
What’s Behind the News—Maybe a 419 Scam?

Samir Patil
November 6th, 2009
Tags: Online Fraud, Security, Spam, Security Response

Scammers based in Nigeria have long been known for using legitimate email formats to spread infamously fraudulent 419 messages. We have already observed abuse of e-card services, social networking invites, and various other services provided on social networking sites. Yet another example is a calendar service being abused for sending scam messages.

Sadly, there is an addition to this list: the “send link to friend” service is being exploited to send scam messages. Many news websites provide an option to send news links to another person, along with a text area for writing a personalized message. Netizens commonly share important news with friends by forwarding links along with their comments on the news. In a recent spam attack, we monitored a typical 419 scam message injected into the text area of a news article. In this way, scammers smartly introduce a scam message into an otherwise very legitimate-looking email.

The “Subject” line of these emails usually follows one of the formats below:

Subject: <sender name or email> has forwarded a page to you from <news site name>
Subject: <sender name or email> has sent news to you from <news site name>
Subject: <sender name or email> has sent a link to you from <news site name>

The next example shows how a scam message is disguised in a legitimate message format:
 
[Screenshots of the example email]

When a user comes across this type of message in his or her inbox, it looks like a legitimate news article forwarded by someone. Even after the message is opened, the links in the message body redirect the user to a legitimate news article. However, the scam message suppresses the news article, and the email looks entirely like a 419 scam message (because it is). We recommend that users ignore emails from unknown senders and unsubscribed sources.
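A mail filter can use the subject formats above to recognize “send link to friend” mail and score its free-text body instead of trusting the sending site. The sketch below is an added example, not Symantec's detection logic; the scam phrase list, the threshold, and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# The three "send to friend" subject templates from the post, as one pattern.
SUBJECT_RE = re.compile(
    r"^(?P<sender>.+?) has (?:forwarded a page|sent news|sent a link)"
    r" to you from (?P<site>.+)$", re.IGNORECASE)

# Assumption: illustrative advance-fee phrases, not taken from the post.
SCAM_TERMS = ("next of kin", "beneficiary", "million dollars",
              "bank transfer", "deceased", "confidential")

def parse_forward_subject(subject):
    """Return (sender, site) if the subject matches a template, else None."""
    m = SUBJECT_RE.match(" ".join(subject.split()))  # collapse folded whitespace
    return (m.group("sender"), m.group("site")) if m else None

def score_message(raw, min_hits=2):
    """Score the body of send-to-friend mail instead of trusting its origin."""
    msg = message_from_string(raw)
    fwd = parse_forward_subject(msg.get("Subject", ""))
    if fwd is None:
        return {"forwarded": False, "hits": [], "suspicious": False}
    # Collect every text/plain part (works for single-part and multipart mail).
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    text = " ".join(b" ".join(parts).decode("utf-8", "replace").lower().split())
    hits = [t for t in SCAM_TERMS if t in text]
    return {"forwarded": True, "sender": fwd[0], "site": fwd[1],
            "hits": hits, "suspicious": len(hits) >= min_hits}

# Constructed sample messages (not real mail).
SCAM = """From: share@news.example
Subject: John Doe has sent a link to you from Example News

John Doe thought you would be interested in this article:
http://news.example/story/123

Personal message:
I am the attorney of a deceased client. As next of kin you are the
beneficiary of 4.5 million dollars. Reply for the bank transfer details.
"""
BENIGN = """From: share@news.example
Subject: jane@example.org has forwarded a page to you from Example News

Personal message:
Worth a read before Monday's meeting.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, score_message(raw))
```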

Note: Thanks to Paresh Joshi for contributed content.
