X-Labs
August 9, 2010

419 scams go phishing

Forcepoint

419 scams have become lame and not a lot of people are falling for them these days. So the scammers have to change their tactics if they want to stay in business. The scam we describe in this blog is quite interesting because it combines a typical 419 scam with a phishing attack. After the initial communication with the scammer, the victim receives a phishing email claiming to be from PayPal indicating that the scammer "PayPaled" the money to the victim. Here is the long story.

One of my friends posted an ad on craigslist to sell his HP laptop. Dr. Robinson (a scammer and a physician from Utah) wanted to buy the laptop as a birthday gift for his son David -- who is BTW doing human development research in Nigeria. Dr. Robinson offered to send the payment via PayPal and asked that the laptop be shipped to his son in Nigeria.

 

From: Donald Robinson [donaldrobinson1001@gmail.com]
Sent: Thursday, August 05, 2010 6:07 AM
To: xxx
Subject: Re: HP   Laptop - $280 

Hello,
 I am very grateful to hear back from you.I am a Medical Doctor residing in Utah.The (HP Laptop) is for my son's birthday present,due to his brilliant performance,he was currently transferred from US to West Africa with his team on a research on Human development under world Health Organization. I'll be paying you through paypal.I will forward my son's residential address to you for shipping as soon as the payment reaches you.send me your paypal email so that i will do the payment.
 NB: I will be paying you $400 for both the cost price and shipping fee.Please get back to me so that i will proceed with the payment.
Best Regards,
Dr. Robinson.

 

I created a fake email account and sent Dr. Robinson the following note:

 

Dear Dr Robinson,

Please send me your son's address and I will ship the laptop as soon as I receive the payment through paypal. My paypal email is xxx@gmail.com.
Thank you for your interest.

Regards,

 

A couple of hours later, I received a phishing email claiming to be from PayPal indicating that I got a new fund from Dr. Robinson. Dr. Robinson was very generous and sent me $400, not $280 as was posted in the craigslist ad. The social engineering part in the email was interesting:

"This PayPal payment has been deducted from the buyer's account and has been "APPROVED"but will not be credited to your account until the shipment reference/tracking number is sent to us for shipment verification and this is done to secure both the buyer and the seller against any fraudulent activities. Below are the necessary information requested before your account will be credited. Send tracking number to  us or email us through  paypalaccountserviceinfo@ovi.com and our customer service care will attend to you. As soon as you send us the shipment's tracking number   the money will be credited to your account and this is done for security purposes and the safety of the buyer and the seller."

 

 

A couple of minutes later, I received another phishing email claiming to be from PayPal telling me that PayPal is waiting for my shipment tracking number. Also, they assured me that the order has been confirmed and that I can ship the order now to the buyer, but I have to do so within 48 hours. I googled the transaction ID "8UG760668M701084Y" and found three posts [1,2,3] talking about similar scams.
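The fake PayPal notice quoted above has traits a mail filter can test for. The Python sketch below is an added example, not part of the original post: it flags a message that claims the PayPal brand while its sender or in-body contact addresses sit on other domains, and that uses the "credited only after you send a tracking number" lure. The From header in the sample is constructed, the body is abridged from the quote above, and the `BRAND_DOMAINS` allow-list is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "paypal"
BRAND_DOMAINS = {"paypal.com"}  # assumption: domains treated as genuine for the brand

# Captures the domain part of any e-mail address found in the body.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Lure from the quoted notice: funds withheld until a tracking number is sent.
HOLD_RE = re.compile(r"not be credited.{0,120}?tracking number", re.I | re.S)

def is_brand_domain(domain):
    """True only for the brand domain itself or one of its subdomains."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)

def check_message(raw):
    """Return a list of findings for one raw, single-part e-mail message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    claims_brand = BRAND in display.lower() or BRAND in body.lower()
    findings = []
    sender_domain = addr.rpartition("@")[2]
    if claims_brand and not is_brand_domain(sender_domain):
        findings.append("sender-domain-mismatch:" + sender_domain)
    for domain in sorted({d.lower() for d in ADDR_RE.findall(body)}):
        if claims_brand and not is_brand_domain(domain):
            findings.append("off-brand-contact:" + domain)
    if HOLD_RE.search(body):
        findings.append("payment-held-for-tracking-number")
    return findings

# Sample message: headers constructed, body abridged from the notice quoted above.
SAMPLE = """\
From: "PayPal" <notice@mail.example.net>
Subject: You have received a payment

This PayPal payment has been "APPROVED" but will not be credited to your
account until the shipment reference/tracking number is sent to us.
Send tracking number to us or email us through
paypalaccountserviceinfo@ovi.com and our customer service care will attend to you.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```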

 

A couple of minutes later, Dr. Robinson emailed me and told me that he has sent me the money via PayPal. He asked that I ship the laptop first thing in the morning via USPS first class express mail in an insured package. The interesting thing about this address is that all three posts above share the same city and state in Nigeria: "Uwani, Enugu, Nigeria". I looked up the city in Google Maps, but did not find anything eye-catching, except Enugu prison that was in the neighborhood!

 

David Robinson: I wish you a very happy birthday and I wish you success in your research on human development in Nigeria, but you are not receiving a laptop for your birthday. Brad can send you one if he likes :)

 

(Acknowledgment: T and R)
