
SANS ISC: Scams from today's mailbag - SANS Internet Storm Center SANS ISC InfoSec Forums


Scams from today's mailbag

Here are a few scam-related messages we received in the inbox today. A common thread is that the scammers keep thinking creatively about lowering the recipient's guard:

  • The first example is a VoIP-based phishing (vishing) attack, where the scammer exploits people's tendency to trust the phone more than email.
  • In the next example, the scammer avoids asking for or promising money directly, so as not to arouse suspicions prematurely.
  • In the last example, the scammer acknowledges the dangers of scams, and claims to offer support to people who fell victim to them.

VoIP Phishing

Mike sent us a copy of a message that claimed to come from the City Credit Union, and asked the recipient to call a particular number because the recipient's account was temporarily suspended:

From: City Credit Union [mailto:do-not-reply@citycu.org]
Date: Friday, August 29, 2008
Subject: PLEASE CALL US! Account Temporary Suspended !

Dear Customer,

On August 28 14:28:34 EST 2008 you or someone changed your online password on City Credit Union website.

For security reasons, your account was temporary suspended.
If this request was not performed by you please log in and solve the problem.
To continue please call us at:

(214) 431-4XXX

We replaced the last 3 digits with XXX, just in case. According to Mike, when you call, "you get a very old style computer voice asking you to input your debit credit card number." Mike is a customer of City Credit Union.

A very similar scam was reported by the Blog of Scams a few days ago--very similar text, but it referred to APL Federal Credit Union instead. For additional examples of vishing, see an earlier diary.
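As an added illustration (not part of the original diary), here is a small mail-triage heuristic for the pattern in this message: account-pressure wording, a request to call, a phone number, and no link at all. The indicator names, keyword lists and the constructed benign sample are assumptions made for this sketch, and a match is a reason for review rather than a verdict.

```python
import re
from email import message_from_string

# Phone numbers in North American format, including masked ones like (214) 431-4XXX.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]\d{3}[\s.-][\dXx]{4}\b")
URL_RE = re.compile(r"https?://\S+", re.I)
# Keyword lists are illustrative assumptions, taken from the wording of the sample.
CALL_RE = re.compile(r"\b(call us|please call)\b", re.I)
ACCOUNT_RE = re.compile(r"\b(suspended|password|security reasons)\b", re.I)

def vishing_indicators(raw):
    """Return the names of the indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    found = []
    if PHONE_RE.search(text):
        found.append("callback_number")
    if CALL_RE.search(text):
        found.append("call_to_action")
    if ACCOUNT_RE.search(text):
        found.append("account_pressure")
    # Classic phishing needs a link; vishing replaces it with the phone number.
    if found and not URL_RE.search(text):
        found.append("no_link")
    return found

def is_suspected_vishing(raw):
    """Flag only when number, call request and account pressure all appear."""
    needed = {"callback_number", "call_to_action", "account_pressure"}
    return needed.issubset(vishing_indicators(raw))

# The message quoted above, with the number masked as in the diary.
SAMPLE_VISHING = """\
From: City Credit Union <do-not-reply@citycu.org>
Subject: PLEASE CALL US! Account Temporary Suspended !

For security reasons, your account was temporary suspended.
To continue please call us at:

(214) 431-4XXX
"""

# Constructed benign message for comparison (not from the diary).
SAMPLE_BENIGN = """\
From: Statements <statements@example.org>
Subject: Your monthly statement is ready

Your statement is available at https://example.org/statements
"""

if __name__ == "__main__":
    for name, raw in (("vishing", SAMPLE_VISHING), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspected_vishing(raw), vishing_indicators(raw))
```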

Baiting the Victim

In the next, unrelated example from today's mailbag, we encounter the dying widow of an arms dealer, looking to make friends on the Internet:

From: Hilary Whitney [hilaryw.......@gmail....]
Date: Friday, August 29, 2008
Subject: Good day

Beside India House
Aldwvch London WC2B 4NA.
Email; mrsshilarywhitney@yahoo.co.uk

Good day

Am glad to have the opportunity to contact you  with the labtop the nurse brings for me. ...

I am married to late Mr Cosmos Whitney,a licensed arms dealer and a soldier before he died in the year 1998. ... Presently,my doctor told me that i would not last for the next 30 days due to a rare form of cancer of the pancress. ...

Presently,my doctor told me that i would not last for the next 30 days due to a rare form of cancer of the pancress. ... i hoped to find a good person whom i can find trust worthy to stand as a good friend  since i don't have any relatives,friends and children's as well.And also since i have limited time to live.

I want to know if your a honest and caring person,because am not used to internet friends.

Notice that the message implies that the sender is wealthy and has no one to receive her inheritance when she passes away. This detail is meant to bait the recipient, who might hope to get the money after befriending Mrs. Hilary Whitney. While this message was submitted via email, a version of it was also distributed via blog spam as early as May 23, 2008.

Scammers Against Scams

Our last example seems to be an outreach email for helping victims of Nigerian-style scams. In reality, it is an attempt to gain the recipients' trust to defraud them. The technique is similar to the example we described in an earlier diary.

From: "Brian Adams" <baantinigeriascams@gmail.com>
Date: Sat, 23 Aug 2008
Subject: Anti Nigeria Scams Ref: 23524326

Attention:

This email is not in any manner directed to you, but its purposely and specifically directed to Nigeria Scam victims. . However, if you have fallen for Nigerian Scams, do not hesitate to contact us or visit our website for more details on how we can help.

We shall be waiting to hearing from you been certain that you were truly scammed by a Nigerian and you have proves to back your claims. Please read the full report at our website:
http://www.nigeria-scamvictims.itgo.com/

Yours faithfully,

Brian Adams
Nigerian Government Reimbursement Committee

Several instances of this scam were observed on the web recently (see 1, 2), and a Google search for "Nigerian Government Reimbursement Committee" shows numerous hits that suggest fraudulent activities.

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.
