Tag Archives: 419

The Smiling Assassin (shaken not stirred)


I recently saw this article from Mark Stockley for Sophos, entitled “Ransom email scam from ‘hitman’ demands: pay up or die”, and assumed – as I suspect many people will – that it was some particularly horrible example of ransomware. In fact, while it is pretty horrible in its way, it turns out that there’s no real malware as such involved, just social engineering of the 419 persuasion, where the scammer claims to be an assassin hired to kill the person who receives the email. I’ve written about this particular 419 sub-species several times before.

While the version noted by Mark Stockley is rather more polished and technologically up-to-date (it wants payment in Bitcoin!) than most of the 419 scam messages I’ve seen that use a similar approach, it’s not much different, fundamentally. Here’s an extract from a particularly crass example I came across some years ago.

I want you to read this message very carefully, and keep the secret with you till further notice, You have no need of knowing who i am, where am from, till i make out a space for us to see, i have being paid $50,000.00 in advance to terminate you with some reasons listed to me by my employers, its one i believe you call a friend, i have followed you closely for one week and three days now and have seen that you are innocent of the accusation

[…]

You will need to pay $15,000.00 to the account i will provide for you, before we will set our first meeting, after you have make the first advance payment to the account, i will give you the tape that contains his request for me to terminate you, which will be enough evidence for you to take him to court (if you wish to), then the balance will be paid later.

Sometime later, my friend and colleague Urban Schrott drew my attention to a spam campaign that had been causing some hilarity over at ESET Ireland. The message had the subject “YOUR LIFE IS IN DANGER,” and apparently came from someone calling himself Spike Dwaggin, though later he signs himself Dai Teatime. A commenter on one of my earlier blogs pointed out that Spike Dwaggin is a dragon from My Little Pony, that the name Dai consists of the 4th, 1st, and 9th letters of the alphabet (419 – geddit?), and told me that Dai Teatime is the assassin from Terry Pratchett’s ‘Hogfather’. (In fact, Pratchett’s assassin is Jonathan Teatime, but close enough.)

While it’s not unusual for purveyors of 419 scams to use noms de plume reminiscent of famous people (real or fictional), this one is notably rich in popular cultural references. The article cited above references a few more, if you’re interested. But here’s the message from Spike/Dai, with some comments from me.

As I sit here sipping a martini it is my regretful duty to inform you that you have been selected for assassination.

[Given the subsequent references to SMERSH, I can only assume that this would be a vodka martini (shaken not stirred).]

I am a professional assassin (I enclose my certificate of assassination as proof) and SMERSH have contracted me to assassinate you and have specifically paid extra for a particularly nasty death which makes it look like you died in a particularly bizarre sex game gone wrong; I had already bought the shire horse stallion (he’s called Henry – picture attached), the lard and the dragon dildo (from Bad Dragon of course, I only use the very best tools) when I found out that you are innocent of the accuse, so I make out this time to contact you. Unfortunately international crime syndicates won’t admit to mistakes and cancel the hit so I will be forced to carry out the assassination on you. Sorry about that old chap but rules are rules…

[Interestingly, the killer’s modus operandi seems to have been influenced by a story relating to the Russian empress Catherine the Great, who was said (quite untruthfully) to have died as a result of being somewhat over-intimate with a horse. And could this particular horse be the Henry who ‘of course dances the waltz’ in the Beatles song ‘Being for the benefit of Mr Kite’?]

There is an option for me to help you in other for you to know who had paid SMERSH for your DEATH and don’t forget my men had been monitoring you for the past few days and daily record of your activities is been sent to me but I have refuse to order your DEATH.

[If your acquaintanceship with James Bond is limited to the movies, you may be unaware that a fictionalized version of SMERSH (a real Soviet counter-intelligence agency that was wound up in 1946) plays a significant part in the very early novels. Oddly enough, a lot of commentary on 419-related forums relating to this particular example misses the fact that SMERSH and SPECTRE (a purely fictional criminal organization) are by no means the same thing, though there seems to be a certain amount of traffic from one to the other in terms of personnel. A bit like the AV industry…]

Get back to me if you value your LIFE with all due speed or else I regret I will have to carry out my original contract to assassinate you and although he is quite charming for a horse I don’t think Henry is the most sensitive of lovers.

Toodle Pip!

Dai Teatime
International Assassin

When I first saw the message on ESET Ireland’s site, I assumed it was some kind of spoof intended to amuse rather than threaten. However, after checking on one or two scam-baiter forums, it seemed that Mr Teatime was probably quite willing to take money from anyone who appeared to have fallen for his shtick. And however funny this particular message may seem to people who are security-savvy, there are others who will find messages from self-described assassins genuinely frightening. Sadly, I suspect that not all of them will come across articles like Mark Stockley’s (or even this one) to reassure them that it’s just another scam, mailed out more or less at random.

Still, sometimes all you can do with stuff like this is laugh at it.

David Harley


Support scam alert from the FBI

Another FBI alert, this time summarizing an increase in reports of tech support scams. While law-enforcement alerts are often behind the curve, there are several points well worth noting here:

  • The addition of two approaches to initial contact that have been particularly noticeable recently:
    • Via BSOD/locked screen
    • Addition of an audio message urging the victim to report the issue to a fake support line
  • An uptick in the variation where the scammer offers a ‘refund’ on ‘services’ previously paid for. This isn’t the technique much favoured by 419 scammers, where the scammer takes advantage of the time it can take for a cheque to clear. Instead, the scammer persuades the victim to give the scammer remote access to the victim’s online banking account as well as to his or her PC.
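As an added illustration (my own example, not code from the FBI alert or from the original post), here is a small Python heuristic that looks for the “locked screen” initial-contact pattern the alert describes: a page that traps navigation (fullscreen / beforeunload), auto-plays an audio file, and pairs alarmist wording with a phone number to ring. The two sample pages, the indicator lists and the scoring threshold are constructed assumptions for illustration, not a published signature set.

```python
"""Heuristic scan of a web page's HTML for the fake-BSOD / browser-locker
pattern used to open a tech support scam.

Added example, not from the FBI alert or the original post. The sample pages
below are constructed; the indicator lists and the threshold are assumptions.
"""
import re
from html.parser import HTMLParser

# Constructed sample: a fake "blocked" page with a looping audio message,
# a fullscreen / beforeunload trap and a fictitious (555) "support" number.
SAMPLE_LOCKER_HTML = """
<html><head><title>** YOUR COMPUTER HAS BEEN BLOCKED **</title>
<script>
window.onbeforeunload = function(){ return "Do not close this window"; };
document.documentElement.requestFullscreen();
</script></head>
<body>
<h1>Windows Security Alert - Error # 0x80072EE7</h1>
<p>Your computer has been infected with a virus. Call Microsoft support
immediately at 1-800-555-0199 to unlock your PC.</p>
<audio autoplay loop src="alert.mp3"></audio>
</body></html>
"""

# Constructed benign page: a phone number and an audio element, but no alarm
# wording, no vendor impersonation and no navigation trap.
SAMPLE_BENIGN_HTML = """
<html><head><title>Contact us</title></head>
<body><p>Our office number is +44 20 7946 0000. Opening hours 9-5.</p>
<audio controls src="podcast.mp3"></audio></body></html>
"""

# Assumed indicator lists (lower-cased substrings).
ALARM_WORDS = ("blocked", "infected", "virus", "call", "unlock", "security alert")
VENDOR_WORDS = ("microsoft", "windows", "apple", "support")
TRAP_JS = ("requestfullscreen", "beforeunload", "history.pushstate")
PHONE_RE = re.compile(r"\+?\d[\d\-.\s()]{7,}\d")


class _PageCollector(HTMLParser):
    """Separates script bodies from visible text and counts autoplaying media."""

    def __init__(self):
        super().__init__()
        self.scripts, self.text = [], []
        self.autoplay_media = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag in ("audio", "video") and "autoplay" in attrs:
            self.autoplay_media += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def scan_page(html):
    """Return the indicators found and a verdict (assumed threshold: 3 of 4)."""
    p = _PageCollector()
    p.feed(html)
    raw_text = " ".join(p.text)
    text, script = raw_text.lower(), " ".join(p.scripts).lower()
    hits = {}
    phones = PHONE_RE.findall(raw_text)
    alarms = [w for w in ALARM_WORDS if w in text]
    if phones and alarms:                      # "call this number" + scare words
        hits["phone_with_alarm_text"] = {"numbers": phones, "words": alarms}
    vendors = [w for w in VENDOR_WORDS if w in text]
    if vendors and ("call" in text or phones):  # vendor name used to lend authority
        hits["vendor_impersonation"] = vendors
    traps = [t for t in TRAP_JS if t in script]
    if traps:                                  # keeps the victim on the page
        hits["navigation_trap_js"] = traps
    if p.autoplay_media:                       # the audio "report this issue" message
        hits["autoplay_media"] = p.autoplay_media
    score = len(hits)
    return {"score": score, "indicators": hits, "likely_support_scam": score >= 3}


if __name__ == "__main__":
    for name, page in (("locker", SAMPLE_LOCKER_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, scan_page(page))
```

None of the four indicators is damning on its own (plenty of legitimate pages autoplay media or show a phone number), which is why the verdict is built on their co-occurrence rather than on any single string; tune the lists and threshold against your own traffic before relying on it.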

Nepal earthquake scam: out for a duck…

(But there are plenty more where he came from…)

It was, I suppose, inevitable that the earthquake in Nepal would provide an opportunity for scammers to capitalize on the misery of others. I haven’t been tracking this particular subcategory of scamming nastiness, but a pingback on one of my articles written in 2011 for the AVIEN blog about Japanese earthquake-related scams and hoaxes – actually, a link to some of the many articles relating to those scams – drew my attention to a blog by Christopher Boyd for Malwarebytes on Nepal-related scams.

In that article, the Nepal earthquake scam he highlights is a bizarrely-expressed donations scam message claiming to be from the weirdly named ‘Coalition of Help the Displaced People’:

We write to solicits [sic] your support for the up keep [sic] of the displaced people in the recent earth quack [sic] in our Country Nepal.

He also flags an assortment of Nepal-themed scam emails listed at Appriver, and a ‘dubious looking donation website’ covered in detail by Dynamoo.

Appriver’s collection includes:

  • A classic 419 claiming to be from one of the earthquake victims (daughter of a deceased politician – stop me if you’ve heard this story before…)
  • Another giving the impression it’s on behalf of the Salvation Army and World Vision: who’d have guessed that big organizations like those would use Gmail accounts? 😉
  • An exercise in guilt tripping from ‘Himalaya Assistance’ whose real purpose seemed to be to distribute a keylogger.
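The Gmail point above is a check you can automate. As an added example (my own code, not from the original post or from Appriver), the following Python looks at the headers of a charity appeal and flags the tells that list illustrates: an organisation named in the From display name or subject that does not match the sending domain, a free webmail sender, a Reply-To on a different domain, and bulk delivery to undisclosed recipients. The two sample messages, the free-mail list and the organisation-to-domain table are constructed assumptions.

```python
"""Header checks for charity-appeal emails.

Added example, not from the original post or the articles it links. The sample
messages, FREEMAIL_DOMAINS and KNOWN_ORGS are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed list of free webmail providers a large charity would not appeal from.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Assumed mapping of organisation names (as they might appear in a display
# name or subject) to the domains a genuine appeal would be sent from.
KNOWN_ORGS = {
    "salvation army": {"salvationarmy.org", "salvationarmy.org.uk"},
    "world vision": {"worldvision.org", "wvi.org"},
}

# Constructed scam-style message: big-charity name, free webmail sender,
# different Reply-To, bulk delivery.
SAMPLE_SCAM = """From: "World Vision Nepal Relief" <worldvision.relief@gmail.com>
Reply-To: wv.nepal.donations@yahoo.com
To: undisclosed-recipients:;
Subject: URGENT: Nepal Earthquake Relief Donation

Dear Friend, we write to solicit your support for the displaced people...
"""

# Constructed legitimate-looking message for comparison.
SAMPLE_LEGIT = """From: "World Vision" <appeals@worldvision.org>
To: supporter@example.com
Subject: Nepal earthquake: how you can help

Thank you for your continued support...
"""


def _domain(address):
    return address.rpartition("@")[2].lower()


def check_charity_email(raw):
    """Return the organisations claimed, the findings, and a verdict."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    haystack = (display + " " + msg.get("Subject", "")).lower()

    findings = []
    claimed = [org for org in KNOWN_ORGS if org in haystack]
    for org in claimed:  # name-dropped organisation vs. actual sending domain
        if from_domain not in KNOWN_ORGS[org]:
            findings.append(f"claims '{org}' but sent from {from_domain}")
    if from_domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses free webmail ({from_domain})")
    if reply_domain and reply_domain != from_domain:  # replies go elsewhere
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if "undisclosed-recipients" in msg.get("To", "").lower():
        findings.append("sent to undisclosed recipients (bulk mailing)")
    return {"claimed_orgs": claimed, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, check_charity_email(raw))
```

The From header is trivially forgeable, so a clean result here proves nothing on its own; the check is useful in the other direction, because a scammer who cannot send from the real domain usually does not bother to pretend to.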

US-CERT also warns of ‘potential email scams’. As well as generic advice about mistrusting links and attachments and keeping security software up to date, the alert very sensibly advises the use of the Federal Trade Commission’s Charity Checklist. The FTC’s page includes sections on:

There are a number of ways of checking the bona fides of a charity, including Charity Navigator (http://www.charitynavigator.org/) and Charity Watch, formerly the American Institute of Philanthropy (http://www.charitywatch.org).

In the UK, GetSafeOnline also has a guide to protecting yourself from charity scams, including resources for checking the status of UK charities:

I’ll leave the last word to Chris Boyd, since I couldn’t agree more and couldn’t have put it any better:

Scammers riding on the coat-tails of disasters are the lowest of the low, and we need to remain vigilant in the face of their antics – every time they clean out a bank account, they’re denying possible aid to the victims of the quake and creating all new misery elsewhere. That’s quite the achievement…

David Harley 

Advance Fee Fraud and Human Frailty

In an interesting blog on a fake Adobe update email, Graham Cluley asks “Is there a patron saint of computer users?” (In an update to that blog, he later noted that there is indeed: one St. Isidore of Seville, who can be seen at http://saints.sqpn.com/saint-isidore-of-seville/ apparently engaged in a little RTFM.)

In my gloomier moments, I sometimes think that the patron saint of computer security must be St. Jude, whose specialty is desperate cases and hopeless causes. Though I think most of that gloom is from despair at the depths to which human beings will sink when it comes to exploiting the frailty of others, whether it’s sheer naivete and gullibility, or the deterioration of the faculties that sometimes comes with age. So they tell me. 😉

I’ve just blogged on a particularly nasty practice (not particularly an infosec issue, though not unrelated) that always makes my blood boil: the targeting of the elderly. While the piece is largely concerned with snailmail exploitation, I suspect we’ll see more of this happening online as the number of silver surfers continues to grow.

My blog is here:
http://www.eset.com/threat-center/blog/2010/01/04/advance-fee-fraud-another-aspect.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com