Thursday, June 17, 2010

Sampling 419 Advance Fee Scams Activity

Lottery winning notifications, Western Union payment notifications, dead relatives, advance fee schemes impersonating law enforcement agencies - their arsenal of themes is endless. Their IPs, however, aren't, given that the majority of 419 scams are not sent using botnets, but manually, and in a targeted fashion.

In fact, some of their spamming techniques (419 scammers using Dilbert.com; 419 scammers using NYTimes.com's 'email this' feature) are so primitive compared to the long-term financial impact of a successful advance fee scam that their KISS (Keep It Simple, Stupid) mentality reflects the current situation within the cybercrime ecosystem - they all KISS it to a certain extent - "Report: Malicious PDF files comprised 80 percent of all exploits for 2009"; "Reports: SQL injection attacks and malware led to most data breaches".

For the purpose of an experiment, and for related reasons, here's a raw snapshot of some 419-ers that just kept popping up, over and over again.

Persistent 419 advance fee scammers (over the last 7 days), their originating IPs, and the "reply-to" email addresses they use:
- a_chenchen@yahoo.cn - 218.17.239.18
- abdulkadera_maroofomar@hotmail.com - 41.138.180.86
- alfredmorris.m@btinternet.com - 211.101.13.230
- atmdept_serv001@yahoo.cn - 193.252.22.152
- austinalan@wanadoo.co.uk - 193.252.22.190
- avocat_doukoure@yahoo.fr - 78.229.212.4
- barpaulaffum@live.com - 41.210.31.214
- barr.rolandken1@gmail.com - 221.235.112.210
- barristerhenryivanlooconsult02@yahoo.co.jp - 60.48.104.88
- barteddywill01@googlemail.com - 200.13.249.119
- cocacolaofficialprize19@yahoo.com.hk - 194.79.134.37
- courfed@aim.com - 79.123.210.10
- crichardchambers@rediff.com - 212.242.42.50
- curiehenria@yahoo.com, barr09amorisq1@gmail.com - 123.176.96.137
- dr.austenobigwe008@gmail.com - 41.211.228.112
- drabejohn2009@aol.com - 217.72.192.242
- duncan.macdonald@9.cn, barr_duncan_macdonald@yahoo.co.uk - 86.43.60.104
- ecowascounsellordept@gmail.com - 115.242.97.173
- efccantigraft.nigeria077@gmail.com - 24.166.97.40
- Email.jmwilliams66@gmail.com, misteredwin22@gmail.com - 89.144.96.52
- fedex.courerservices1@hotmail.com, richardjohson@live.com - 87.194.255.145
- fedpeters07@aim.com - 81.31.115.2
- henryanthonyloanfirm@gmail.com - 200.40.197.69, 41.219.152.78
- icpcmistrynig@yahoo.com, fedeministrynig@gmail.com - 91.198.227.49
- janefugar2.u@hotmail.com - 82.196.5.120
- jimovia8787@gmail.com - 216.222.201.201
- john_chan3030@yahoo.com.hk - 200.171.215.2
- loannationwide2010@windowslive.com - 222.124.26.155
- mailesq.charlesstanley@gmail.com - 163.20.186.1
- maroofomar_abdulkader@yahoo.com - 62.193.229.238
- martha_ikobopayment@yahoo.com.hk - 41.138.172.81
- microwin2010@hotmail.co.uk - 200.105.120.151
- ministerdeliveryofficer@yahoo.cn - 193.252.22.190
- miss.kajat@googlemail.com - 67.15.16.31
- missblessing@sify.com - 196.28.250.53
- mr.parady700@hotmail.com - 80.200.242.17
- mrabdulhaleem@gmail.com - 66.11.225.183
- MRANNOLDSMITH2010@gmail.com - 82.128.17.211
- mrderekpaulatm405@gmail.com - 86.209.83.68
- Mrperentochaplain@rocketmail.com, Mrperentochalion@gmail.com - 112.110.186.25
- mrsabueke@cantv.net - 200.11.173.131
- niceme1970@yahoo.com - 80.12.242.27
- ntai_jerry7775@yahoo.com.hk - 125.141.17.158
- ochuko_baba1@hotmail.fr - 65.55.111.159
- ochukobaba1@gmail.com - 65.55.111.85
- officereplybackmaill@yahoo.com - 82.128.17.211
- organlotoint39l@yahoo.com.hk - 207.194.87.105
- promoskllotto@rocketmail.com - 90.183.38.130
- realexchanges@aim.com - 212.225.181.101
- rev.sistermaryx31@gmail.com - 41.211.228.112
- robinkelley1967@hotmail.com - 85.214.37.73
- rpatmcard@hotmail.com - 195.83.9.36
- s.leel@yahoo.com, westernunionoffice99@gmail.com - 41.191.85.45
- shopperconsultant@live.co.uk - 195.137.70.240
- talkdelata3@gmail.com, mdelataecobank@gala.net - 116.255.152.124
- thefordfoundation.award0010@yahoo.co.uk - 222.124.9.54
- ubanigeria.nig65@gmail.com - 202.132.123.106
- vex.pressd2009@gmail.com - 66.48.81.131
- waziriefccng@live.com - 193.252.22.191
- worldbpr@9.cn - 41.204.224.19
- www.cn_western_union@w.cn - 41.222.192.82
- zakiawilo101@yahoo.co.uk - 202.132.123.106
- zongo.ben177@gmail.com, mr_hiiu60@msn.com - 212.52.146.118
- bog_officemail@yahoo.co.jp - 82.128.2.78
- atmfinanceibc@web2mail.com - 41.218.237.202
- mrjohnsmith70@hotmail.com - 213.171.218.33
- junhuan9@yahoo.cn - 218.91.39.165

Nothing hurts a cybercriminal as much as decent historical OSINT regarding their activities. Moreover, such historical OSINT not only contributes to more efficient case building, but also helps establish some pretty interesting connections within the cybercrime ecosystem. As practice and experience have shown, this very same ecosystem is not necessarily as big as originally assumed.

Consider going through the related fraudulent schemes/malicious campaigns currently taking advantage of FIFA's World Cup - Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
