Last Updated: 2008-06-05 17:50:13 UTC
by Lenny Zeltser (Version: 2)
"THOSE PEOPLE YOU ARE DEALING WITH ARE FAKE." So starts the Nigerian-style scam email submitted to us by Daniel Sefton. In such schemes, the sender attempts to swindle the recipient out of money, often by convincing the victim to pay some fee to transfer a prize, an inheritance sum, or money from another unexpected source.
Contents of the Fraudulent Email
The message we received offers an interesting twist on the scam by warning the recipient to be careful when receiving such messages. The email claims to come from Susan Walter, a US citizen living in Texas. "Susan" writes, "I am one of those that executed a contract in Nigeria years ago and they refused to pay me, I had paid over $70,000 trying to get my payment all to no avail."
The message explains how "Susan" traveled to Nigeria in an attempt to collect the funds owed to her. There, she met with Barr. Mat Oto, a "member of CONTRACT AWARD COMMITTEE." He then "took me to the paying bank, which is Zenith Bank, and I am the happiest woman on this earth because I have received my contract funds of $4.2Million USD."
"Susan" also explains that she saw documents that listed the recipient of her email as a victim of such a fraud. She advises the recipient to contact Barr. Mat Oto via the supplied contact details. This will allow the recipient to retrieve the money that might be owed to him or her, at the mere cost of $1,200 payable to the Internal Revenue Service (IRS).
A web search revealed that such messages began circulating in late April 2008. The April message I encountered specified a different name for the helpful Nigerian official, "Barrister Afam Richardson Esq," and used the subject "Your happiness is my concern." A message sent in May used "Susan Walter" as the sender. One specified the amount paid to the IRS as $980; another as $1,200.
Investigating Fraudulent Messages
If you receive a suspicious message, consider searching for its elements on urgentmessage.org. This website archives and indexes spam messages of fraudulent nature. The most interesting feature of the site is the correlation it performs across contact details specified in the messages, such as names, email addresses, and phone numbers. This helps you find related messages to understand the scope and history of the scam.
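The kind of correlation described above can be sketched in a few lines. This is an added example, not urgentmessage.org's code and not part of the original diary; it assumes email addresses and phone numbers are the linking elements, and the sample messages, addresses, and phone numbers are constructed.

```python
import re
from collections import defaultdict

# Constructed sample messages: names and fees echo the diary, but every
# address and phone number below is made up for illustration.
MESSAGES = {
    "msg-1": "Your happiness is my concern. Contact Barrister Afam Richardson Esq "
             "at afam.r@example.org or +234 800 555 0101. Fee to the IRS: $980.",
    "msg-2": "I am Susan Walter. Contact Barr. Mat Oto at mat.oto@example.net, "
             "phone +234-800-555-0101. You only pay $1,200 to the IRS.",
    "msg-3": "Write to Barr. Mat Oto (MAT.OTO@example.net) to claim your funds.",
    "msg-4": "Lottery winner! Reply to claims@example.com, tel +44 20 7946 0000.",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d[\d\s().-]{7,}\d")

def extract_indicators(text):
    """Return the normalized contact details found in one message."""
    found = {("email", m.lower()) for m in EMAIL_RE.findall(text)}
    # Reduce phone numbers to digits so formatting differences still match.
    found |= {("phone", re.sub(r"\D", "", m)) for m in PHONE_RE.findall(text)}
    return found

def correlate(messages):
    """Cluster messages linked, directly or transitively, by a shared indicator."""
    by_indicator = defaultdict(set)
    for msg_id, text in messages.items():
        for ind in extract_indicators(text):
            by_indicator[ind].add(msg_id)
    parent = {m: m for m in messages}  # union-find over message ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in by_indicator.values():
        first, *rest = sorted(ids)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(set)
    for m in messages:
        clusters[find(m)].add(m)
    shared = {i: ids for i, ids in by_indicator.items() if len(ids) > 1}
    return sorted(sorted(c) for c in clusters.values()), shared

if __name__ == "__main__":
    print(correlate(MESSAGES))
```

Here msg-1 and msg-3 share no contact detail with each other, yet they land in the same cluster because msg-2 carries the phone number of one and the email address of the other.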
Consider the diagram the website generated for "Susan's" message described above:
The diagram on the website is clickable. Clicking on "Susan's" email address brought me to a page that showed a related message and additional elements worth investigating:
ISC reader Peg shared with us a link to FraudWatchers--a website that tracks scams and educates the public about them. The site also has an active discussion forum. Peg also pointed to a story on scam-baiters, who respond to fraudulent emails to waste the scammer's time. This can be dangerous, so I don't advise our readers to partake in this guilty pleasure. (The scam-baiting practice reminds me of the La Brea tar-pit for slowing down network worms and scans, except the technique works at the human level.)
To understand the trends behind Internet fraud, take a look at the 2007 Internet Crime Report, published by the FBI's Internet Crime Complaint Center (IC3). According to the report:
"During 2007, Internet auction fraud was by far the most reported offense, comprising 35.7% of referred crime complaints... In addition, during 2007, the non-delivery of merchandise and/or payment represented 24.9% of complaints... Confidence fraud made up an additional 6.7% of complaints.... Credit and debit card fraud, check fraud, and computer fraud complaints represented 17.6% of all referred complaints. Other complaint categories such as identity theft, financial institutions fraud, threats, and Nigerian letter fraud complaints together represented less than 8.3% of all complaints."
Do you have your favorite tools or websites for investigating fraudulent emails? Let us know, and we'll share your tips with our readers.
Security Consulting - SAVVIS, Inc.
Lenny teaches a SANS course on analyzing malware.