When scammers try to gain sympathy from email readers or entice them with a huge amount of money, they usually mention a tragedy or any event that attracted huge public attention. They may also want users to read additional information, so a URL from a well-known news site is also provided. The link may assure a reader that the email is genuine and that some action needs to be taken in response. Toward the end of the scam email, an appeal to help the victims is made if the event is a tragic one. The message also provides contact information in the form of email addresses and phone or fax numbers.
Anti-spam filters will find it easier to block the news URLs in the scam message because, although the URLs are legitimate, they point to old news items that should ideally not be in circulation for any reason.
For the sake of curiosity, we went through our active filters to check for such news URLs and, surprisingly, found that some filters created as early as 2009 are still blocking emails. The spam caught for each URL is in the range of 3 million to 9 million messages. For Symantec customers, these are the most abused tragedies or events used inside "419" scam messages, with URLs from legitimate news sites inserted in the mail body (indirectly, as proof). Most unexpectedly, these filters are still catching spam.
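A minimal sketch of the URL-based filtering described above, as an added example that is not Symantec's filter code: it extracts URLs from a message body, normalizes them, and matches them against a blocklist of old news links. The blocklist entries, the sample message and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed blocklist: placeholder entries standing in for old news
# articles that a filter has seen reused in "419" scam bodies.
STALE_NEWS_URLS = {
    "news.example.com/2003/world/baghdad-cash-found",
    "news.example.org/2004/asia/ocean-earthquake",
}

URL_RE = re.compile(r"https?://[^\s<>()\[\]]+", re.IGNORECASE)

def normalize(url):
    """Reduce a URL to host + path so trivial variations still match."""
    parts = urlsplit(url.rstrip(".,;:!?"))   # drop sentence punctuation
    host = (parts.hostname or "").lower()    # hostnames are case-insensitive
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path.rstrip("/")     # query and fragment are ignored

def body_text(raw_message):
    """Concatenate the decoded text parts of an RFC 822 message."""
    msg = message_from_string(raw_message)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)

def stale_news_hits(raw_message):
    """Return the blocklisted news URLs (normalized) found in the body."""
    found = {normalize(u) for u in URL_RE.findall(body_text(raw_message))}
    return sorted(found & STALE_NEWS_URLS)

# Constructed sample message.
SAMPLE = """From: "Sgt. Example" <sender@example.net>
Subject: Urgent assistance
Content-Type: text/plain; charset=utf-8

We found the funds reported here:
HTTP://WWW.News.Example.com/2003/world/baghdad-cash-found/?ref=mail.
Reply to contact@example.net for details.
"""

if __name__ == "__main__":
    print(stale_news_hits(SAMPLE))
```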
The most abused news links are listed in descending order of the spam caught:
- Foreign currency worth $200 million found in Baghdad, Iraq in 2003
- Indian Ocean earthquake in 2004
- News on Flight 111 crash in 1998
- News on airline crash in 2003
The news link about foreign currency worth $200 million found in Baghdad was used the most, and it looks like this was the most convincing story for persuading users. The image below shows an example of the email scam.
Figure 1: Iraq war booty email scam
Be it a tragic event or a find like the one in Baghdad, scammers will try to make the most of it. They will try to convince users to contact them and may extract money from the recipients. Therefore, email users need to be careful when contributing to a charity organization. Type the website name of an organization directly into the Web browser rather than clicking URLs in the message. Also, when entering personal or financial details, ensure the website is encrypted with SSL by looking for the padlock, https or green address bar. Most importantly, users must never use the contacts provided in scam emails: simply do not reply to scams.