PhishTank is operated by OpenDNS, a free service that makes your Internet safer, faster, and smarter.

'Safety' Posts

Money Mules: laundering out the phish smell

posted by John Roberts on November 10th, 2006 in PhishTank, Members, Voting, Safety, Verifying phishes, Mules

The following post was written by PhishTank member funchords, a very active member of the community, and currently the top submitter to PhishTank.


Submission 22779 is such a professional-looking employment ad, one might even wonder why it was submitted as a suspected phish site. Most likely, redpriest realized that the ad was looking for a Money Mule — a person who launders phishy money through their personal accounts and moves it overseas.

It’s both illegal and risky — and most Money Mules end up getting burned as soon as the phish-site victims realize that their credit cards or identities have been compromised. In addition to possible trouble with the police, the Money Mule gets to pay back the banks and institutions that were involved in the fraud. Money Mules take all the heat while the real crooks disappear into anonymity.

So why was Submission 22779 marked “Verified: Is NOT a phish”? Because, even though it probably is related to phishing, it really is not a phish. It isn’t masquerading as an institution one already trusts in order to obtain financial information.

While PhishTank endeavors to quickly and accurately identify phish, our friends at CastleCops.com specialize in working with government and internet concerns to shut these criminals down. CastleCops has an e-mail address to report suspected Money Mule advertisements: mules@castlecops.com.

Got a phish? As always, throw it in the PhishTank. But if the crooks are “fishing” for a Money Mule, then report it to mules@castlecops.com.

Submissions are virus scanned

posted by John Roberts on November 3rd, 2006 in PhishTank, Virus, Safety, Verifying phishes

At PhishTank, we focus on phish and phishing, and we leave other bad areas (viruses, malware, spam, botnets) to other communities, such as Project Honey Pot (anti-spam).

But some of the folks on the dark side of the Internet defy such categorization. They don’t limit themselves to phishing. So, we’ve had a few submissions of phish URLs which also try to infect the visitor with a virus.

In the past, we’ve deleted these submissions out of hand, but we don’t want to give phishers an easy way to avoid identification by compounding their crimes.

How we deal with these submissions now, thanks to miked:

  1. All submissions are scanned for viruses.
  2. We never display the actual suspected phishing site by default. (Always been the case.)
  3. If our scan indicates a possible virus in the submission, then when you click the “View site in frame” tab, you will be warned. You will be able to continue, but you should be even more careful than usual.
  4. Same general experience holds for the “View site in new window” link: a warning, with an option to continue.

No virus scanning is perfect, and phishing sites change, so if you venture over to the site itself, please make sure that you always do so in a very up-to-date browser, with security settings at their highest levels. We hope the technical information tab also limits the need to visit the site itself.

If you want to see this in action, then take a look at 19880, which is online still as I write this.

To cite Hill Street Blues (long-gone TV show), let’s be careful out there.
