There are plenty of scams effective enough to rate a warning or three, in the hope of alerting potential victims to the kind of gambit they use. And so, even though much of ESET’s business is focused on the bits and bytes of malicious software, I’ve spent a lot of time writing on WeLiveSecurity and elsewhere about tech support scams, phishing emails, 419s and so on. (A shorter version of this article appeared in ESET’s End of Year Threat Radar report for 2013.)

After all, while we see hundreds of thousands of samples of malware every day, a great deal of that (often very sophisticated) malicious code wouldn’t get very far if it weren’t for the sort of social engineering that persuades a victim to give away his credit card details, or visit a shady web site, or click on a malicious program. While not all of the scams described here are directly associated with malware, many of them are indeed often intended to persuade the victim to click on a link that will result in the execution of malicious software such as a Trojan downloader: others link to a service like AMMYY which is itself legitimate but is misused by scammers to gain access to the victims system, a fake bank site or form designed to trick you into giving away your login credentials.

Domain Name Scams

Back in 2012, Aryeh Goretsky blogged about domain registration scams in .ASIA domain name scams still going strong (and referred to several earlier related blogs). While we haven’t blogged again on the topic recently, a stream of comments throughout 2013 indicates a corresponding, ongoing stream of scam messages. Rather like this one, fresh from my ESET mailbox.

(Mail to the brand holder, thanks)

Dear CEO,

Sorry to bother you inexplicably. We are a China's domain name registration supplier, and there is one thing we would like to confirm with your company. On December 4, 2013,  we received an application form online from a company called "XinHua Trading Co.,Ltd"  who wants to apply for some domain names and brand name related to "eset". In order to avoid confusion and  adverse impact on your company, we need to verify whether this company is a subsidiary of you or did you authorize them to register the related brand name and domain names? Currently, we have not formally accepted the application of that company, we need to get your company's confirmation. Please give us a timely response within 7 work days. So that we can better deal with this case. Thank you.

Best regards,

Well, some will find it ‘inexplicable’ that this kind of scam is so successful: at least, we assume that it works often enough to make it worth the scammer’s time. The social engineering in scams like this is two-fold. First of all, we don’t know how often a company in China tries to usurp the branding of a Western company, but it’s unlikely that every message like this is really based on such an attempt. In fact, the similar scams I first came across back in 2004 were aimed specifically at clinical/healthcare organizations in the public sector in the UK, and there seems little scope for companies in the Far East to pass themselves off as hospitals or medical practices in the UK.

Secondly, the scammer is not really asking “is it OK if we accept this application?” Further down the line, he’s going to suggest that if you don’t want them to accept the application from someone who doesn’t have a right to the branding, you’re going to have to buy the domain yourself. At this point, you’d expect a CEO (or whoever), even if they didn’t recognize the scam as such, to refer it to the legal department or an outside lawyer, who would probably identify it as at best unnecessary. Does this happen? We don’t really know: we only hear from people who know it’s a scam, perhaps because they happen to read our blogs.

PC Tech Support Scams

I sometimes think I’ve been writing about tech support scams forever, though actually I first stepped into that particular mire in 2010. But there’s still plenty of scammer action there, as evidenced by a further stream of comments on blogs such as Support desk scams: CLSID not unique, and some more recent blogs like this, which demonstrated some newer techniques and even a Mac-specific attack. It did surprise me, though, to get a call like the one I got (also) today from someone in an Indian call centre who was so busy talking to one of his mates that he couldn’t even be bothered to deliver his spiel properly. After all, most examples of this kind of scam rely on the victim being taken in by the seriously improbable assertion that the scammer somehow has detailed knowledge of the victim’s PC. The scammers would, you would think, be discouraged by having to keep ringing round the same diminishing circle of people who still haven’t learned to recognize the scam. Yet somehow they keep going, and sometimes manage to find a halfway-convincing new angle (or two). Jerome Segura also came across some interesting approaches that I mentioned here, as well as back-linking to a very relevant article by Jean-Ian Boutin.

Darwin Awards for Scammers

It’s not surprising that clever deception makes illegal, immoral profits, and the scam above is, from some of the comments we read, convincing enough to get an initial response from many potential victims. But sometimes it’s reassuring to see that not every scammer displays the sort of IQ that makes fools of university professors and quiz kings. (Admittedly, Darwin notwithstanding, very few of them manage to precipitate their own permanent removal from the gene-pool, though it’s not unknown for a criminal to end up in a holding cell due to indiscreet use of the Internet, as related in this story from 2009, where a burglar took time out to check his Facebook account on the victim’s laptop: Hold the jemmy a second, I need to check Facebook.)

Here are three of my favourite more recent examples. For some reason, all three of them appear to come from westnet.com.au addresses, though they actually have a sort of minimalist 419 feel.

The first two are remarkable for the fact that they don’t have a subject. Well, that’ll grab your attention, won’t it? Well, maybe not…

mibarberralphg2@westnet.com.au has a very straightforward request (or maybe he’s just thinking aloud?)

I need a partner for biz

Minimalist, or what? I’m sure that most recipients will be desperate to find out what it’s about. Sadly, I wasn’t.

Mr. Leslie [schm.michh@westnet.com.au] is a little more talkative, once you get into the text body.

Please contact me, we need to talk about Niclas.

Leslie Mcintyre.

Sorry Les, I don’t think we do. Perhaps if I actually knew you, or someone called Niclas. But I’m pretty sure you’re just trying to catch my attention, and the scam will turn out to be another disappointing Advance Fee Fraud.

seaad1@westnet.com.au, however, goes the extra mile and tells us in the subject field that “I am waiting for your response”. Sadly, the effort seems to have exhausted him or her. The body text tells us that:

I am waiting for your response                                                                                                                                  I am waiting for your response

 Yes, that's pretty much how it was formatted. And yes, I think I get the message. Sadly, you won’t be getting one: at least, not from me.

Money Mules and Job Scams

chuoo@hotmail.com, however, is positively chatty. In a message with the subject “F.S.A” he invites us enthusiastically to:

Work with us to start your stable future.
You're close to join a unique place and see inspirational things.

If you are seeking for a challenging opening with a bright future, come work with us.

We would like to offer you a new career of FSA which is untaken for now. Your CV was provided and reviewed by a recruitment agency. An opening that may fit your experience is being offered.

Earnings:
Your salary scale during the probationary period will be 1500 Pounds per month plus 8% commission from each transaction completed. Your total income could easily be about 2500.00 pounds. After the probationary period, your base wage will be 1800.00 Pounds per month, plus 8% commission.

Employee Reimbursements (only after probationary period) Contain:

- Wage plus bonus
- Includes health and dental insurance
- Paid Leave

To apply for the F.S.A. position, please respond to hrdepartment.test@gmail.com.

Thanks,
Bobbi Power
HR Manager

A stable future? Very Christmassy…. I wonder if there are any mules in that stable? Hold that thought.

But the FSA? We’ll need to do a little guesswork here, since we aren’t told which organization with the initials F, S and A is recruiting, which agency is acting on its behalf, or where or what the job is. Presumably in the UK, since the salary is in pounds, though in fact sterling is not the only pound currency. Oddly enough, Syria uses a Syrian Pound, though I suspect that we’re not looking at recruitment by the Free Syrian Army. Or indeed the Football Supporters Association, since that was amalgamated into the Football Supporters Federation in 2002. The Financial Services Authority went the other way quite recently, its functions being split between the Financial Conduct Authority and the Prudential Regulation Authority, which is part of the Bank of England. So what does that leave us with? The Food Standards Agency? That doesn’t seem likely, looking at the Agency’s jobs page. And in general, HR departments for government agencies don’t use Gmail as their email provider.

The real clue is in the job description, such as it is: the references to ‘transactions’ and ‘commission’, and the lack of other detail about what these transactions consist of, strongly suggest that if there was a job title, it would be money mule. Around ten years ago, email messages offering what was – to all intents and purposes – payment for money-laundering were very common and often quite innovative, with carefully-constructed backlinks to sites closely resembling those of real companies. In a paper Andrew Lee and myself wrote a few years ago, we pointed out the close relationship between phishing and money-laundering.

Phishing gangs are part of a complex “black economy” similar to other commercial models … This “economy” entails a number of roles and functions …

…The victim’s credentials are converted to cash. The buyer uses the stolen credentials, for instance to buy goods for sale on the black market, or to negotiate loans and mortgages…

…Important to the phishing economy are mule recruitment solicitations, offering “financial management” or “financial agent” jobs that boil down to receiving money and passing it further up the chain after taking a cut as commission. For example (original formatting preserved where possible):

YARD SCRAPER, INC. SOUTH AFRICA
Head Office: 131 Braamfontein,
Midran-Johannesburg
2050 South Africa

Good Day

I am Mr. Kelvin Powell, President/CEO of Yard Scraper, Inc. South Africa (a company based in the South Africa). A Company that is specialized in import and export of industrial and domestic machinery & equipment,
communication accessories and household appliances.

We also deal on mechanical equipment, hardware and minerals, electrical products, medical & chemicals, light industrial products and office equipment, and export into America, Asia and Europe, therefore being a General Mercantile Company.

We currently run our business from America, Asia and Europe but I will be communicating with you from our South Africa
Office where I am currently located for now. We are searching for representatives who can help us establish a medium of getting to our customers in America, Asia and Europe as well as making payments through you to us. Please if you are interested in transacting business with us we will be most glad to be your partners.

My company is willing to offer you 10% of every payment that comes in
through you to us. If you are interested, kindly forward to us the
following information through my private email (infoyardscrapercompany@jmail.co.za):

Full Names
Company Name
Telephone & Fax Numbers
Full contact addresses
Age
Sex

Please note that your area of specialization or occupation is of no relevance to resolve to assist us.

Thanks in advance.

Sincerely.
Kelvin Powell
President/CEO of Yard Scraper, Inc.

Funds transfer/money-laundering scams don’t generally purport to come from the same type of institution that phishing scams do, and aren’t aimed at cleaning out the victim’s accounts: they are more concerned with using the target as a “money mule.” They advertise “jobs” via email and recruitment web sites to people prepared to act as their local agents. The mule is often required to open new legitimate accounts with specific financial institutions so as to facilitate moving funds from a phished account with the same institution. The scammer may go to extreme lengths to make the mail look like a serious job offer, backed up by a large and complex web site.

(Don’t you love the company name ‘Yard Scraper, Inc’?)

However, these things haven’t dried up. In an article on Irish unemployed baited by online scammers, Urban Schrott of ESET Ireland published a blog post on those cold-hearted individuals who prey on jobseekers. (No, I mean scammers, not the government.)

It’s all too common for job offers to turn out to be some form of 419 or other Advance Fee Fraud (AFF) or a poorly paid work-from-home job. However, Urban also quoted an email that looks like a particularly unpleasant variation, where the job offered consists of participating in money laundering as a money mule. Unpleasant, because it’s possible for a naive victim to believe they’re working for a legitimate company and not realize that they’re breaking the law until the police come a-knocking.

A lot of mule recruitment is intentionally deceptive, at least in the initial stages. At any rate, the recruiting messages I see don't usually openly declare that they're illegal, but pass themselves off as legitimate account/transaction management. It may be that there is more overt criminal recruitment on underground forums, but in my experience that tends to be at the next level up - recruiters rather than the mules themselves, who are usually regarded as drones, and essentially disposable. What we do see at forum level is sales of the sort of recruiter's package (email/correspondence templates, website templates, backend server administration components) that resembles the sort of partnerka/affiliate packages that fuel other segments of the criminal economy.

Of course, it's highly likely that some money mules are to a greater or lesser extent aware that what they're doing is illegal, though not necessarily right from the start. One of the iniquitous aspects of mule recruitment is that it's often aimed very specifically at the most vulnerable victims of a depressed - or at any rate unstable - global economy. This isn't restricted to money mules, though. For every free-spending bank-fraud entrepreneur or support scam call-centre CEO, there's an army of low-paid drones and unpaid victims of computer compromise providing buffering between the bosses and the law-enforcement agencies.

Plenty More Phish in the Sea

I won’t be discussing phishing scams further in this article, as that’s an area I’ve covered quite comprehensively in 2013 over two blog series – here and here – and some individual articles such as this one, about a paper that aims to profile the victims most likely to fall for a phishing attack. (It’s less clear how you develop a profile while avoiding the pitfalls of stereotyping.) However, I couldn't resist looking at one more phish message that exemplifies the approach that might be defined as 'if you want to get access to your bank account back, you have to click on this dodgy link here': Phurther Phish.

Mugs, Muggings, and False Friends

My colleague Urban Schrott at ESET Ireland reported this year that an all-too-familiar scam was currently hitting Irish mailboxes. I’ve talked about ‘Londoning’ at some length here previously – for instance here and here – but here’s a quick summary abstracted from a longer account.

Someone, apparently someone you know (a friend or a family member), contacts you to tell you that they’ve been stranded without money abroad somewhere, usually after being mugged at gunpoint. At one time, Americans were frequently being contacted in this way by friends or relatives apparently in London, which is why the scam is sometimes referred to as Londoning or The London Scam, though potential victims in the UK were more likely to hear that the mugging victim was somewhere more exotic, like Lagos. And, of course, they need you to send them some money.

Here’s a more recent example, mailed with the subject “Unbelievable...Urgent Help!”

I hope you get this on time, I made a trip to Manila(Philippines) and had my bag stolen from me with my passport and personal effects therein. The embassy has just issued me a temporary passport but I have to pay for a ticket and settle my hotel bills with the Manager.

I have made contact with my bank but it would take me 3-5 working days to access funds in my account, the bad news is my flight will be leaving very soon but i am having problems settling the hotel bills and the hotel manager won't let me leave until i settle the bills, I need your help/LOAN financially and I promise to make the refund once i get back home, you are my last resort and hope, Please let me know if i can count on you and i need you to keep checking your email because it's the only way i can reach you

Regards,

Farrell

Well, ‘unbelievable’ it certainly is. Not only because of the logical flaws in the story and the inconsistent textual tone, but because this particular example was sent to everyone on a security list. Nice targeting, Farrell. :)

Dial 419 for more Misinformation

So-called ‘Londoning’ or ‘Stranded in London’ scams (of course, they aren’t by any means associated only with London) are often assumed to be an offshoot of the 419 (Advance Fee Fraud) school of scamming particularly associated with West Africa, especially Nigeria. 419s have featured in my articles for ESET and elsewhere for many years (and not a few in 2013) but as I plan to return to that theme in the very near future in another blog, I won’t discuss it at length now. However, there are some ESET papers you might find of use and/or interest:

Other Scammer Snapshots

It would be perfectly feasible to spend the year blogging on scams and scamming, and still miss quite a lot of interesting examples. Since my work and interests go far beyond scamming (fascinating though I find the topic, in terms of both the criminal psychology and the victimology), I can’t claim to have done much more than scratch the surface. Still, a few interesting examples of other scams did catch my attention.

And here are my two favourite end-of-the-year spams. The first is from g3jbxyo8zk{at}myway.com. (Lovely name. Is that Welsh?)

The subject consists of the word “Diploma?” The body text consists of the same word (and question mark) plus a shortened URL. Thank you, g3, but I have all the diplomas I need at this point, thank you. (Actually, I plan on shedding some in the near future, but that’s for a completely different article.)

And here’s a delightful phishing message apparently from my friends at what we used to call the Inland Revenue (including a genuine-looking logo).

Tax Refund Confirmation

You are eligible to receive a tax refund of 868.50 GBP.
Please submit the tax refund request and click here by having your tax refund sent to your Credit Card Account in due time.

Please continue here to have your tax refund sent to your Credit Card Account,

Note : A refund can be delayed for varieties of reasons, for example submitting invalid records or applying after deadline.

Best Regards
HM Revenue & Customs

I’d like to think that most people in the UK would find this slightly suspicious.

  • Not just because it comes from the not-very-authentic-sounding official email address info@hm.mobi, rather than a more convincing hmrc.gov.uk address. (Of course, a message like this could have the headers spoofed to look as if it came from the real HMRC, so such an address doesn’t prove the mail is genuine: see below.)
  • Not just because it doesn’t seem logical for Her Majesty’s tax-collectors to be asking for credit card details: it’s not as though people are likely to pay their income tax by credit card. Of course you don’t have to hand over your login credentials in order to allow someone to pay money to your bank account, so your barebones bank account details are less useful to a scammer.
  • Not just because the English is slightly off.
  • And despite the quite authentic-looking HMRC logo at the top of the message.

But the idea of Her Majesty’s professional cheeseparers and official bloodsuckers offering an unprompted tax rebate is just so unlikely, that I think many people would already be laughing at the subject line ‘Tax Refund Security Confirmation’.

And here’s another which proves the point about spoofed but legitimate-looking addresses:

HM Revenue & Customs <refund-tax@hmrc.gov.uk>
to UK321712

Dear Applicant:

Following an upgrade of our computer systems and  review of our records we have investigated your payments and latest tax  returns over the last seven years
our calculations show you have made over payments of GBP 323.56
Due  to the high volume of refunds due you must complete the online application, the telephone help line is unable to assist with this  application.
In order to process your refund you will need to complete the attached application form.
Your refund may take up to 3 weeks to process please make sure you complete the form correctly.

To access your tax refund, please follow the steps below:

- download the Tax Refund Form attached to this email
- open it in a browser
- follow the instructions on your screen

Regards,
HM Revenue & Customs

A couple of ‘nice’ touches here:

  • As usual, the scammer doesn’t – unlike the real HMRC – know your name because he just blasts out the message to as many email addresses as he can find. However the meaningless case number – which is no doubt the same on many or all of this wave of messages – gives some spurious impression of ‘officialness’ and personalization.
  • You might think that a ‘high volume of refunds’ sounds unlikely. After all, I don’t think I’ve had an unexpected tax rebate since the 1980s, in spite of a fairly diverse range of career changes over that period. But telling you not to use the telephone help line is obviously intended to prevent you from talking to someone who might recognize this as a scam.
  • Similarly, the scammer makes sure you give him three weeks grace before you start wondering what he’s done with any information you’ve given him.
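
The two HMRC messages make the point that a From: address, however official it looks, is just a header the sender typed. What a mail filter or an analyst actually checks is whether the rest of the message agrees with it: the envelope sender (Return-Path), the host that handed the message to your own mail server, and the SPF/DKIM/DMARC verdicts your server recorded in Authentication-Results. The following Python example is added here to illustrate that check; it is not code from the original article or from ESET. The two raw messages are constructed for the example, with placeholder hostnames, addresses and IDs, and only the hmrc.gov.uk From: address echoes the phish quoted above.

```python
"""Flag a mismatch between a message's From: domain and the evidence of where
it really came from. Added illustration; uses only the Python standard library."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a phish claiming to be from hmrc.gov.uk, but handed to our
# MX by an unrelated host, with an envelope sender elsewhere and a failed SPF check.
# Hostnames, addresses and IDs are placeholders, not data from any real message.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@example-bulkmailer.invalid>
Received: from mail.example-bulkmailer.invalid (mail.example-bulkmailer.invalid [192.0.2.10])
    by mx.example.net with ESMTP id ABC123 for <victim@example.net>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example-bulkmailer.invalid; dkim=none
From: HM Revenue & Customs <refund-tax@hmrc.gov.uk>
To: UK321712@example.net
Subject: Tax Refund Confirmation

Dear Applicant:
To access your tax refund, please open the attached form.
"""

# Constructed sample of a message whose headers all agree with its From: domain.
ALIGNED_MESSAGE = b"""Return-Path: <no-reply@example.org>
Received: from mx1.example.org (mx1.example.org [198.51.100.5])
    by mx.example.net with ESMTP id DEF456 for <victim@example.net>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: Example Payroll <no-reply@example.org>
To: victim@example.net
Subject: Payslip available

Your payslip is ready.
"""

FAILING_VERDICTS = ("fail", "softfail", "none", "permerror", "temperror")


def domain_of(address_header):
    """Lower-cased domain of the address in a From:/Return-Path: style header, or ''."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def first_hop_host(msg):
    """Hostname named in the earliest Received: header.

    Each relay prepends its own Received: line, so the last one in the list is
    the earliest hop. Only the line written by your own server is trustworthy;
    anything below it could have been forged by the sender."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    match = re.match(r"\s*from\s+(\S+)", str(received[-1]))
    return match.group(1).lower() if match else ""


def auth_results(msg):
    """Extract spf=/dkim=/dmarc= verdicts from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (not a lookalike)."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoofing_indicators(raw_message):
    """Return a list of human-readable reasons the From: domain is not to be trusted."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    hop = first_hop_host(msg)
    verdicts = auth_results(msg)

    indicators = []
    if envelope_domain and envelope_domain != from_domain:
        indicators.append(f"envelope sender domain {envelope_domain} != From domain {from_domain}")
    if hop and not under_domain(hop, from_domain):
        indicators.append(f"first hop {hop} is not under {from_domain}")
    for mechanism in ("spf", "dkim", "dmarc"):
        if verdicts.get(mechanism) in FAILING_VERDICTS:
            indicators.append(f"{mechanism}={verdicts[mechanism]}")
    return indicators


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        print(label, spoofing_indicators(raw) or "no indicators")
```

Run against the spoofed sample, the checker reports four independent reasons to distrust the hmrc.gov.uk address; the aligned sample produces none. None of these checks needs the message body or the attachment, which is the point: the decision can be made before anyone opens the ‘Tax Refund Form’.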

Unfortunately, by the time I got this far in the article, I’d managed to lose the original message, so I was unable to look at the attachment to see if it was really a form (i.e. intended to harvest information by social engineering) or was in fact some form of malware: both approaches are commonly reported with HMRC scams, but at the time of writing, Peter Kruse of CSIS was able to confirm that similar scam messages are currently being used to deliver a payload that downloads Zeus P2P over SSL.

I don’t suppose this will be the last time I write about scams in the next year. Nevertheless, I wish you a happy, prosperous and scam-free New Year.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow