Great, another Nigerian prince in your inbox. Instead of deleting it, why not answer for a change? I did and it turned out to be quite interesting.
Last week, I received my first Nigerian prince scam mail (also known as 419-scam) in German. I assume someone put a lot of work into this, so I thought I would answer. Although the message was apparently sent from email@example.com, I was to reply to firstname.lastname@example.org. This email supposedly belonged to Mr. Wong, the banker who was handling the case.
Let us have a look at the message header first, before answering.
Even if I had replied to email@example.com, the email would have been sent to firstname.lastname@example.org. I assume the email was not actually sent from the @valencia.es domain in the first place and that this was just used to bypass my spam filter. Next up, I wanted to see if I could find any leads to where the email was sent from.
The initial ‘Received’ entry in the message header points to a South African IP-address belonging to a mobile provider. It also appears to have been sent through a Huawei 3G/4G WiFi router.
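The two header checks described above (a Reply-To that differs from the From address, and the IP in the earliest 'Received' entry) can be scripted. The following is an added example, not part of the original post; the sample header is constructed, and the addresses, host names and the "from HELO (rdns [ip])" hop format are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header: names, addresses and IPs are placeholders
# (documentation ranges), not values from the mail discussed in the post.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP id A1; Tue, 12 Mar 2019 09:41:10 +0100
Received: from [192.168.8.100] (unknown [192.0.2.44])
\tby relay.sender.example with ESMTPA id B2; Tue, 12 Mar 2019 10:41:05 +0200
From: "City Council" <info@council.example>
Reply-To: "Mr. Wong" <banker@freemail.example>
Subject: Business proposal

(body omitted)
"""

# Assumed hop format: "from HELO (rdns [peer-ip])". The bracketed address inside
# the parentheses is what the receiving server saw, not what the client claimed.
PEER_IP = re.compile(r"\([^()\[\]]*\[([0-9A-Fa-f:.]+)\]\)")

def reply_to_mismatch(msg):
    """Return (from, reply_to) if replies leave the From domain, else None."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply and reply.rpartition("@")[2] != sender.rpartition("@")[2]:
        return sender, reply
    return None

def origin_ip(msg):
    """Peer IP from the earliest Received header (the bottom-most one)."""
    for hop in reversed(msg.get_all("Received", [])):
        match = PEER_IP.search(hop)
        if match:
            try:
                return str(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue  # malformed address, try the next hop up
    return None

def analyse(raw):
    msg = message_from_string(raw)
    return {"reply_to_mismatch": reply_to_mismatch(msg), "origin_ip": origin_ip(msg)}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Only the Received lines added by your own mail servers are trustworthy; anything below them can be forged by the sender, so treat the extracted IP as a lead to verify, not as proof.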
Next up, I set up a new Gmail account to communicate with this Nigerian (South African) prince. Sure enough, I received an answer within minutes. The reply contained additional information regarding the deal and was clearly a very bad Google translation of an English text. Again, this message was sent from the same IP-address. We emailed back and forth several times until I was asked to provide some ID, an address and a phone number. So I did.
Apparently, Mr. Wong thought this was funny as well. For the first time I actually received a response that was not just copied and pasted from a pretext.
“You dey gather my fmt” – This actually translates to: So, you are one of those guys that collect my pretext. At this point, Mr. Wong also started using a different email to communicate with me: email@example.com. Again, I checked each message header. While several different IPs were used, they all belonged to South African mobile providers.
The conversation went on for quite a while and I was surprised that Mr. Wong kept answering.
The following day I received another scam mail that looked just like the first one. The only difference was that the name of the banker had changed (and thus the reply email) and the promised sum of money was a lot higher than in the first email. It sure looked like this was also the work of my friend Mr. Wong, so I decided to answer this new email as well.
Unfortunately, Mr. Wong did not answer any more. Looking into all the emails again, I could clearly see a pattern. Each IP-address could be traced to South African mobile providers and all emails were sent through Huawei 3G/4G WiFi routers. The language used also hinted towards Africa in general. Furthermore, over the course of two days I noticed that Mr. Wong began answering around 09:30 (CET), leading to the conclusion that he must have been in the same time zone (or nearby) if this was his 9 to 5 job.
If you ever try this yourself, please make sure to use a clean email address and do not download or open attachments. If you keep this in mind, you might have some fun with a Nigerian prince yourself. As for Mr. Wong:
If you ever read this, feel free to contact me again. I can’t promise I’ll pay the advance fee you requested, but I’m always there for you if you need someone to chat.
MW-OSINT / 19.03.2019