Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« January 2012 | Main | March 2012 »

February 23, 2012

419ers vs. Informed Users Permalink

I wonder if the 419 gangs have been running into more informed recipients of their spam — people who are suspicious of being asked for money up front to get their (nonexistent) windfall.

In the past, the crooks would wave millions of [choose your currency] in front of recipients' eyes so they wouldn't mind paying sometimes tens of thousands of dollars over a few weeks or months to pay for (phony) fees, taxes, duties, storage costs, shipping costs, and other nonsense, because that would be a mere pittance compared to the huge payment that (never) arrives. I have even reported earlier that some 419ers have used a ploy to advise recipients that there will be a (not) one-time fee of so many hundred dollars to process the transaction — a kind of refreshing candor (I can't call it "honesty").

Perhaps as a sign of desperation (one can only hope), the price of entry into a 419er's clutches has been lowered to a mere $95.00:


Executive Governor (CBN)
REF: CBN/IRD/CBX/021/012
Call me +234 80322xxxxx


Good news,we have a meeting with the house (Federal government of Nigeria) we informed them that your fund should not cost you any thing because is your money (Your Card). Moreover, we have an agreement with them that you should pay only delivering of your card which is 95 U.S. DOLLARS by FedEx Delivering Company.However, you have only two working days to send this 95 U.S. DOLLARS for the delivering of your card, if we don’t hear from you with the payment the Federal Government will cancel the card.

I want you to read below notice carefully, as the notice stand as caution before it is late. for your consideration, you must be conscious of this project, as I will soon conclude this transaction with you, incase of any e-mails, calls you receives regarding this from any individuals claimed to be me, or e-mails, calls from any organization to you, such must be forwarded at once to me immediately by e-mail.

Also, it might come to you with different proposals with different names including my name asking you to come and claim your estate or even funds belonging to you or to somebody you do not know, I urge you to ignore such e-mails or calls, while you forward it to me. I want you understand that the most important thing for me is your understanding and co-operation, again without this code (555) don’t get back to me.

Moreover, first batch of your card which contains 1,000.000.00 MILLION U.S. DOLLARS has been activated and is the total fund loaded inside the card. Your fund which is in total 10,000.000.00 MILLION U.S. DOLLARS will come in batches of 1,000.000.00 MILLION U.S. DOLLARS and this is the first batch.Your payment would be sent to you via UPS or FedEx, Because we have signed a contract with them which should expired by February 28th. Below are few list of tracking

numbers you can track from UPS website(www.ups.com) to confirm people like you who have received their payment successfully.

JOHNNY ALMANTE ==============1Z2X59394198080570
GARY METZGER ==============1Z2X59394195952759
GLEN PAPANIKAS ==============1Z2X59394198690947
CAROL R BUCZYNSKI ==============1Z2X59394197862530
KARIMA EMELIA TAYLOR ==============1Z2X59394198591527
LISA LAIRD ==============1Z2X59394196641913
POLLY SHAYKIN ==============1Z2X59394198817702

Moreover, this is another people that received their payment through fedEx website (www.FEDEX.com).

EVELYNL MARJA===================871372183148
Devadass Dass====================871359761819
Charlie Love====================871359761727
Thomas Menefee===================871359809324
Patrick Craddock==================871359809313
RICHARD AUTRY ================= 869713119185
OWEN J KAYODE ================== 871363130860
MARK STUBBS =====================871363116168
LEWIS SMITH======================871358164322

You have to reconfirm your full information such as follow:

Full Name: ……………………………………

Home Address or Office: ………………………

Cell Phone and Home Phone number: ……………………

This is the paying information that you will use and send the 95 U.S. DOLLARS only, through money gram or western union money transfer for the shipment fee


Receiver’s Name:Nwanorue Chijindu
Text Question:In God
Text Answer:We Trust
Address Lagos-Nigeria

I wait the payment information to enable us proceed for the delivering of your card.And you are advice to call me with this number +234 80322xxxxx


Dr.George Gana
Call me +234 80322xxxxx

Of course, if you think that the $95.00 payment will be all you'd have to make, you are dreaming. It's like a retailer's loss leader to drive you into the door. The salesman takes over from there and steps you up to higher-priced goods. And believe me when I say that these Nigerian guys have well-proven track records in gaining the confidence and big dollars from their victims once on the hook.

By the way, the tracking numbers in the above message are all dead. But that wasn't the case a few weeks ago, when I saw another 419 message use a similar tactic to trick recipients into believing such payments were being made. There were real FedEx bills of lading from Nigeria to various addresses in the U.S. that were trackable at fedex.com. That really unnerved me because I knew recipients might easily believe that those shipments contained giant payments like the ones being promised in the email message. Of course, an empty FedEx envelope is just as trackable. The investment to send a couple envelopes from Africa to the States probably paid off handsomely in attracting victims.

Posted on February 23, 2012 at 10:51 AM
Malware via SendSpace Permalink

For the past few days, the malware crooks have been trying to deliver their packages via SendSpace, a service normally used to transfer unusually large files between folks. Here is one example of the email message:

From: Fedex Express Delivery
Subject: Re: Alert: Parcel Notification ... Contact Us


Please Visit Send Space to secure your parcel

Google.com and Send Space Factory are giving donations to enlisted
emails in diffrent continent of the world recently for development of
Millenium Development Goals and Green Energy.
Please Visit the link of sendspace.com and secure your scanned copy
of the tracking to track your cheque from Google.com Team.

I hope this helps and please do contact me for further instructions
and how to secure the tracking number if yours is no longer available
for download via http://www.sendspace.com/file/ebopf1

Agent Victor Wong Lee
( Google Claims Agent )

To its credit, SendSpace has been taking down the offending files (various Trojan loaders) quickly — although not the one I "x"ed out above.

The stories offered in the email messages are getting pretty far afield, if not utterly incomprehensible. But that won't stop most recipients from trying to investigate the files — to their peril on unprotected Windows machines in this case.

While I'm on the subject of tricking email recipients with malware, here is another turdlet that I saw this day:

Subject: Attention! Changes in the bank reports!

Dear client! According to the new rules of the Ministry of Finance, we have to change the procedure of record keeping on your bank account. We ask you to familiarize yourself with the said regulations. To confirm your agreement, print out the last sheet, sign it and send it back to us.
new rules.doc 45kb
With Best Regards
Wanetta Reilly
MD5 check sum: c468c41c410af294107d1c463807d107

I wonder how many recipients in the U.S. don't know that we don't have ministries. Clearly the sending crook didn't know that, and it could hurt his or her success rate. Well, one can dream.

As dumb and stupid these email messages sound to those of us who regularly track such activity, always remember that there are enough everyday users out there falling for them. If the crooks weren't successful at enlarging their bot networks and identity theft bankrolls, they'd look for other, easier ways to make a dishonest buck.

Posted on February 23, 2012 at 10:20 AM

February 09, 2012

Phish or Foul? Permalink

As I started to read the following spam, I quickly categorized it as yet another atrociously spelled and constructed Bank of America phishing scam.

But then came the last sentence before the link:

From: Bank of America
Subject: Important Security Issue

Your Online Banking is Blocked

Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account.

So we have decided to put an extra verification process to ensure your identity and your account security.

Please click on continue to the verification process and ensure your account security. It is all about your security.
Thank you. Open In Internet Explorer Only.

Continue To Online Banking

The actual link URL is to a hijacked Indian web site, where the page uses the ancient meta-refresh tag to send visitors to a different hijacked Indian web site, where a phony BofA page awaits. Whether this email is simply to attract phishing victims or load some malware through Internet Explorer (there are some suspicious external JavaScript files loaded into the destination page) should not concern typical users. But avoiding even clicking on the link in the first place should be Issue Number One.

If you ever receive (and read) an email claiming that your account (of whatever kind) has been blocked, use your trusty bookmark to that site and log in the normal way. There you'll find that your account is just fine.

Posted on February 09, 2012 at 10:08 AM

February 02, 2012

Your Telephone Account Number Permalink

As frequent readers of this blog know, my primary concern is educating everyday users about avoiding tricks that criminals use to capture private data. An article at Trusteer warns of a recent attack technique that takes treachery to a new level. The underpinnings are a little complicated, but a user heading for trouble probably wouldn't notice what's going on. In fact, warning systems built into detecting bank account or credit card fraud essentially become disabled for the user, leading to incredible difficulty after the fact.

The problem begins — as if often the case — with a PC infected by a particular piece of malware. Now, before you say "But I have antivirus software installed on my PC!", there may be times when you find it necessary to use another person's computer, or a computer in a publicly accessible location to perform even a quick transaction (e.g., check your balance) with one of your financial institutions. You can't possibly know if that PC is clean, even when its owner or administrator swears on a stack of AV CDs that everything is OK (oh, well maybe the profiles haven't been updated this week...oops). These days, the same goes for using someone else's smartphone to access your accounts — a very risky proposition for numerous reasons.

So, this infected PC constantly monitors activity, looking especially for access to financial sites. At that point, it's easy for the malware to capture login credentials, which can then allow its masters to get inside your account. Rather than bleed your credit card or bank account dry for a quick shopping spree, the crook sends you a fraudulent email that tries to trick you into handing over your telephone number and account details. Why? So he can screw with your call forwarding such that telephone verifications from the institution are sent to established criminal call centers who provide all necessary verification data you've allowed to be phished or stolen. Your account stays alive longer for the crooks to bleed you even drier.

Because the institution has performed its job of verifying a transaction against information that only you, the customer, should know, you will have one helluva time getting things fixed.

How can you best protect yourself? You should be suspicious of any unsolicited email or telephone call you receive that asks for personal information of any kind. The more dire-sounding the reasoning behind the call, the more cautious you should be. If there is a genuine problem with your account, then you should be able to log into the account online the normal way (i.e., by following a pre-existing bookmark to the site) or call the institution by the telephone number on your most recent bill or statement. Just as you should not trust a link in an email, so should you mistrust a phone number given to you by an unsolicited telephone call.

If you're not paranoid about criminals coming after your valuables, you're crazy.

Posted on February 02, 2012 at 10:05 AM