How to Troll a Nigerian Prince

Have you ever received an email from a Nigerian prince? Why not answer for a change and see how things unfold.

Inside an Advance Payment Scam

Boy, am I lucky. Steven Richards, a regional director for the UBS bank, just informed me that I am entitled to over 16 million pounds. Steven sent me the information in German from a Hotmail account, as he explained that he was doing this without the knowledge of his employer. It turns out that I am the last of kin of a UBS customer who recently died with his entire family. At first, I was devastated. Losing relatives is always hard and I didn’t even know them. After a brief phase of grief, I decided to claim my inheritance and reply to Steven. Of course, we all know that none of what is stated before is true. It is part of an advance payment scam. I decided to play along and see how far I could get in this scam.

I knew at some point I would have to present identification, so I googled pictures of German IDs until I found a picture that might do the job. Around this ID, I created a fake persona: Thomas, a 65-year-old retiree that speaks very bad English. I created a new Protonmail account bearing his name and replied to Steven in German. Not even an hour later, I received the answer, even though he obviously never sent an email to this account. This time the email was in English. As my alter ego Thomas didn’t understand much of what was written, he decided to call Steven (Steven provided a phone number in the initial email). The phone number was a virtual phone number registered in the UK. This was the start of many interesting conversations between my fake persona and the scammer known as Steven. For starters, Steven didn’t sound British at all. He had a thick central or western African accent. I gave Thomas a thick German accent and Steven took the bait. Steven explained that I would need to send a letter to UBS making my claim to the 16 million pounds. While we were still on the phone, Steven sent me a pre-drafted letter that I only needed to sign and send to a UBS email address he provided as well. I found a signature from the person I modeled my fake persona after on Google, “signed” the letter and sent it. Needless to say, the email address wasn’t really one belonging to UBS.

Afterwards, I called Steven again just to make sure I was doing things right. He told me that I should forward him all emails coming from the bank, so he could process them and give me further instructions. Immediately after our conversation, I received a reply from UBS. Almost as if Steven had sent it himself 😉

I forwarded this document to Steven and he said he would take care of the first three things on the list, while I was to provide him with my banking details and a copy of my ID. I was also asked to pay about 60,000 pounds to Steven and his lawyer, so they could prepare the death certificate, will and affidavit that I obviously didn’t have. I sent him bank account details for an account that is used in another scam (fake invoices) and a copy of the ID I had based my fake persona on.

By the way: Google could have warned Steven that something wasn’t right with Thomas…

In the next phone call, I told Steven that the money I had wasn’t on my account since it was dirty money. I had obtained it through tax fraud. Clearly, Steven wasn’t amused about this and we had several phone calls and emails regarding the topic.

Eventually, he accepted this money and I told him I could go to the bank and try to transfer the money. For this, he requested a payment receipt as proof that I had sent the money. Steven called multiple times to make sure I was going to the bank. As with the ID card I googled and all the other fake documents I sent Steven, I quickly made a fake payment receipt without putting too much effort into it. To be honest, I was surprised that Steven was still taking me seriously after all the obviously fake information I sent him. He didn’t seem to be the smartest person.

Upon sending the fake payment receipt, I called and told him that I could only transfer 10,000 Euros a day and that I would have to go back the next day to transfer another batch. Steven seemed very satisfied and called back the following day, asking if I had already made it to the bank again. Again, he showed no signs of suspicion and was eager to receive the money.

Payback Time

So far, I played along and made the scammer think he was receiving money. During this, I unraveled additional email addresses, the bank account he used and received copies of the documents he created for this scam. Steven was happy as can be, assuming lots of money would soon end up on his bank account. It was time to give Steven a little something to think about.

While my alter ego, Thomas, was supposedly on the way to the bank to transfer the next batch of money, I used Emkei’s Fake Mailer to send Steven a fake email from Interpol.

One hour later, I called Steven again, this time posing as a special agent working for Interpol. I told him that Thomas was arrested upon trying to transfer money to a bank account that was linked to African terror groups such as Boko Haram. I could clearly hear the fear in his voice and he demanded to speak to Thomas.

In the next phone call, I switched between fake personas (special agent John and Thomas) and made Steven believe that Thomas had been arrested while visiting the bank a second time. To make things more believable, I used various different background sounds (thanks to YouTube) during all these conversations. Thomas was also crying on the phone when speaking to Steven. All of this really freaked Steven out and he denied having anything to do with this. Eventually he stopped answering phone calls, but he did still answer emails sent to him. I was having so much fun, I pushed it a little bit too far. However, I finally got to use a phrase I’ve been waiting to use for a long time.

Aftermath

After a while, Steven wouldn’t reply to emails any more. Two days later, I wanted to log on to the Protonmail account I used in the case to go through the mails again before writing this blog article. It turns out my account had been suspended for apparently being part of an advance-fee scam. According to the Protonmail team, someone reported my account and provided them with messages as evidence (since Protonmail can’t see the content of emails).

To be honest, I find this hard to believe. The person that was so stupid and was fooled with cheap photoshopped images, an outrageous story and multiple fake personas (that all sounded alike), then reported my account to Protonmail and provided evidence? To me, it looks like something else triggered this…are we really sure Protonmail can’t read the content?

In any case, I sure did have fun trolling a scammer and while doing so, I did many others a great favor. Spending time interacting with me left less time for Steven to interact with people that might have actually fallen for this scam. And, it sure is a nice story to tell!

MW-OSINT / 26.01.2020

The Nigerian Prince from South Africa

Great, another Nigerian prince in your inbox. Instead of deleting it, why not answer for a change. I did and it turned out to be quite interesting.

Last week, I received my first Nigerian prince scam mail (also known as 419-scam) in German. I assume someone put a lot of work into this, so I thought I would answer. Although the message was apparently sent from jefaturaestudiositurbi@valencia.es, I was to reply to wong.shiu@accountant.com. This email supposedly belonged to Mr. Wong, the banker who was handling the case.

Let us have a look at the message header first, before answering.

Even if I had replied to jefaturaestudiositurbi@valencia.es, the email would have been sent to wong.shiu@accountant.com. I assume the email was not actually sent from the @valencia.es domain in the first place and that this was just used to bypass my spam filter. Next up, I wanted to see if I could find any leads to where the email was sent from.

The initial ‘Received’ entry in the message header points to a South African IP-address belonging to a mobile provider. It also appears to have been sent through a Huawei 3G/4G WiFi router.
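The two header checks described above (replies redirected away from the visible sender, and the IP addresses in the earliest 'Received' entry) can be scripted for triage. This is an added example, not part of the original post; the sample message is constructed, with reserved example domains and documentation-range IP addresses.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the email from the post): reserved example domains,
# documentation-range public IPs, one RFC 1918 address for the sender's LAN.
SAMPLE = """\
Received: from relay.provider.example (relay.provider.example [198.51.100.25])
    by mx.recipient.example with ESMTP; Tue, 12 Mar 2019 09:41:08 +0100
Received: from [192.168.8.100] (unknown [203.0.113.77])
    by relay.provider.example with ESMTPA; Tue, 12 Mar 2019 10:41:05 +0200
From: "School Office" <office@city.example>
Reply-To: banker@freemail.example
To: me@recipient.example
Subject: Inheritance

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Explicit LAN/loopback ranges; ipaddress.is_private would also match the
# documentation ranges used for the sample's "public" addresses.
LAN = [ipaddress.ip_network(n) for n in
       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def domain(addr):
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    # Each relay prepends its own Received line, so the last one in the list
    # is the earliest hop. Anything below your own provider's lines is
    # sender-controlled and can be forged: treat it as a lead, not proof.
    hops = msg.get_all("Received", [])
    public, lan = [], []
    for text in IP_RE.findall(hops[-1]) if hops else []:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:          # e.g. [999.1.1.1]
            continue
        (lan if any(ip in net for net in LAN) else public).append(str(ip))
    return {
        "from": from_addr,
        "reply_to": reply_addr,
        "reply_redirected": bool(reply_addr) and domain(reply_addr) != domain(from_addr),
        "hop_count": len(hops),
        "origin_public_ips": public,
        "origin_lan_ips": lan,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The public address from the earliest hop is what you would then look up in WHOIS or a geolocation database to identify the provider.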

Next up, I set up a new Gmail account to communicate with this Nigerian (South African) prince. Sure enough, I received an answer within minutes. The reply contained additional information regarding the deal and was clearly a very bad Google translation of an English text. Again, this message was sent from the same IP-address. We emailed back and forth several times until I was asked to provide some ID, an address and a phone number. So I did.

Apparently, Mr. Wong thought this was funny as well. For the first time I actually received a response that was not just copied and pasted from a pretext.

“You dey gather my fmt” – This actually translates to: So, you are one of those guys that collect my pretext. At this point, Mr. Wong also started using a different email to communicate with me: wong.shiu@mail.com. Again, I checked each message header. While several different IPs were used, they all belonged to South African mobile providers.

The conversation went on for quite a while and I was surprised that Mr. Wong kept answering.

The following day I received another scam mail that looked just like the first one. The only difference was that the name of the banker had changed (and thus the reply email) and the promised sum of money was a lot higher than in the first email. It sure looked like this was also the work of my friend Mr. Wong, so I decided to answer this new email as well.

Unfortunately, Mr. Wong did not answer any more. Looking into all the emails again, I could clearly see a pattern. Each IP-address could be traced to South African mobile providers and all emails were sent through Huawei 3G/4G WiFi routers. The language used also hinted towards Africa in general. Furthermore, over the course of two days I noticed that Mr. Wong began answering around 09:30 (CET), leading to the conclusion that he must have been in the same time zone (or nearby) if this was his 9 to 5 job.

If you ever try this yourself, please make sure to use a clean email address and do not download or open attachments. If you keep this in mind, you might have some fun with a Nigerian prince yourself. As for Mr. Wong:

Mr. Wong,

If you ever read this, feel free to contact me again. I can’t promise I’ll pay the advance fee you requested, but I’m always there for you if you need someone to chat.

Yours sincerely,

MW-OSINT / 19.03.2019

The World’s Best Sock Puppet…Not!

There are lots of great guides on how to create sock puppets. Rather than showing you a good example on how to do so, this post shows a horrible example that has been used in a recent phishing attempt.

I received a request to connect on LinkedIn that is clearly coming from a badly created sock puppet. This request is actually a cheap phishing attempt, aimed at getting a hold of my phone number. Basically, the perpetrator made every mistake in the book when creating the profile. Let me walk you through the red flags I encountered. Or: How not to create a sock puppet!

Red Flag 1:

Bad English. Have a look at the message I received.

When looking at the vita, it is clear that Liya Lei should have better English skills!

Red Flag 2:

No contacts (blue box). As you can see, the profile has no listed number of contacts. This is an indicator that it was just recently created or that it is not well-tended.

Red Flag 3:

UKTI does not exist anymore (red box). UKTI stands for UK Trade & Investment, a UK government department working with businesses based in the UK. In July 2016, UKTI was replaced by the Department for International Trade. Again, either this is just a bad sock puppet or an account that is not well-tended. In both cases, it does not seem trustworthy enough to hand over my phone number to.

There are some additional steps that can be conducted to verify accounts. The first step is, of course, running the name through Google. In our case, it did not produce any results directly linked to the person shown in the picture. Furthermore, a reverse image search should be performed as well. Forget Google, use Yandex for this. Unfortunately, neither Yandex nor Google was able to find the picture.

Another method to verify LinkedIn accounts is searching for the person’s email. Assuming the account is real, we should be able to identify a company email address. A quick Google query reveals that the domain ukti-invest.com was among those used by said organization. Next up, run the domain through hunter.io to gain information on the pattern used for their email addresses.

Ukti-invest.com uses “firstname.lastname”, so we can now check if an email address belonging to Liya Lei exists. I checked the email address on verifyemailaddress.org and it clearly shows that while the domain exists, the email address we provided does not.

I also tried a couple variations, including different domains, such as gov.uk, as well as other naming patterns just to be sure.

Following these steps, I have pretty much proven that Liya Lei’s account is a total hoax. A very bad sock puppet set up to phish my phone number. A final note to whomever tried to fool me:

Dear Sir or Madam,

Next time try harder! There are plenty of guides out there on how to build a credible sock puppet. Your cheap attempt is actually quite insulting and did not even push my OSINT skills to a limit.

Yours sincerely

MW-OSINT / 21.01.2018

How Ray Reardon Solved a Blackmail Case

When playing snooker, you sometimes have to rely on your opponent making a mistake to win the game. When conducting investigations, we also have to rely on the suspect to make mistakes, in order to solve the case.

A while back one of our customers, a large German cosmetic company, had received threatening emails from an unknown perpetrator. This person threatened to sabotage the company’s supply chain and thus cause a production fallout. The emails were sent from an anonymous email address and we were not able to find any information on the originator through OSINT. Over the course of the next weeks, the perpetrator continued to send threats and demands in various emails. One of the demands was to transfer a large sum of money to a Bitcoin account.

Again, we went looking for information online, trying to track down this Bitcoin account. Once more, we turned up empty-handed. We tried every trick in the book, including trying to lure the perpetrator into a trap using phishing emails, which only resulted in him sending the threats from different email addresses each time.

The only consistent information was the Bitcoin wallet address and the name he used to sign the emails. This name was ‘Ray Reardon’. Judging from the content of the emails, we had a hunch that this person might actually be an insider. He apparently had extensive knowledge of the company’s supply chain and internal procedures. Knowing this, we sat down with the company’s security officer and discussed the next steps. Our technical approach using OSINT and even phishing was exhausted and we agreed upon covert investigations within the company. In the first step, the security officer identified everyone that could have the knowledge displayed in the emails. We received a list of eight employees and also some written documents from each of these employees. We compared the documents to the emails, hoping we might find specific phrases, terms or spelling mistakes that match. As with the steps before, this proved inconclusive.

The suspects worked in different shifts and the company’s employees had no access to private IT or phones during their worktime. Each employee entered and left the building through doors that only opened with their personally issued RFID tag. We pulled the login data and compared it to the times that the emails had been sent and could rule out five of the suspects, as they were definitely still in the building at their workspaces. Furthermore, we had the IT department check if any company computers had accessed the websites of the email providers used to send the threat emails. So far, we started off with OSINT, then tried social engineering (phishing) and were now down to an internal forensic investigation.
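The badge-log comparison described above can be expressed as a small script. This is an added example, not the investigators' tooling: the log format, employee IDs and timestamps are constructed, and it assumes one person sent every email. An entry without a matching exit is reported as unclear rather than used to clear someone.

```python
from datetime import datetime, timezone

# Constructed data (not from the case): (employee, ISO 8601 time, direction)
BADGE_LOG = [
    ("E1", "2018-05-07T05:55:00+02:00", "in"),
    ("E1", "2018-05-07T14:05:00+02:00", "out"),
    ("E2", "2018-05-07T13:50:00+02:00", "in"),
    ("E2", "2018-05-07T22:02:00+02:00", "out"),
    ("E3", "2018-05-07T21:45:00+02:00", "in"),   # entered after both emails
    ("E5", "2018-05-07T06:00:00+02:00", "in"),   # exit never logged
]
# Constructed send times, as they would be read from the email headers (UTC)
EMAIL_TIMES = ["2018-05-07T08:30:00+00:00", "2018-05-07T17:15:00+00:00"]

def parse(ts):
    # Normalise to UTC so door controller and mail server clocks compare
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def presence(log):
    """Pair each 'in' with the next 'out' per employee."""
    closed, open_since = {}, {}
    for emp, ts, direction in sorted(log, key=lambda e: parse(e[1])):
        if direction == "in":
            open_since[emp] = parse(ts)
        elif emp in open_since:
            closed.setdefault(emp, []).append((open_since.pop(emp), parse(ts)))
    return closed, open_since

def triage(suspects, log, email_times):
    closed, open_since = presence(log)
    sent = [parse(t) for t in email_times]
    result = {}
    for emp in suspects:
        # Verified inside the building while any email went out -> ruled out
        inside = any(a <= t <= b for t in sent for a, b in closed.get(emp, []))
        # Entered before an email but no exit on record -> cannot be cleared
        unclear = emp in open_since and any(t >= open_since[emp] for t in sent)
        result[emp] = "ruled out" if inside else "unclear" if unclear else "remains"
    return result

if __name__ == "__main__":
    print(triage(["E1", "E2", "E3", "E4", "E5"], BADGE_LOG, EMAIL_TIMES))
```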

These steps enabled us to narrow down the number of suspects from eight to three. The remaining three suspects were off duty at the time the emails had been transmitted. We started conducting intensive background checks on all three, including looking at their social media and online footprints. While the checks on two of the suspects did not provide any further leads, one check revealed that the last remaining suspect was really into snooker and competed in regional snooker tournaments. This small and seemingly irrelevant information actually helped solve the case. Remember the name used to sign the threatening emails? It turns out ‘Ray Reardon’ is actually a famous snooker player. Combined with the fact that the suspect wasn’t at work in the relevant time period, the use of the name ‘Ray Reardon’ proved to be a circumstantial piece of evidence that our customer then handed over to the German law enforcement agencies. Subsequently, it was enough to get a search warrant for the suspect’s home.

Our customer later reported that the police had found more evidence on the suspect’s computer and that he was tried and convicted for attempted blackmail.

Our investigation was the frame ball* in this case.

Photo (Snooker_Touching_Ball_Red) by barfisch under license CC-BY-SA 3.0

MW-OSINT / 14.12.2018

*Snooker term: the last difficult shot required to win