The Latest in IT Security

A Shady “Recruitment” Network


Here are a couple of interesting sites:

screenshot of site number one


screenshot of site number two

(There are also some variants on the "TJL" initials — mixing their order — but these all resolve to the site. No variants for the domain have shown up, but we'll keep our eyes open.)

Besides looking identical, there are more similarities:

  • Both live on the same server, currently at, which is an IP address in Russia.
  • Although both claim to have been in business since 2001, and have copyrights for 2011, the domains are actually very young: one was registered about a month ago, the other is a bit over a week old.
  • A lot of the URL path and page names are identical.

(As we sometimes say in America, "Beauty is only skin deep, but ugly goes all the way to the bone.")

Unfortunately, there isn't a lot of context to decide what they're up to, but my guess is that they're set up to recruit "money mules" (people who think they're working for a legitimate business, but are simply being used by a criminal gang to facilitate money transfers from compromised bank accounts).

Money mules are normally recruited via spam, and none of the traffic in the WebPulse logs to these domains shows a referring site, which is consistent with clicks within an e-mail client.

And although money mule sites are not malicious (at least, normally), of course we'll continue tracking and blocking this network.
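The similarities listed above (shared server, young domains claiming a long history, matching URL paths) and the missing referrer can be checked together over proxy logs and registration data. The following is an added example, not code from the original post or from WebPulse; the domain names, IP addresses, dates, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample data (hypothetical domains, documentation IPs); LOG rows are (URL, Referer or "").
DOMAINS = {
    "site-one.example": {"ip": "203.0.113.10", "registered": date(2011, 4, 18), "claims_since": 2001},
    "site-two.example": {"ip": "203.0.113.10", "registered": date(2011, 5, 11), "claims_since": 2001},
    "old-shop.example": {"ip": "198.51.100.7", "registered": date(2003, 2, 1), "claims_since": 2003},
}
LOG = [
    ("http://site-one.example/vacancies/apply.html", ""),
    ("http://site-one.example/about/company.html", ""),
    ("http://site-two.example/vacancies/apply.html", ""),
    ("http://site-two.example/about/company.html", ""),
    ("http://site-two.example/contact.html", ""),
    ("http://old-shop.example/cart.html", "http://old-shop.example/catalog/"),
]
TODAY = date(2011, 5, 20)  # constructed "now" for the sample data

def profile(log):
    """Per host: (set of requested paths, share of requests with no referrer)."""
    paths, bare = defaultdict(set), defaultdict(list)
    for url, referrer in log:
        parts = urlsplit(url)
        paths[parts.hostname].add(parts.path)
        bare[parts.hostname].append(not referrer)
    return {h: (paths[h], sum(bare[h]) / len(bare[h])) for h in bare}

def young_with_old_claim(info, today, max_age_days=60, min_gap_years=5):
    """Recently registered domain whose site claims a much longer history."""
    age_days = (today - info["registered"]).days
    return age_days <= max_age_days and info["registered"].year - info["claims_since"] >= min_gap_years

def related_pairs(domains, log, today):
    """Return {(a, b): [signals]} for domain pairs matching at least three signals."""
    prof, hits = profile(log), {}
    for a, b in combinations(sorted(set(domains) & set(prof)), 2):
        (pa, ra), (pb, rb) = prof[a], prof[b]
        checks = {
            "same_ip": domains[a]["ip"] == domains[b]["ip"],
            "young_domain_old_claim": all(young_with_old_claim(domains[d], today) for d in (a, b)),
            "shared_paths": len(pa & pb) / len(pa | pb) >= 0.5,  # Jaccard overlap
            "no_referrer": min(ra, rb) >= 0.9,
        }
        signals = [name for name, ok in checks.items() if ok]
        if len(signals) >= 3:
            hits[(a, b)] = signals
    return hits
```

Calling `related_pairs(DOMAINS, LOG, TODAY)` on the sample data pairs the two look-alike sites on all four signals and leaves the long-established shop out.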




MONDAY, MAY 17, 2021
