By Nick Johnston
As seen in the past, 419 or advance-fee fraud scammers (who typically promise large amounts of money, but demand upfront fees or payments first) are quick to react to current events. For example, in the aftermath of Haiti’s devastating earthquake in January 2010, 419 scammers impersonated the Red Cross and requested donations.
Last month, MessageLabs Intelligence saw a number of different 419 scams: some that capitalize on the current political turmoil in the Middle East, another built around an event in the very distant future, and one written in an uncommon language.
MessageLabs Intelligence identified a scam message trying to take advantage of the unrest in Libya. It seems that as countries around the world scramble to evacuate their citizens from the deteriorating situation in the country, 419 scammers are also rushing to send out messages.
The scam message claims to be written by someone connected to Libya’s Senussi crown (overthrown by Muammar al-Gaddafi in his 1969 coup d’état). The scam follows a fairly normal form: the scammer claims to want assistance in transferring his money out of the country, and is prepared to pay for help. The scammer alludes to his involvement in the oil business, possibly thinking that this will entice people to reply to get a share of the wealth. Of course, the scammer will demand ever-inventive upfront fees and charges, and never send any money.
Example of 419 seeking to exploit Libyan unrest
Egypt’s former President, Hosni Mubarak, scam
Only a few days after the resignation of Egypt’s long-standing president, Hosni Mubarak, MessageLabs Intelligence saw a German language 419 scam claiming to be from his lawyer.
The scammer claimed that he needed the recipient’s help to retrieve $2.5 million of the president’s funds, frozen in a Belgian bank account. The scammer further claimed that he would pay for assistance.
The recent uncertainty about Mubarak’s whereabouts and health, as well as reports that many jurisdictions are considering seizing his assets, could perhaps lend credibility to this particular 419 scam.
As usual for many 419 scams, the message is poorly constructed and has probably been automatically translated into German. Our advanced monitoring systems alerted us to this scam. Although this type of mail is generally low volume, it can still be a significant nuisance.
2022 World Cup scam
The 2010 FIFA World Cup in South Africa was used by both 419 (advance-fee fraud) scammers and malware authors to lure unsuspecting victims into handing over money or installing malware.
Last December, MessageLabs Intelligence saw two scams which claimed the recipient had won a lottery supposedly connected with the 2014 World Cup. We were surprised to see scams promoting an event so far in the future, so we were especially surprised to recently see a scam promoting the 2022 World Cup in Qatar. Evidently scammers are not concerned by the fact that the tournament is more than 10 years away.
The scam itself is fairly normal. The mail contains very little content in the body; it simply encourages recipients to open the attached PDF document. The attachment was created with a popular open source office suite and claims that the recipient has won £1.5 million (roughly $2.41 million). The document contains a logo for the tournament as a watermark, and also contains a picture of FIFA president Sepp Blatter with Qatar Football Association president Sheikh Hamad bin Khalifa bin Ahmed al-Thani.
419 Scam: PDF Attachment relating to Qatar World Cup 2022
The message encourages recipients to email the scammer to claim the money, or to phone a forwarding number, which often routes the call to the scammer abroad.
Welsh language scam
While we have seen 419 scam mails constructed in many different languages such as German and French, in February, for the first time, we came across one written in Welsh.
The content of the mail was typical of a 419 scam mail. The scammer poses as a widow of a Kuwaiti ambassador to the Ivory Coast with $2.5 million in a trust fund. The potential victim has to distribute some of the money to orphanages and the less privileged and in return, the scammer promises to make the victim a beneficiary of the fund.
It’s unlikely that the 419 scammer can read and write Welsh so it’s probable the mail was written in English and then translated into Welsh using an automated language translation website. It’s unknown why the scammer would have chosen Welsh when this language is read by a relatively small number of people, but further analysis revealed that the recipient in this case was actually based in Wales.
Moreover, the names of the individuals mentioned in the email have also been tailored to match the name of the recipient, which may be used to catch the recipient off-guard. Even though this email was targeting one of our Welsh-based clients, our advanced monitoring systems were able to identify this scam.
419 scams continue to grow in popularity as ways for cybercriminals to make quick money. Luckily, our advanced monitoring systems were able to detect and identify all four of these scams before the recipients became victims.
Nick Johnston is a senior software engineer for Symantec.cloud.