Tuesday, September 02, 2008

How To Verify Whether a Suspicious E-Mail is a 419 Scam

In my last article I explained how to spot a 419 scam by paying attention to the common characteristics of 419 scams. In this article I will explain how to identify a 419 scam by looking at the cold hard facts.

The majority of 419 scammers conform to standard procedures (not standards) and send scam e-mails that can be identified quite easily by analysing these e-mails against a set if common 419 scam characteristics. However, you will always get the case where a scammer sends an e-mail that's out of the ordinary, one that contains absolutely no common characteristics of a 419 scam. It is in cases like these when you need to follow your gut feeling, which is quite easy if you analyse 419 scam e-mails on a daily basis, because you know how a 419 scammer's head works, but it is a problem for people who don't understand how these scammers operate. If you can't spot any common characteristics of a 419 scam in a suspicious e-mail, you will need cold hard facts to prove its fraudulent intent.

It is surprising to see how many people resort to the lazy way of verifying a 419 scam. What do I exactly mean by "the lazy way"? The lazy way is the quick "IS THIS A SCAM?" post on a discussion board or a social community website like Yahoo! Answers, while the answer is readily available through a search engine like Google or Yahoo. Always remember there are only a handful of people (mostly volunteers) who devote their time to battle online crime, so it is a waste of valuable resources if people simply resort to a quick and comfortable e-mail or forum post, to have the answer presented to them by someone else, if they could have found the answer themselves. Don't get me wrong, people should always ask around before acting on a suspicious e-mail, but you should only resort to assistance from someone else, if you are still unsure after looking for the answers yourself.

But there is another problem in asking for help without looking for the answers yourself. If you ask for help in the wrong places you can easily get the wrong answers. Only ask questions in places where you are sure you will get answers from experts in their fields. I can recall an incident in February 2008 where someone asked a question on Yahoo! Answers about a the legitimacy of a website called dhl-postit.com. At this stage there were a couple of Romanian scammers who pretended to sell mobile phones to their victims and used fake courier websites to defraud people from their hard earned money. The website was initially reported to Cyber Top Cops by a victim(1) of this scam and I discovered the post on Yahoo! Answers while doing some research about the fraudulent website. I was shocked by the response to this question. A contributor called Gerry(2) told the original poster that the website was safe and that he dealt with them all the time. Gerry's profile is no longer active any more, he most likely got kicked from Yahoo! Answers because there is no doubt in my mind that this guy was the scammer himself. What kind of victim will vouch for a website that only defrauds people? The sad thing however is that the original poster believed him and found the response very helpful. The poster asked the same question in a different section of Yahoo! Answers and even on the second attempt, the poster still received a misleading and inaccurate answer. What lesson can be learned from this example? You should never act on the information found on one site only, you should always look for a second and third, yes even a fourth opinion, just to make 100% sure all the facts add up. If you are still not 100% sure about the e-mail or website, look for expert help.

The sad reality is that many people still doesn't know how to use a search engine, not even to speak of researching an e-mail scam on the Internet, so I will try to explain both in this article, but with the emphasis on finding scam related information on the Internet. I will be using information from a real 419 scam e-mail in my instructions below. For simplicity I will provide instructions from Mozilla Thunderbird as the e-mail client and Mozilla Firefox as the web browser. For the more advanced readers of my articles, please bear with me for a couple of moments, I know this is already common sense to most people, but believe me there are people out there who don't even know how to do a simple search on Google and I'm trying to reach out to them. Chances are good that most of my subscribers already know how to search for scam related information on Google, so if you know someone who has trouble finding stuff on the Internet, please refer him/her to this article, you might just save someone from falling victim to a 419 scam.

Lets say you received an e-mail from contactfbihq016@earthlink.net. To search for this e-mail address in Google, do the following:
  1. Copy the e-mail address from the e-mail itself: Right-click on the "From:" e-mail address and select "Copy Email Address" from the drop-down menu.

  2. Go to Google.com: Open your browser (Internet Explorer, Firefox, Opera, or whatever you use for browsing the web), type www.google.com in the address bar and press the Enter key on your keyboard.

  3. Wait for Google to open and paste the e-mail address in the search box: Right-click inside the search box and choose "Paste" from the drop-down menu.

  4. Now click on "Google Search" and wait for the search results to appear.

It is very unlikely that you will find anything for this e-mail address (at this moment), so lets repeat the process for the "Reply-To" e-mail address, fbiwashingtonfield@fedbureau-ofinvestigation.org. Once again, a search for this e-mail address will most likely deliver no results (except a link to this article perhaps, once a search engine has crawled and indexed this page).

The scam e-mail also contains an instruction to contact someone that goes by the name of Prof. Charles Chukwuma Soludo, so lets do a Google search for "Prof. Charles Chukwuma Soludo".

  1. Copy the text from the e-mail: Select the text "Prof. Charles Chukwuma Soludo" from the e-mail, right-click on the highlighted text and select "Copy" from the drop-down menu.

  2. Repeat steps 2, 3 and 4 above.

Among the search results you will find links to websites like 419.bittenus.com, 419scam.org, 419baiter.com and even Wikipedia. You are basically looking proof that the name of Prof. Charles Chukwuma Soludo is being used in 419 scam e-mails. All four of the websites mentioned earlier will contain this kind of information. Remember this does not mean that the real Prof. Charles Soludo is involved in any 419 scams, it merely proves that 419 scammers are abusing his name to add credibility to their fraudulent e-mails. If you can't find any useful information on a specific web page, simply hit the "Back" button of your browser to return to the search engine results page and choose another link from the results.

Scam e-mails also contain telephone numbers and secondary e-mail addresses, so can you do a Google search for them just like you did with the name of Prof. Charles Soludo. To test yourself, do a search with Google or Yahoo and see if you can find any information about +234-8054740218 and p.charles.soludo@centbnkingonlineng.org.

But how do you identify a fraudulent or fake website? If you want to analyse a suspicious website you need to do the following:

  1. Look for common 419 characteristics. Funny names and e-mail addresses, spelling errors, bad grammar, silly web design mistakes, etc. You will find more details about this operation in my article, How To Spot a 419 Scam.

  2. Do a Google search for the website address and analyse the search results, just like you would do for a suspicious e-mail address (as already explained).

  3. Copy a phrase from the website and do a literal Google search for this phrase (in other words enclose the search phrase in double quotes).

  4. Do a WHOIS lookup on the domain name for more information about the owners, the creation and alteration dates of the domain.

I already discussed points 1 and 2, so I will explain points 3 and 4 in greater detail below:

Do a Literal Search For a Phrase From the Suspicious Website
Why do a literal search for a piece of text from a suspicious website? The idea here is to find another website with the exact same phrase. This will help you to identify other websites containing the exact same content as the suspicious one. 419 scammers often scrape website content from legitimate and trustworthy organisations and pose as legitimate organisations to add credibility to their schemes. But they don't copy the content alone, they copy the layout and graphics as well, in other words they create a complete replica of the original site and only change key elements like the the contact details and sometimes the name of the organisation. But it is important that you search for a phrase that is unlikely to be published or syndicated elsewhere on the web. The phrase has to be a unique piece of text that contains no names, e-mail addresses or anything that has the likelihood of being changed by the scammers.

I know this is easier said than done and most people won't have a clue what to search for or how to analyse the search results. So to make things easy, just copy a piece of text from the home page of the suspicious site, paste it into a Google search box, enclose the phrase with double quotes and click on Google Search. Now look for websites with the same content, layout, graphics and overall design. Several websites with the exact same content and layout is often a sign of a 419 scammer at work. If you can find only one other website with the same content and layout, you probably stumbled across the original website (but this is never a guarantee, you will soon see why).

These search results are not always a clear-cut case and you should always to keep the following in mind:

  1. You may find the original website among the search results as well, so don't just assume that all of them are fraudulent.

  2. The fact that you have found several copies of the same site, does not necessarily mean that they are copies of a legitimate or trustworthy site. 419 scammers can easily design a website from scratch.

  3. The website ranked in the number one spot of the search engine results, is not necessarily the original website. 419 scammers can always use black hat search engine optimization techniques to outrank the original website.

  4. You should never judge a website just because it has been copied on another domain. Content scrapers and plagiarists are all over the web and there are way to many variables to consider when it comes to content syndication. This method only forms a small part of the overall process of identifying fake and fraudulent websites and is never the deciding factor.

Do a WHOIS Domain Name Lookup
You may use any WHOIS service you prefer, but I suggest DNSStuff.com. Simply visit this site and enter the domain name in the WHOIS lookup box and click on the search button. You will be taken to a results page where you can view more information about the domain. There may be a lot of technical information for some users, but in most cases you only need to pay attention to the following:

  1. The creation date of the website. If the website is relatively new, be on high alert. What do I regard as new? Fraudulent websites do not have a very long lifespan (on average, but this is not always the case). I normally use a safety margin of 3 months, but this is no guarantee at all, because a suspended website can always be reactivated after 3 months. The age of the website is merely a sign and is in no way a deciding factor.

  2. Recent changes to the WHOIS records. This goes hand-in-hand with the creation date of the domain, so there is no need to explain this any further.

  3. The owners of the domain. If it is owned by someone who live in one of the 419 scam hotspots, it is most likely a fraudulent website. I discussed these hotspots in my previous article, How To Spot a 419 Scam. Scammers often provide fake personal information, so this is never a reliable source of information. Fortunately you get certain scammers who are stupid enough to tell the public where they live.

  4. Do the owners use a privacy protection service like privacyprotect.org or myprivateregistration.com? You can determine this by looking at the contact e-mail addresses. It is normally a bunch of crooks who use these services, so it is yet another sign of a fraudulent website. (I'm not saying that you are a crook if you use these services, I'm merely referring to the fact that scammers prefer to use these services, because this enables them to hide their true identity. It remains a joke no matter how you look at it, because they provide false information anyway, so what is the use of hiding it?).

Another way to verify whether a suspicious e-mail is a 419 scam, is to do a trace on the sender's IP address. This works a lot like a domain name lookup, it's only called an IP-WHOIS (or IP Info) lookup and DNSStuff.com also provides this service. An IP-WHOIS lookup provides geographical information among other technical information about the IP address, so you basically do an IP-WHOIS lookup to determine the geographical location of the sender. If you have the geographical location of the sender you can easily tell whether the e-mail originated from a 419 scam hotspot. I'm not going into the details of doing an IP lookup because it involves the analysis of the e-mail header and many people don't even know where to look for them. So I will leave this for another article perhaps. I want to keep the methods in this article as simple as possible and I feel that I already overstepped this boundary a couple of times.

If you have any questions about the methods discussed in this article, feel free to ask them in the comments section of my blog and I will do my best to explain.

(1) The person who reported the website to us, never responded to our follow-up e-mails, so I am not sure if this is the same person who asked the questions on Yahoo! Answers, but the fact that the report to Cyber Top Cops came on the same day as the question posted on Yahoo! Answers, makes me confident that this is the same person.

(2) It remains a mystery why Yahoo! never removed this question and the misleading responses from Yahoo! Answers, even after we reported Gerry to Yahoo! Answers. Perhaps he got suspended due to another contravention of the Yahoo! Answers Terms of Service.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, analysers of security software and raising awareness about internet fraud and malicious software.

No comments: