even if you can’t see the downside to you, someone is likely getting ripped off. Also, know that money mules — however unwitting — may find themselves in hot water with local police, and may be asked by their bank to pay back funds that were illegally transferred into the mules’ account.

Overall, Holden said, established cybercriminals who specialize in recruiting and grooming money mules for financial crimes have been cooing of late over the potential glut of new mules. One mule vendor on a popular Russian-language crime forum posted Tuesday that his “drops” — the hacker slang term for money mules — weren’t scared of Coronavirus concerns.

“We got drops in masks!,” one vendor proclaimed.

“We continue to work despite the Coronavirus,” declared another drops vendor.

Any readers interested in helping others affected by the Coronavirus outbreak should consider giving through the organization Vasty is impersonating here; Global Giving. Alternatively, these two stories link to a number of other reputable organizations facilitating Coronavirus relief efforts.

Tags: alex holden, bitcoin ATM scam, Coronavirus scam, GlobalGiving, Hold Security, Holdsecurity.com, Kevin Conroy, Vasty Health Care Foundation, vastyhealthcarefoundation.com