1. Scam with text and image

Usually, the scam emails do not contain images because they are just too expensive to be sent. This is why most of the filters have a kind of whitelisting system in place which reduces the spam score if they encounter large pictures (for example >= 200KB) attached to a message.

In the plain text part they still make use of some known words, like “Dear sir”, “seek your assistance”, “business opportunity”, etc. So, this text is easier to detect as a scam but not trivial. Still even so, there is no “story”, which makes the email useless. The real story behind the scam is attached in a JPG picture with the size of exactly 200KB. Did the scammers know about this limit? Of course they knew because there are a lot of antispam tools which can be downloaded and they can test with them.

Fig. 1: The scam mails try to circumvent email filters by using image attachments with the "hole story".

The text in the picture is a typical scam-text with references to real facts and so on. The email is sent via Gmail. Again, it is very unfortunate that Google doesn’t scan outgoing emails against spam, as they do for malware.

2. Bilingual Scam

This email is a 3K plain text message using the UTF-8 character set. Because of this, it comes encoded in base64. There are two text paragraphs in the body, the first one written in French and the second in English. They are different formulated, but basically they express the same idea: transfer of money to your account. There are some important differences between the two texts.

The English text is

• making use of the word “millions” while the French one is writing the sum in numbers
• not telling the story of the money, specifying a simple “lying dormant for eight years” when the French one is specifying that the money belongs to a dead relative of a customer of the bank.
• using the first name of the women when the French one is using the formal addressing with the full name.

The subject of the email is written only in French. I assume that the reason for this is the fact that the email has been sent from a free email provider from France (ifrance.com).

Fig. 2: Another twist is sending bilingual scam mails.

Both messages show a very clear trend in the Nigerian scam business: They are adapting to the fast changing rules of the game. They have to do this because we are in a deep economic crisis and now is the perfect moment for them to recruit new “customers”. In such hard economic times people are more susceptible to this kind of methods of gaining easy money.

Never respond to such requests no matter if they are written in your language or not, how credible and how well documented they are presented.

Sorin Mustaca
Manager International Software Development

Fig. 1: Nigerian scam mails seem to get better adopted to the target audience.

I got really excited when I’ve seen that he is not “Mr.”, “Doctor” or “Barister”, his email address is not mr.something@host.com, he wants to invest Euros and not US dollars, and so on. But, this was only at the first sight.

A closer look reveals that it is the same old scam:

• Bad English language
• The country prefix of the telephone number is from Ivory Coast (I don’t know if the number exists)
• The headers show that the email was sent through a bot residing in Germany (see also our “Phishing and Malware Statistics” for Germany)
• They start the email with “Dear Sir” and any decent filter will penalize them for this
• The subject of the email is written with capital letters
• It mentions something about “account” and money “transfer”

An interesting thing showing how different our cultures are, is the fact that all these scams have something in common: They write the contact email address in the body of the email, even if they use the same address in either “From” or “Reply-To” field.

Would you write your email address in the body of the email if you expect the recipient of your email to get back to you?

Avira Antispam from the Premium Security Suite detects this message as Spam without even making use of the RBLs. As usual, we recommend that you never contact these guys and never believe offers which are too good to be true.

Sorin Mustaca
Manager International Software Development

Fig. 1: The Japanese scam

This is a very fancy scam: We usually see the same old story about very rich men who were killed by the government and the poor relatives trying to get the money out of the 3rd world country with your help. But this one is different.

First of all, it thinks big. Very big… really, I have never seen such an idea before: “I made this money through a contract awarded to me by the ministry during the relocation of OSAKA AIRPORT”. And it gets even better: “I am not safe if I go back to Japan because I did not finish the contract“. So now the Osaka airport should be somewhere… on the road? This is really nice, isn’t it?

If you have a look at the main header, you see the From, Reply-To and Sender fields. The sender field isn’t seen in an email very often because it is somehow in a gray area. According to RFC 822, this field should be used only when the person submitting the message to the network is different than shown by the “From” header field. Because of this, it should be authenticated, but what kind of authentication is not clear. Some mail clients expect that the email address used in this field can be used to reach the sender, others do not. Because of this uncertainty, most email clients prefer either to remove this field completely or to add a hidden field in the headers with the name “X-Sender”.

So, is our “Japanese contractor” using deprecated mass mailing software?
Note that there is no “To:” field. Of course, any decent anti spam product will penalize this email when it detects something like this.

According to the other headers, the email is supposed to have been sent though Gmail. There are even the DKIM headers and a new header called “X-Google-Sender-Auth”. Google doesn’t add something like this though. All these indications show that the spammer has used a special software to send mass mailing though the Gmail. It is really sad to see that Google doesn’t enforce a clear email sending policy though its servers.

But, because of these twists in the email, I assume that the spammers thought it wouldn’t be so bad to have an escape route. This is why the Reply-To email address points to yahoo.com.hk (Yahoo! Hong Kong).

Unfortunately for the spammer, after all this trouble just to send the email, it made the same mistakes which all the Fee Fraud emails make: It uses known keywords like “million dollars”, “Att: My name is”, it tries not to add the formal way of addressing in the From text (“Mr. ”) but then uses an email address called mr.otoya22@gmail.com and the formal addressing in the Subject. These are also other important hints which can help an automated system for spam detection to safely mark this email as a scam.

Avira Antispam detects this email with a “Very High” spam probability without even calling any Realtime Blacklists – no wonder since we see so many spam indicators. As usual, Avira advices to never respond to such emails and never trust such persons who promise huge amounts of money.

Sorin Mustaca
Manager International Software Development

Fig. 1: Spam mail for Advance Fee Fraud.

This kind of fraud is not new at all. It started years ago with Eastern European girls (remember the already famous “Russian bride” trick). The deal is that the “partner” must send some amount of money to the “poor” girl in order to arrange for her arrival in his country. But, after some time, the girl is reporting that she has problems with the passport or with her sick relatives and needs some money. And then she asks for more and more money for various problems.

When the money “partner” figures out that there is something phishy going on and stops sending money, it is too late. The girl just disappears and the “partner” never hears from her again and the money are also gone.

Sorin Mustaca
Manager International Software Development