ITsecurity

The 419: Mugs and Mugus

Posted by David Harley on September 23, 2015.

I was delighted to receive the following invitation recently from someone calling himself Heinz:

… I have an offer worth 23million if interested,
please contact me

I wonder what it’s worth if I’m not interested? (And 23 million of what? If we’re talking about bedbugs or Zimbabwean dollars I’m not at all interested.)

Grammatical pedantry apart, this is an obvious 419 scam email. Fortunately, I stopped believing in Santa Claus and something-for-nothing some years ago.


A 419? That’s an example of ‘Advance Fee Fraud’ (AFF), a type of scam where the scammer hopes to persuade you to send him money in the expectation that you’ll get goods or services or large sums of money that are never going to arrive. It’s called a 419 because that’s the section of the Nigerian Criminal Code Act that apparently covers:

Any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years.

If the thing is of the value of one thousand naira or upwards, he is liable to imprisonment for seven years.

[…]

Any person who by any false pretence or by means of any other fraud obtains credit for himself or any other person-

  1. in incurring any debt or liability; or
  2. by means of an entry in a debtor and creditor account between the person giving and the person receiving credit, is guilty of a felony and is liable to imprisonment for three years.

[…]

419B. Where in any proceedings for an offence under section 419 or 419A it is proved that the accused-

 (a) obtained or induced the delivery of anything capable of being stolen; or

 (b) obtained credit for himself or any other person, by means of a cheque that, when presented for payment within a reasonable time, was dishonoured on the ground that no funds or insufficient funds were standing to the credit of the drawer of the cheque in the bank on which the cheque was drawn, the thing or its delivery shall be deemed to have been obtained or induced, or the credit shall be deemed to have been obtained, by a false pretence unless the court is satisfied by evidence that when the accused issued the cheque he had reasonable grounds for believing, and did in fact believe, that it would be honoured if presented for payment within a reasonable time after its issue by him.

Even this dry chunk of legalese implies the intention of covering a wide range of scams, and there are certainly many varieties of AFFs and 419-related scams, though they don’t all come from this particular Heinz or from the noted purveyor of baked beans.

For instance:

  • Lottery scams (where you’re supposed to pay a tax and other expenses before you can receive an enormous cheque after you win a lottery you didn’t actually enter and have never heard of).
  • Cheque overpayment fraud, a variation on fake/bouncing cheque fraud.
  • Assassination threats: paying off the assassin.
  • Job scams where you pay an agency a fee for getting a job that doesn’t exist.
  • Inheritance fraud.
  • Scams based on transferring funds from people claiming to be bank officials, US troops in the Middle East, even a Nigerian astronaut and the Pope.
  • Business ‘opportunity’ scams.
  • Dating scams.
  • Political refugee appeals: a request for help from a political refugee to get their money out of the country and into yours.
  • Philanthropic/Religious appeals: requests for help with the distribution of money for charitable purposes. Often appears to be from a private individual who is dying, or the representative of a religious or philanthropic organization, including the Vatican.
  • Mule recruitment messages: messages that resemble classic phish-related “jobs” in money-laundering but have a decidedly “419” flavour. Most often, though, these turn out to be another variation on advance fee scams tied to job “opportunities.”
  • Disaster scams: Personal disasters and bereavements are often used as hooks for 419s, but so are armed conflicts, earthquakes and tsunamis. They may be used to supply spurious circumstantial detail to lend credibility to a scam story, but are also frequently used as the basis of false charitable/disaster relief appeals.

Of course, there are many more variations and sub-variations, some of them quasi-personalized.

Believe it or not, this isn’t the tersest 419 I’ve seen. Last year, I wrote:

Footnote. Or Foot in Mouth Note.

And the award for the laziest 419 of the month goes to roselyngrey2, who sent me a message with the subject “I have a project. If interested. Reply”. Yes, that’s how it was punctuated. And there was no message body. I find it hard to imagine that anyone has ever fallen for that one…

You might think that the point of this kind of brief message is that it’s quite difficult to filter using software that looks for phrasing and phraseology that’s characteristic of the elaborate stories that so many 419-scammers concoct. And I’m pretty sure that explains why some 419s are delivered as attachments, especially graphics files such as .JPGs (but also Microsoft Word documents, PDFs and so on). It’s not by any means impossible to read text presented in a graphic using some form of optical character recognition software, but that’s more resource-intensive than a simple text filter.

(It is worth remembering, incidentally, that Microsoft Office documents, PDFs et al are very commonly used to deliver malware via vulnerabilities in document formats. This type of attack is mostly associated with APTs and targeted phishing rather than AFF, but 419-scammers do try new approaches to monetization from time to time.)
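The filtering problem described above is easy to see in code. The following is an added example (not from the post or any product it mentions): a phrase-based 419 filter beside a set of structural signals that do not depend on the scammer writing a long story. The sample messages are constructed; the first two paraphrase the ones quoted in the post, and the phrase list and thresholds are illustrative assumptions.

```python
"""Why phrase-based 419 filters miss the terse variants, and what structural
signals can catch them. Added example code (not from the post); the sample
messages below are constructed, two of them paraphrasing ones the post quotes."""
import os
import re

# Phrases typical of the elaborate 419 narratives (illustrative, not exhaustive).
AFF_PHRASES = [
    r"\bnext of kin\b", r"\bbeneficiary\b", r"\btransfer of funds\b",
    r"\bbusiness proposal\b", r"\blottery\b", r"\binheritance\b",
    r"\bbank official\b", r"\bstrictly confidential\b", r"\bdeceased\b",
]
# Attachment types the post mentions as carriers for scam text (or malware).
RISKY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx", ".pdf"}
MONEY_RE = re.compile(r"\b\d[\d,.]*\s*(?:million|thousand|usd|dollars?)\b|[$£€]\s*\d", re.I)
BAIT_RE = re.compile(r"\b(?:if interested|contact me|reply)\b", re.I)


def phrase_score(text):
    """Classic content filter: number of distinct 419 phrases present."""
    return sum(1 for p in AFF_PHRASES if re.search(p, text, re.I))


def structural_signals(msg):
    """Signals that do not depend on the scammer writing a long story."""
    subject = msg.get("subject", "").strip()
    body = msg.get("body", "").strip()
    attachments = [a.lower() for a in msg.get("attachments", [])]
    words = len(body.split())
    signals = []
    if words == 0 and subject:
        signals.append("subject_only")            # the pitch lives in the subject line
    elif words < 25:
        signals.append("very_short_body")
    if MONEY_RE.search(subject + " " + body):
        signals.append("money_figure")
    if BAIT_RE.search(subject + " " + body):
        signals.append("reply_bait")              # "if interested, contact me"
    if attachments and words < 25 and all(
            os.path.splitext(a)[1] in RISKY_EXTENSIONS for a in attachments):
        signals.append("attachment_only_pitch")   # text moved into an image/document
    return signals


def classify(msg, phrase_threshold=2, signal_threshold=2):
    """Flag on narrative phrases OR on two or more structural signals."""
    p = phrase_score(msg.get("subject", "") + " " + msg.get("body", ""))
    s = structural_signals(msg)
    if p >= phrase_threshold:
        return "flag:phrases"
    if len(s) >= signal_threshold:
        return "flag:structure"
    return "pass"


# Constructed samples: the first two paraphrase messages quoted in the post.
SAMPLES = {
    "heinz": {"subject": "offer",
              "body": "I have an offer worth 23million if interested, please contact me"},
    "roselyngrey2": {"subject": "I have a project. If interested. Reply", "body": ""},
    "image_only": {"subject": "Re:", "body": "", "attachments": ["offer.jpg"]},
    "classic": {"subject": "URGENT BUSINESS PROPOSAL", "body": (
        "I am the next of kin of a deceased bank official and seek your help "
        "with a transfer of funds; treat this as strictly confidential.")},
    "legit": {"subject": "lunch", "body": "Hi David, still on for lunch on Friday? Let me know."},
}


def run_samples():
    """Map each sample to its verdict; a phrase-only filter would pass the first three."""
    return {name: classify(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        m = SAMPLES[name]
        print(f"{name:13s} phrases={phrase_score(m['subject'] + ' ' + m['body'])} "
              f"signals={structural_signals(m)} -> {verdict}")
```

The short legitimate message triggers only one structural signal and passes, which is the point of requiring signals to stack: brevity alone is not suspicious, brevity plus a money figure plus a reply hook is.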

All that said, some believe that there is a trend among 419 scammers towards more efficient targeting. The presumption is that most people are likely to be suspicious of any message offering grotesquely large financial rewards from Nigeria or elsewhere in West Africa because of the age of the scam and the fact that some of the messages are so stereotyped. While many scammers have therefore generated elaborate messages intended to avoid sparking recognition of the scam, Microsoft’s Cormac Herley answers his own question Why do Nigerian Scammers Say They are from Nigeria? by suggesting that:

Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.

In fact, there’s evidence that some ‘Nigerian’ 419s aren’t from Nigeria at all: certainly we use the blanket term 419 for many types of message, but individual instances of messages in those categories might have been sent from anywhere.

What about these comically, telegraphically short messages? It does seem to me that they might actually fit into this model of increasing Return On Investment by allowing a potential victim to identify himself as what the scammers call a mugu (big fool) simply by responding to a message that makes promises most of us would consider laughable.
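Herley's argument, and the suggestion above that terse messages fit the same model, is easier to take seriously once the arithmetic is written down. The following is an added example, not from the post or from Herley's paper: a Bayes-style calculation of the share of repliers who are genuine marks, and a toy campaign model in which every reply costs the scammer manual follow-up effort. All reply rates, costs and payouts are constructed assumptions chosen to illustrate the effect, not measured values.

```python
"""Herley's self-selection argument as a worked calculation. Added example,
not from the post or the paper; every number below is a constructed assumption."""


def responder_precision(prevalence, reply_rate_mark, reply_rate_other):
    """Fraction of people who reply who are genuine marks (Bayes' rule).

    prevalence       : share of recipients who would actually go on to pay
    reply_rate_mark  : probability such a person replies to the pitch
    reply_rate_other : probability everyone else replies (false positives)
    """
    true_pos = prevalence * reply_rate_mark
    false_pos = (1.0 - prevalence) * reply_rate_other
    return true_pos / (true_pos + false_pos)


def campaign(n_sent, prevalence, reply_rate_mark, reply_rate_other,
             cost_per_reply, payout_per_mark):
    """Scammer's economics: every reply costs follow-up effort (the manual,
    expensive part of a 419) and only true marks ever pay out."""
    marks = n_sent * prevalence * reply_rate_mark
    others = n_sent * (1.0 - prevalence) * reply_rate_other
    replies = marks + others
    return {
        "replies": replies,
        "precision": marks / replies,
        "profit": marks * payout_per_mark - replies * cost_per_reply,
    }


def compare_pitches(n_sent=1_000_000, prevalence=0.001,
                    cost_per_reply=5.0, payout_per_mark=100.0):
    """A plausible pitch draws replies from the curious and the sceptical; a
    comical one repels almost everyone except the most gullible, and even
    loses a few of the marks. Reply rates are constructed assumptions."""
    return {
        "plausible": campaign(n_sent, prevalence, 0.5, 0.01,
                              cost_per_reply, payout_per_mark),
        "comical": campaign(n_sent, prevalence, 0.4, 0.0005,
                            cost_per_reply, payout_per_mark),
    }


if __name__ == "__main__":
    for label, r in compare_pitches().items():
        print(f"{label:9s} replies={r['replies']:8.1f} "
              f"precision={r['precision']:.3f} profit={r['profit']:9.1f}")
```

With these numbers the plausible pitch generates more than ten times as many replies, yet fewer than one in twenty of them come from someone who will pay, and the follow-up cost exceeds the take; the comical pitch converts almost half of its repliers. A message so brief that only a self-identifying mugu would answer it sits at the far end of that same trade-off.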

I don’t believe that being naïve about scam messages is necessarily foolishness – it’s easy for people who’ve had access to the internet for decades to be condescending towards newbies, but I’ve seen IT professionals fall hard for scams and hoaxes – and I certainly don’t think that gullibility on the part of the victim justifies fraud. Still, it’s probably a good idea not to get into conversations with these guys. (Unless you’re one of those people who enjoys baiting scammers and wasting their time by pretending to be a sucker, in which case why would I disapprove?)

Unknown people who turn up in your mailbox wanting to give you something for nothing (sometimes we call these windfall scams) are not to be trusted. However, even 419s use other forms of social engineering as a lure: threats and humanitarian appeals, for example. Other scams such as phishing also use more than one form of social engineering, and while they are also often stereotyped in format – no personalization, threat of immediate loss of access to funds, and so on – that stereotyping may not be so easy to identify for the man in the street.

To quote a paper from 2007 by myself and Andrew Lee:

There is no absolute, infallible test for discriminating between phishing mails and legitimate mails, either by eye or using automated software. Indeed, part of the problem is that occasionally, bad practice on the part of targeted organizations makes it easy for the scammer to generate mails that look very similar.

There are, however, a number of useful indicators.

  • Email from a bank or other institution concerning an account with them that you don’t actually have is obviously suspicious. It’s almost certainly been sent to a number of email addresses the scammer got hold of, in the hope that in some cases, they’d strike lucky and someone with an account at that institution would get the message.
  • There is, or should be, an obligation for any institution sending email relating to sensitive data to personalize it in some appropriate way so that you can be reasonably sure it comes from where it says it comes from.
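The two indicators in the quoted list, plus the loss-of-access threat mentioned earlier in the post, can be turned into checks a mail client or gateway could run. The following is an added example, not code from the 2007 paper: it parses a raw message with Python's standard email module, compares the institution named in the From display name against the institutions the recipient actually deals with, and looks for a generic salutation in place of the recipient's name. The two messages, the institution names and the reserved .example domains are constructed. The display name is of course under the sender's control, which is exactly why the check is about the claimed institution rather than any proof of origin.

```python
"""The phishing indicators quoted above, as checks over raw RFC 822 text.
Added example code, not from the 2007 paper; the messages below are
constructed and use hypothetical institutions with reserved .example domains."""
import re
from email import message_from_string
from email.utils import parseaddr

# Salutations that address nobody in particular.
GENERIC_SALUTATION_RE = re.compile(
    r"^\s*(?:dear|hello|hi)\s+(?:customer|valued\s+(?:customer|member|client)|"
    r"user|account\s+holder|member|sir/madam)\b", re.I | re.M)
ACCOUNT_RE = re.compile(r"\byour\s+(?:account|card|login|online banking)\b", re.I)
THREAT_RE = re.compile(r"\b(?:suspend|locked|restricted|within\s+\d+\s+hours|immediately)", re.I)


def phishing_indicators(raw_message, my_institutions, my_name):
    """Return the names of the indicators that fire for one message.

    my_institutions : names of institutions the recipient actually has accounts with
    my_name         : the name those institutions would address the recipient by
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    display_name, addr = parseaddr(msg.get("From", ""))
    claimed = display_name or addr.rsplit("@", 1)[-1]   # who the mail says it is from
    known = [i.lower() for i in my_institutions]
    found = []
    # Indicator 1: it concerns an account at an institution you have no relationship with.
    if ACCOUNT_RE.search(body) and not any(k in claimed.lower() for k in known):
        found.append(f"no_account_at:{claimed}")
    # Indicator 2: a sender handling sensitive data should address you by name.
    if GENERIC_SALUTATION_RE.search(body) or my_name.lower() not in body.lower():
        found.append("not_personalized")
    # The stereotyped format the post mentions: threat of immediate loss of access.
    if THREAT_RE.search(body):
        found.append("loss_of_access_threat")
    return found


# Constructed samples (hypothetical institutions, reserved .example domains).
PHISH = """From: "Northwind Credit Union" <alerts@northwind-cu.example>
To: david@example.com
Subject: Action required

Dear Valued Customer,
Your account has been restricted. Verify your details within 24 hours
or access will be suspended.
"""

LEGIT = """From: "Example Bank" <service@examplebank.example>
To: david@example.com
Subject: Your statement is ready

Dear David Harley,
Your monthly statement is now available when you log in to online banking.
"""


def check_samples(my_institutions=("Example Bank",), my_name="David Harley"):
    """Run both constructed messages through the checks."""
    return {
        "phish": phishing_indicators(PHISH, my_institutions, my_name),
        "legit": phishing_indicators(LEGIT, my_institutions, my_name),
    }


if __name__ == "__main__":
    for name, hits in check_samples().items():
        print(name, hits or "no indicators")
```

None of these checks is a proof either way: a phisher who has harvested your name and knows where you bank will pass both, which is the "no absolute, infallible test" caveat in the quoted paragraph. What they do catch is the bulk mailing sent to addresses the scammer has no relationship information for.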

But that’s a topic that deserves addressing in its own right.

David Harley

