We first reported a similar 419 scam email back in the July 2008 State of Spam report. Let’s first understand what a 419 scam is. 419 spam is named after the section of the Nigerian Criminal Code dealing with fraud, and refers to spam email that typically alerts end users that they are entitled to a sum of money, by way of lottery or a new job or by being nominated as beneficiaries to the fortune of a retired government official or a wealthy person. This is also sometimes referred to as an advance fee fraud.
Symantec recently observed another 419-type spam attack where the spammer obtained a user’s credentials and sent out email to the contacts in the victim’s address book, seeking help in the form of money—obviously with a cooked-up story. Here is a spam message sample:
From: "Xxx Xxxx" <email@example.com>
Subject: Please l need your help
Hope you get this email on time, Please I really don't feel like disturbing you with my problem but I don't have any other choice rather then seeking for help from you, please try and understand my situation right now as it needs an urgent attention. I'm presently in UK and am having some difficulties here because i misplaced my wallet on my way to the hotel where my money and other valuable things were kept.
I can't even think straight now,I will like you to assist me with a loan of 1200£ to sort-out my hotel bills and to get myself back home. Even if you don't have up to the amount, you can assist me with any amount you can raise. I promise to pay you back the money as soon as I return back home. I am so confused right now. I would have called you to explain the situation to you but my mobile phone does not work here and the hotel phone line has been disconnected because of the bills I am owing the hotel management, I only have access only to email. You can have the money sent to me through [Brand Name removed] money transfer as It is more safer and faster.
Here is the details where you would send the money to:
Name: Xxxxxh Xxxx
Address: [Address details removed] , England, United Kingdom.
So please kindly locate a [Brand Name removed] office and send the money if possible today so that I can get out of here as soon as possible. Immediately you send the money, get back to me with the payment details after you sent the money. I am almost impatiently waiting for your reply.
Hope to hear from you very soon.
Awaiting your reply,
The originating IP address of the above spam email was found to be 184.108.40.206, which is a dial-up IP that was traced back to Lagos, Nigeria, although similar messages get sent from other countries as well. Unlike the majority of spam attacks that are sent by automated bots, 419 emails are written manually and sent via legitimate email servers, either through purpose-created webmail accounts or through obtaining legitimate email users’ credentials.
Giving this an interesting twist is the fact that the spammer didn’t just send the above email message waiting for a response, but also began chatting with other intended victims via instant messenger. Imagine how hard it could be for the end user to figure out the legitimacy of the communication in such a scenario with that level of personalization.
Scammers favor wire transfer services because payments are irreversible, untraceable, and require minimal identity checks. Interestingly, although it is almost two years since we first reported this type of 419 scam, where scammers pose as a friend in need, the fraud warnings on the website of the wire transfer payment service mentioned in this email only warn about sending money to people that you do not know.
This type of approach could soon become a trend, since people would be more likely to trust communication from a trusted source. Secondly, ISPs are increasingly employing reputation systems for new webmail accounts; an older account may have higher email sending limits in place. Once the scammer has access to the account, they are likely to maximize the opportunity and use it to send as much as spam as possible.
In another 419 spam sample analyzed by Symantec, it was found that the spammer had accidently attached the SMTP server credentials (that were potentially being used to send spam) in an Adobe Style Layer (.asl) file. The file contents show the level of detail 419 spammers are able to obtain regarding sending limits.
Spam message header:
From: "MOHD MARIAM SAEEED"<firstname.lastname@example.org>
Subject: Call To Confirm: +6010<removed>213
Contents of the attached .asl file:
In this case, the password was simply an extract of the username with a number, so it’s possible it could have been guessed through trial and error. Another method that 419 spammers use to obtain user credentials is to send out a fake “helpdesk” type of email that requests a user’s email username and password in order to fix some problem with the account.
To minimize online risk, Symantec recommends the following:
• Choose a secure and unique password for each system.
• Always be suspicious of emails or links in email asking for your username and password.
• Never send money via wire transfer unless you’re 100% sure a person you know and trust is the one you are sending the money to.
• Use the latest messaging security solutions from vendors such as Symantec that fight unique spam and scam attacks such as these.
Note: My thanks to co-author Amanda Grady and to Paresh Joshi for contributed content.