Wednesday, October 31, 2007

Website Owners - The Next Target of 419 Scammers?

By Coenraad De Beer

A couple of weeks ago I did an article on a 419 scammer who used Google to find possible victims. I analysed a very interesting 419-scam e-mail today that made it quite clear that the swindlers are slowly starting to change their tactics. The old methods are not working as well as they should, so scammers are looking for new and improved methods to claim new victims. Believe me, the dumb, idiotic scammers with their hilarious con stories are becoming smarter by the day.

The typical "Dear sir/madam" e-mails may soon be a thing of the past if all 419 scammers start to operate like Ferdinand Traore from Togo. Ferdinand sent an e-mail to a website owner after pulling his name, surname and e-mail address from the "Contact us" page of his website. Below is a copy of the e-mail that he wrote (the e-mail has not been edited in any way; I only changed the name of the website owner to John and his surname to Doe, to protect his identity).

"Dear John Doe,

Please forgive my using this means to reach you but I cant think of any other way of letting you know the urgent matter at hand. I acted as personal attorney to the (late) Engr. M.A. Doe, who lived and worked here for more than twenty years as a major contractor and businessman.

On the 18th of Novermber 2004 he and his wife and only daughter were involved in an automobile accident while visiting a neighboring country on vacation. They were buried two weeks after and I have exhausted all means of reaching who may have been related to them. This has been made more difficult because no mention was made of any relative while he was alive.

To the best of my knowledge, before his death, he had an investment deposit totalling more than Eighteen Million Five hundred thousand United States Dollars($US18.500.000.00) with the major bank here and now they have asked me to provide a next of kin if there is, or the estate will then revert to the government and so it would be lost.

My proposal is that you allow to be presented for this role so that documentation can be processed and payment made in your favour. This is a project which will see us partner to realise. I would be willing for us to discuss terms of participation in order to protect our various interests.

I want to assure you right away that I have positioned this deal to not last for more that two weeks. I shall be willing to discuss futher on this if write back or send to me your direct telephone number so we can discuss in the type of confidential atmosphere which this matter requires.

Awaiting your immediate response.

Ferdinand Traore (Esq).

Traore Chambers & Associates,
Rue Du Commerce Avenue B.P.120,
Lome-Togo
"

You can easily be drawn into this e-mail because at first glance you may think it is a relative who died. If this happens, the scammer has achieved his first goal: to get your attention. If he has your attention he can play with your mind. The plot is simple: a lawyer contacts you in search of a next of kin for a deceased person who has the same last name as yours. Very convenient, don't you think? The deceased person was loaded with cash, making the proposal very attractive to the unwary victim.

You may argue that there is nothing special about this e-mail, besides the fact that he addressed the victim directly by name and not via the generic "Dear sir/madam" introduction. Furthermore, the spelling and grammar are horrible, so it is easy to spot the scam in this e-mail. It is a classic inheritance scam e-mail, with the promise of a ridiculously large sum of money. Ferdinand sent the e-mail from ferdinandtraore.4to1957@yahoo.co.uk but the victim had to reply to ferdinandtraore.tgo1957@yahoo.co.uk, another common characteristic found in 419-scam e-mails. All the signs are there, so what is so special about this specific e-mail?

It is not the e-mail that's unique, but the methods used by the scammer to collect information about the victim. A closer look at the visitor statistics of this website revealed a visit from Togo, with the same IP address (41.207.162.4) as the one found in the e-mail header. So there was no doubt about the identity of this visitor: it was most definitely our friend Ferdinand Traore (oops, did I forget to add the "Esq" suffix after your name? Sorry Ferdinand). The traffic came from a Google search for a specific surname, in this case not the surname of the website owner, but a surname that appeared on one of his web pages.

The scammer appended "co.za" to the search string, which tells me he was looking for South African websites (or South African website owners). He also placed "2007" in front of the surname. Why? Websites contain copyright notices, often followed by the name of the website designer. Most copyright notices contain a year, and active websites change this number each year; some web designers do this via a script and others do it by hand. The scammer was probably looking for websites containing a 2007 copyright notice. This would certainly keep the search results fresh and minimise the risk of using outdated contact information.
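The checks described above (a Reply-To address that differs from the sender, the header IP matched against the site's visitor log, and the search query in the referrer) can be scripted. This is an added example, not part of the original article: the message, the log lines, the recipient address and the placeholder "surname" are constructed, and only the two Yahoo addresses and the IP address are taken from the article.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample message; only the two addresses and the IP come from the article.
RAW_EMAIL = """\
Received: from [41.207.162.4] by web.mail.example with HTTP; Wed, 31 Oct 2007 09:12:00 +0000
From: Ferdinand Traore <ferdinandtraore.4to1957@yahoo.co.uk>
Reply-To: ferdinandtraore.tgo1957@yahoo.co.uk
To: john@example.co.za
Subject: Urgent

Dear John Doe, ...
"""

# Constructed access-log lines (combined log format); "surname" is a placeholder.
ACCESS_LOG = """\
198.51.100.7 - - [30/Oct/2007:08:01:11 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
41.207.162.4 - - [30/Oct/2007:14:22:05 +0200] "GET /contact.html HTTP/1.1" 200 2048 "http://www.google.com/search?q=2007+surname+co.za" "Mozilla/4.0"
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "([^"]*)"')

def analyse(raw_email, access_log):
    """Flag a From/Reply-To mismatch and find log visits from the header IPs."""
    msg = email.message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Bracketed IPs in Received headers. Headers below the one added by your
    # own mail server can be forged, so treat a match as a lead, not proof.
    ips = {ip for hdr in msg.get_all("Received", []) for ip in IP_RE.findall(hdr)}
    searches = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) in ips:
            # The referrer's "q" parameter is the search that led to the site.
            query = parse_qs(urlparse(m.group(2)).query).get("q", [])
            if query:
                searches.append((m.group(1), query[0]))
    return {
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
        "sender_ips": sorted(ips),
        "searches": searches,
    }
```
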

In the previous article I mentioned a 419 scammer who targeted American citizens using specific e-mail services like Yahoo! and AOL. This scammer searched for the latest contact details of certain South African website owners. I'm sure they expand these searches to other countries as well, but one thing is for certain: they are using specific contact information to send targeted and relevant e-mails to possible victims. Later today someone else reported a scam e-mail with the exact same plot. Once again the scammer knew the name and surname of the victim and addressed him accordingly. The victim of this e-mail was a job seeker who posted his resume on several online recruitment websites. So the scammers are using several online resources to harvest personal information about their victims.

An e-mail addressing you personally is no longer a guarantee that it came from a trustworthy source. The fact that the sender knows your name and last name does not necessarily mean that he legitimately obtained this information or that he has legitimate intentions. People should look deeper into the e-mail for other obvious signs exposing its true nature. I mentioned a couple of common characteristics earlier in this article that will help you to identify other e-mails just like this one. But not all these characteristics are present in every e-mail scam, making it hard to define a single set of rules that will apply to all e-mail scams. Common sense is the only true weapon that's dynamic enough to adapt to the different methods used by e-mail scammers today.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops.

4 comments:

Jason said...

Thanks for the heads up. I got this same email today and thought I'd check to see if someone else got the same email.

Anonymous said...

CJK Thank you, it is sites like this that help stop the scams.

Fred ;) said...

Cheers for the info. I replied and told him to go F*!@ himself.

C++ Genius said...

Nice one Fred. But remember, it's not always a good idea to reply to these scammers (unless you use a disposable e-mail address). Replying to 419 scammers only results in more spam.