In February this year the Symantec Intelligence Blog covered how 419 or advance fee fraud scammers were using the unrest in Libya to their advantage. As we've extensively covered in the past on the blog, 419 scammers are skilled at using current events to their advantage. For example, scammers have taken advantage of the devastating March 2011 earthquake in Japan as well as other natural disasters and other current events.
The scam message we found in February claimed to be written by someone connected to Libya's Senussi crown, which was overthrown by Muammar al-Gaddafi in his 1969 coup d'état. Since then, we have seen several more messages, exploiting the unrest in different ways, but still following the general 419 or advance fee fraud pattern of demanding endless upfront fees from victims, with vast promised payouts never materialising.
One scam, where the scammer pleads "please read this carefully", claims to be sent by a wealthy Chinese businessman in Libya desperately looking for help in getting his money out of the country. The message further claims that his business associate has been assassinated, perhaps a poor attempt to seek sympathy:
Another scam claims to be from an official in the government who is against the regime. He claims to want helping in securing a $6m fortune for his children, pointing out that his wife has been attacked. This message contains many examples of the poor spelling, grammar and punctuation that often typify 419 scams - "wife was short" (instead of "shot"), "unending torture and later kill" and so on.
A scam we saw at the start of July took a slightly different angle, claiming to be from a US solider serving in Libya, and alluding to a "very important issue" to be discussed:
The most recent scam message we've seen is probably one of the most sophisticated, seeking to exploit the publicity about the whereabouts of Muammar al-Gaddafi himself. In this, the scammer claims to have been contacted by a close aide to Gaddafi. The aide has apparently been detained by Libyan soldiers at the airport in Benghazi, a rebel stronghold. The scammer as usual wants help in rescuing the aide's consignment of $6.7m to a storage company in Benin:
The ongoing conflict has been exploited by many different scams. As covered on the Symantec Security Response blog recently, another scam claims to be from Muammar al-Gaddafi's daughter, and another claims to be sent from Gaddafi's wife. As usual, these scams want assistance in retrieving money supposedly stashed in Europe or elsewhere.
Analysis of these messages show that most were sent from large webmail providers, often from IP addresses in West Africa.
In the midst of an extreme event like a natural disaster, war or major civil unrest, it can be tempting to try to help those caught up in it, but it's important to remember that these "offers" are scams sent by criminals. If an offer sounds too good to be true, it usually is.
We expect to see scammers continuing to take advantage of current events in their scams. A recent interesting post on the Symantec Security Response blog serves a good reminder that although the Internet has made these scams easier, similar scams have been operating in various guises for many years.