By Dan Bleaken, Malware Data Analyst, Symantec Hosted Services
MessageLabs Intelligence analysts found a 419 scam today that is a little different from the majority of 419s.
The basic premise of a 419 scam (also commonly referred to as an advance fee fraud scam) is that the recipient is entitled to, or has won a large sum of money, and in order to get the money, they need to contact someone (usually a webmail address but sometimes a phone number), or email personal details to a webmail address.
As well as it being highly likely that the recipient’s email address would then be added to the scammers’ list of targets (lining up the recipient for many more scam emails in future), the next stage would almost certainly be for the scammers to phone or email back, to get the victim to send an advance fee, in order to release the supposed money. As is so often the case with advance fee fraud scams or 419s, the initial email is just the beginning, or first stage, of an often quite elaborate scam.
If drawn in the victim would probably be asked repeatedly for advance fees, for any purpose ranging from ‘admin fee’, ‘release fee’, ‘international transfer fee’ and so on, all with the promise of finally transferring the money. Eventually the victim would realise that they had been the victim of a scam and just give up.
Something we often see is requests to ‘please keep this confidential’. Scammers know that the moment a potential victim shares what they have seen with someone else, the chances of the attack being successful are much, much lower. Also generally people like to have a secret - many recipients that have fallen for the prospect of being rich would find it quite exciting that it’s all a big secret.
Traditionally the vast majority of 419 scams are sent from webmail accounts. Sending the scam via a webmail adds legitimacy to the mail, makes the email harder for security vendors to block, and helps to hide the identity of the scammers.
Let’s take a look at some examples.
The bulk of the text in each example is of a style we see frequently in 419 scams. It’s a rambling story designed to raise sympathy from the recipient, and tempt them with the prospect of receiving millions of dollars in inheritance or to offer the recipient the chance to be a ‘foreign partner’ and to help transfer an inheritance. The spelling and grammar are poor and there are a lot of UPPERCASE letters, which is to be expected.
But look closer at the start, and the end of the message. Actually, this scam doesn’t come from a webmail account, it comes from ESPN Soccernet, a perfectly legitimate soccer news website. At the bottom of the mail is a link to an ESPN Soccernet story. The scammers have used a ‘Send this page to a friend’ service provided on the ESPN Soccernet site.
So how does this work?
Well first the scammer chooses a story on ESPN Soccernet (http://soccernet.espn.go.com/columns/story?id=412720 ), and they select ‘Email’ on the top right of the page.
A window pops up, asking for some details. I gave it a try. Imagine I’m a scammer.
First I entered my own email address in the ‘Friends Email’ box. So this is the email address of the recipient/victim.
Next I entered some information in the ‘Your Email’ box. This is just supposed to be the sender’s email address. But the scammers are taking advantage of the fact that in the ‘From:’ email address, you can provide a name. We have all seen this when looking at our emails, for example the mail may be from email@example.com, but when you view the mail, the name ‘Dan Bleaken’ is displayed. The way that this is done, when sending an email, is to put the name in quotes “”, and the email in angle brackets <>. E.g. “Dan Bleaken” <firstname.lastname@example.org>
The ‘Send this page to a friend’ service just picks up whatever is entered in the ‘Your Email’ box, validates it, confirms it as a valid email address, and puts it in the body of the message sent. Well, this format (“Dan Bleaken” <email@example.com>) is perfectly valid for an email address, so what’s to stop me changing the name for an enormous, rambling, 419 scam? Nothing!
I entered “MY 419 SCAM” <firstname.lastname@example.org>
And I sent the mail
A few minutes later I received:
And that’s how the real 419 examples above work. As is the case with webmail, the scammers have been using this technique to add legitimacy to their mails, and hide their identity. It’s likely that spammers are abusing other legitimate websites in a similar way.
Symantec Hosted Services have patented advanced 419 scam detection, which not only detects the suspicious phrases and structures of 419s, but actively hunts for new 419s from a large variety of sources and adds detection in seconds for all of our clients.