Monday, February 09, 2009

Traveler Scams: Email Phishers Newest Scam

Last Friday I had a phone call that sounded like an opportunity to look at a new scam from end-to-end. A retired school teacher in the Birmingham, Alabama area had received an email from a friend, claiming that she was stranded in London, and needed funds urgently to get home. The friend promised to repay the funds as soon as she arrived home safely.

The school teacher wondered if I was interested in the email from a computer forensics perspective. I asked her if her friend used Yahoo or Hotmail, because these are the main targets I've seen in Traveler Scams so far. She also told me that she had sent an email to her friend asking if she had really sent the strange email.

I told her that unfortunately her friend would not be able to reply, because she was almost certainly not in control of her email box. I laid out the normal course of a Traveler Scam for my new friend and asked her if she had a telephone number for her supposed traveler to see how many of our facts we could confirm.

Here is the layout of a typical Traveler Scam:

Step One: The Traveler receives an email claiming that unless they reply with their own email password, their account will be closed. This is why we categorize the attack as an Email Phish: someone sends an email, claiming to be a person in authority over your account, and claiming that unless you reply with your password something bad will happen.

Step Two: The Phisher logs in to the Traveler's account using the real password. They then CHANGE the password, so that the Traveler can no longer access their own email.

Step Three: The Phisher reads all the email in the Traveler's account, looking for people who might be "friends".

Step Four: All of the Traveler's Friends get an email, sent from the Traveler's normal email address, saying "I'm out of the country suddenly and (something bad has happened) and (I need you to send me money immediately to get home)".

Step Five: Because the email REALLY CAME from the Traveler's REAL EMAIL ADDRESS, it passes any sender check a Friend might make, and any reply the Friend sends asking "is this really you?" lands in the mailbox the Phisher now controls. The Phisher answers it, and that exchange convinces the Friend that the request is genuine. The only reliable check is to reach the Traveler through a channel the Phisher does not control, such as a telephone call.

So, that's the theory. How did it play out in our particular example from last Friday?



Here is the email the Friend received from the Traveler, originating from an @hotmail.com address which the Friend regularly uses to correspond with the Traveler:


Sent: Saturday, February 07, 2009 3:45 AM
Subject: RE: URGENT RESPOND NEEDED

Hello,
I am sorry I didn't inform you about my traveling to Europe for a program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of Education,the program is taking place in three major countries in Europe which are Dublin,Scotland and England,I am persently in England,London.

I misplaced my wallet on my way to the hotel where my money,and other valuable things were kept.I will like you to assist me with a soft loan urgently with the sum of $2,800 US Dollars to sort-out my hotel bills and get myself back home.

I will appreciate whatever you can afford to send the money today.i'll pay you back as soon as i return,Let me know if you can assist. please use this information to send the money to me.I wait your quickly respond.




Of course, several alarms went off for the Friend: the clear grammatical mistakes, and the statement that "Dublin" is one of three "major countries in Europe". So, what did the Friend do?

She emailed the Traveler to ask if this was really her. After she spoke to me, and then to the Traveler, by telephone, she received an additional email reply from the Hotmail account:


Sent: Saturday, February 07, 2009 3:45 AM
Subject: RE: URGENT RESPOND NEEDED

Please note the Email is legitimate,I am stranded in London now,I will appreciate whatever you can afford,I'll pay you back upon my return. dont deny me this help now, hence this happen to be The Greatest help you can render to me so far as a Friend I will feel honored if you dont ignore this request.


So, what was the experience like for the Traveler?

It was exactly as we had supposed it would be.

The Traveler received an email claiming to be from the Administrator of Hotmail.com, telling her that Hotmail was running out of space and was going to have to close any accounts which were not being used. In order to prove that it was really her using the account, she needed to reply to the email and give her name, email address, and password, so that they would know not to close her account.

The next time she tried to log in to Hotmail, she couldn't get in. Her password had been changed.

Note that this scam is NOT original, but we have been hearing quite a few recent reports of it. A Google search on some of the phrases in the email shows that it has been seen as early as May 2008, with a big surge in September and October 2008 as well, and that there is also an Asian version, seen as early as August 2008.

In this case, we also looked at the original headers on the email from the Traveler, who lives in Atlanta, Georgia. I wasn't too surprised to find that the Traveler's account was being logged into from Nigeria.

X-Originating-IP: [41.211.226.150]

inetnum: 41.211.192.0 - 41.211.255.255
netname: DOP1-20070404
descr: Wireless Broadband Internet service ,VSAT
descr: DIRECT ON PC LTD
country: NG
address: Direct-on-PC Limited
address: Plot B, Block 1
address: Illupeju Industrial avenue
address: Illupeju
address: Lagos
address: Nigeria
address: NG
phone: +234-1-2701700
fax-no: +234-1-2713554
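To make that header check repeatable, here is an added example script (mine, not code from the original post) that pulls X-Originating-IP out of a raw message, parses the inetnum and country fields of a whois record, and flags the login when the whois country does not match where the account owner actually lives. The raw message below is constructed for illustration; only the X-Originating-IP value and the whois block are the ones shown above, embedded here so the script runs offline without a network whois lookup.

```python
"""Header triage for a suspected account-takeover (Traveler Scam) email.

Added example, not code from the original post. The raw message below is
constructed for illustration; the X-Originating-IP value and the whois
inetnum record are the ones quoted in the post, embedded here so that the
script runs offline with no network whois lookups.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample message. Hotmail and Yahoo webmail add X-Originating-IP
# with the address of the browser session that composed the message, which is
# the "where did the sender actually log in from" signal we care about.
RAW_MESSAGE = """\
From: traveler@hotmail.com
To: friend@example.com
Subject: RE: URGENT RESPOND NEEDED
Date: Sat, 07 Feb 2009 03:45:00 -0600
X-Originating-IP: [41.211.226.150]

Please note the Email is legitimate,I am stranded in London now...
"""

# whois record quoted in the post (only the fields this script uses).
WHOIS_RECORD = """\
inetnum: 41.211.192.0 - 41.211.255.255
netname: DOP1-20070404
descr: Wireless Broadband Internet service ,VSAT
descr: DIRECT ON PC LTD
country: NG
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def originating_ip(raw_message):
    """Return the X-Originating-IP address (webmail writes it as '[a.b.c.d]'), or None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = msg.get("X-Originating-IP")
    if not header:
        return None
    match = IPV4_RE.search(str(header))
    return ipaddress.ip_address(match.group(0)) if match else None


def parse_inetnum(whois_text):
    """Parse an RIR 'inetnum: first - last' record into (networks, country)."""
    first = last = country = None
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "inetnum":
            first, last = (part.strip() for part in value.split("-", 1))
        elif key == "country":
            country = value.upper()
    if first is None or last is None:
        raise ValueError("whois record has no inetnum line")
    # A first-last range may not be a single CIDR block; summarize handles that.
    networks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return networks, country


def login_country(ip, whois_text):
    """Country code of the record if ip falls inside its inetnum range, else None."""
    networks, country = parse_inetnum(whois_text)
    return country if any(ip in net for net in networks) else None


def triage(raw_message, whois_text, expected_country):
    """Return (ip, country, suspicious).

    suspicious is True when the message carries an originating IP whose
    whois country differs from where the account owner actually is.
    """
    ip = originating_ip(raw_message)
    if ip is None:
        return None, None, False
    country = login_country(ip, whois_text)
    suspicious = country is not None and country != expected_country.upper()
    return str(ip), country, suspicious


if __name__ == "__main__":
    # The Traveler lives in Atlanta, so a login from a Lagos netblock is a red flag.
    print(triage(RAW_MESSAGE, WHOIS_RECORD, "US"))
```

In a real run the whois text comes from `whois 41.211.226.150` (or the RIR's web interface). Two caveats: X-Originating-IP is only added by the webmail provider for messages composed in a browser session, so mail relayed from elsewhere may lack it or carry a copy the sender controls; and a country mismatch is a lead, not proof, since the Traveler might genuinely be abroad. It is the phone call that settles it.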

It seems this scam is surging again . . . perhaps the "Yahoo Boys" have just rediscovered it. Here is the Asian version mentioned above:


I am in hurry writing you this message and am really sorry I didn't inform you about my traveling to Malaysia for a program called "Empowering Youth to Fight Racism, HIV/AIDS, Poverty and Lack of Education. The program is taking place in three major countries in Asia, which are Taiwan, Singapore and Malaysia. It has been a very sad and bad moment for me, the present condition that i found myself is very hard for me to explain.

I am really stranded in Malaysia because I forgot my little bag in the Taxi where my money, passport, documents, cell phone which i have all my contacts and other valuable things were kept on my way to the Hotel am staying, I am facing a hard time here because i have no money on me. I now owe a hotel bill of $1,400 and they wanted me to pay the bill soon or else they will have to seize my bag and hand me over to the Hotel Management. I need this help from you urgently to help me back home, I need you to help me with the hotel bill and i will also need $2,000 to feed and help myself back home. So please can you help me with a sum of $3,400 USD to sort out my problems here?


(the latter email included details on how to send a Western Union payment to their hotel)

Please let me know if you've received a Traveler Scam email. My research team is gathering samples to share with appropriate folks at email providers and law enforcement.

Gary Warner
Director of Research
UAB Computer Forensics
gar@cis.uab.edu
