In recent weeks, we have seen several mass-mailings in French, Italian and English, imitating messages from Amazon’s online shops. In all the mailings, the recipients were offered a voucher, a gift certificate or some other prize.

The enticing offers were mostly sent from Italy or France. However, the email addresses from which they were sent immediately raised suspicions: the culprits didn’t even try to imitate Amazon’s official email addresses, and merely used Amazon in the sender’s name.

Each message contains links that supposedly lead to the Amazon website. The recipients have to click the links to claim their “prize”. Analysis of the links shows that users from different countries are redirected to different web pages. For instance, users with a European IP address are asked to fill in a form in English, and are offered the chance to enter a draw for an iPhone 6S as a reward.

The winner is promised a new smartphone for just 1 euro, but first has to enter their bank card details on the video streaming site myflixhd[.]com.

The website offers a 5-day trial period, but requires the user’s bank card details, and then deducts a subscription fee of 50 euros per month if the user fails to cancel the subscription on time.

Naturally, Amazon has nothing to do with this “draw” or any other similar scams, and the chances of winning an iPhone 6S are very slim, to say the least. There is a good chance, however, that the bank card details entered on this advertising web page will be used by third parties for their own ends.

Spammers use all types of tricks to bypass spam filters: adding ‘noise’ to texts, inserting redirects to advertised sites, replacing text with pictures – anything to stop the automatic filter from reading the keywords and blocking the message. Recently, we’ve been seeing a trend to replace Latin characters with similar-looking symbols from other alphabets. This “font kink” is especially typical of phishing messages written in Italian.

Non-Latin characters are inserted in place of similar-looking Latin characters both in the “Subject” field and in the body of the message. Here is an example of what headers obscured with ‘foreign’ symbols look like:

And here is an example of a phishing message using the name of the PayPal payment system and using the same trick. Words containing non-Latin characters are underlined in the first lines; the reader can take a magnifying glass and search for more in the remainder of the text:

Thanks to the UTF-8 coding system, characters from many types of writing systems can be combined within the same email. In the above examples, we saw Cyrillic and Greek characters as well as phonetic (IPA) symbols. Spammers use this as a trick to bypass spam filters. However, the spam filters in Kaspersky Lab products are designed in such a way that they cannot be easily deceived, even if Greek letters or phonetic symbols are used.

Many websites show different text depending on where the user lives. For instance, home pages of some portals show you the news and weather of your region by default, because you are most likely to be interested in this kind of information first of all.

Of course, spammers and fraudsters also make use of this approach.

The following letter, written in Spanish, advertises an easy way to earn money online:

The attached link directs users to times-financials.com, registered in October 2013, according to the information on whois:

“Moscow City dad makes $14,000 per month” – says the title.

From Moscow? Hmmm.

Let’s try opening the same site via proxyvpn.se:

Here the dad is from New York.

If you change the language in the address and write EN instead of ES, you can view the site in English:

And if you write FR, you see it in French:

However, if you try a German proxy server, the ‘dad’ will have no idea where he is, and there will be no city name in the title:

The link for these pages is one and the same and leads to yourbinarysystem.com, registered in January 2014. The site promises users wealth beyond their dreams, and yet another link directs to a third site with a standard pyramid scheme.

We haven’t received any letters with links to this ‘dad’ in any other language, except for Spanish. However, we are pretty sure the creators of the pyramid scheme are also sending out letters in other languages to attract attention to their website. If you receive a message like this, please forward it to us!

The now-notorious arsenal of ‘Nigerian’ tricks has been enriched with yet a new scam.

A Peter Gamba (or Gamaba?) from Uganda is asking for help: in his homeland he faces the threat of persecution for his sexual orientation. The sender claims he is threatened with jail or even death. But he has money – $3,300,000. The message then follows the usual scenario – you take his money, put it to your bank account and get 20% of it in return for your help.

Minority discrimination is a very topical issue today (especially in the US where a significant proportion of English-speaking Internet users live). It is almost impossible to avoid this topic and almost everyone has their own opinion on the issue. So the criminals know what they are doing: even if some of the recipients turn out to be conservative champions of more traditional values, there’s bound to be someone who sympathizes with this unfortunate citizen of Uganda facing persecution.

Persecuted widows of overthrown presidents and prime ministers can still be encountered online, though most Internet users are wise to this type of story. This has forced the cybercriminals to look for new ways to arouse sympathy and, of course, greed.

There are plenty of fraudulent messages with the content along the lines of “your email address won a million dollars in a lottery, please contact us to claim your prize”. Internet scammers use this trick to trick users into giving away money: before they can claim their alleged prize the “lucky winners” have to pay tax or a bank charge for a money transfer, etc.

We have now come across an interesting variation of this trick, which involves a Facebook account instead of an email address.

Now, why does Eduardo Saverin (a real person and one of the founders of Facebook) need to know my Facebook username if my account has already won a prize? But an unsuspecting user, blinded by the promise of a huge prize, may not think about that – and that’s what the scammers are counting on.

I’m sure the readers of this blog wouldn’t fall for something like a “Facebook prize”, but our relatives and friends have accounts too, and they may not be so experienced in the ways of online fraud. That’s why they should be warned that such letters are nothing but a scam.

• Nigerian scammers
• Tell us the tales!
• Oh, the people you’ll meet!
• Don’t believe your eyes

An online friend of mine from a small Siberian town recently posted on her blog about how her mother fell for a scam and lost the family savings in hopes of getting some nonexistent inheritance from Africa.

My friend gave her elderly parents a computer, but it did them more harm than good. They received an email — allegedly from the employee of a bank — written in poor English but with amazing news: Anna Sergeyevna (name changed), my friend’s mother, was in line for a million-dollar inheritance. As it turned out, they had a relative in Africa, Mr. John Sergeyev, who had passed away. Mr. Sergeyev had no heirs, but his lawyer began to search for his client’s relatives online, and after much time and effort, he had finally found them in this small Siberian town.

After that, all communication stopped — emails and phone calls elicited no response.

Nigerian scammers

Unfortunately, Anna Sergeyevna was yet another victim of the so-called Nigerian scammers. Their scams (also called Nigerian 419 scams) are fairly straightforward: they send out emails typically requesting assistance in cashing out a very large sum of money (usually worth millions of dollars), proposing to split a large share of someone else’s money with the recipient, or telling the recipient that they are due to receive a large inheritance. But in order to successfully execute these transactions, the intermediary or the alleged heir needs to first cover some minor (compared to the riches to come) costs. The scammers are always armed with scanned documents to show their potential victims, and back up their claims with evidence of legal support or the word of a respectable figure which backs up the tales told in the initial email. Regardless of the fine print, though, the result is always the same: once they get your money, they vanish.

Each month, Kaspersky Lab filters intercept tens of thousands of Nigerian scam letters in different languages.

Glossary: Nigerian letter fraud

Synonym for “419 scam“

These 419 scams have been covered online and in the press. But there will always be people who have either just started to use the World Wide Web or who choose not to listen to sound advice, and those who are simply naïve and genuinely believe the scammers’ promises.

These scams have been doing the rounds for some time: the first Nigerian scam letters offering large sums of money appeared in the 1980s and were sent then by plain old snail mail. With the emergence of the Internet, Nigerian scammers welcomed the new advantages of emails. These days, Nigerian scam mailings are organized by scammers in countries all over the world.

The first Nigerian scam letters were allegedly written by the widows or children of Nigerian government officials, whose millions could only be cashed abroad. This is how the scam took on the name of “Nigerian” scam letters. Later, the stories fabricated by the scammers became more varied and inspired, and even won the Ig Nobel Prize (an American parody of the Nobel Prizes) for literature in 2005.

Tell us the tales!

Typically, scammers have just a few tricks in their bag that can be combined in one email. Nevertheless, each premise has several variations: the names used can be those of politicians, the fatal diseases and stories involving bloody murders can sometimes be impressive, and the amounts of money are always substantial — nothing less than fifty thousand dollars or euros.

The classic

Below is one example of the classic Nigerian email, where the author discusses the death of his father. Only in this example, to bring it into line with the latest news, the father was not killed during the Nigerian civil war, but was instead a victim of Gaddafi’s regime.

The lonely young heiress who needs your help

One classic set-up is a letter written by a young lady who has inherited a large estate somewhere in a war-torn African country. These emails typically target men who are registered with online dating sites (of course, these beautiful young ladies always upload their photos).

The contents of these emails go something like this:

“I am the daughter of a murdered millionaire, a refugee hiding from my father’s killer. I have a bank account holding my late father’s estate, but I need help to get it out of the bank. I can even fly to you to take care of all of the transactions with your help in your country. I am so young, and so lonely…”

The inheritance

Someone else’s inheritance is all well and good, but your own is even better. At least, that seems to be the scammers’ logic behind this type of scam email, which informs recipients of large estates bequeathed to them from previously unknown, wealthy relatives:

“Your relative in [insert very far away country here] has passed away. You did not know him, but you are his only heir. I am his lawyer [accountant, pastor], and I will help you with the paperwork.”

This is the type of letter that my friend’s mother received.

The dead guy’s loot

In this version, the person who has died is not a relative, but someone with the same name. He does not have any living relatives or heirs, nor has he written a will – and sadly it seems that all his vast wealth will go straight to the government! Rather than see the money go to waste, staff at the bank where the estate is held have apparently sought out a potential recipient, someone with the same surname who can claim the cash. And in exchange for their efforts, they ask for a small pittance of just 30% of the total amount.

But what if no one with the same name as the late millionaire can be found? Not to worry; the cash can still be shared out. The late millionaire has no living relatives, and his money is stuck in the bank. But the employees at the bank encourage the recipient to serve as the heir, and in exchange for their efforts, the new-found heir will grant them a portion of the plunder.

The philanthropist in search of a good Samaritan

Nigerian scam letters are also sent allegedly from wealthy figures on their death beds, looking for just one good and honest soul to whom they can bequeath their entire estate. As a rule, the protagonist of these emails is childless, a millionaire widower or widow (the latter being the most common version).

Here is an example of this type of scam:

The business proposal

Disgraced millionaires don’t escape the scammers’ attentions either — their money can be divvied up as well!

An alleged lawyer, accountant or personal assistant to some well-known person needs help: his client’s (or boss’s) money can’t be cashed out in their native country, but it can be transferred abroad to someone’s account. You’ll get 50% of the sum for helping out!

We received these types of letters from, allegedly, an assistant to the son of the ousted Egyptian President Mubarak, the widow of Badri Patarkatsishvili, a personal assistant of Muammar Qaddafi who managed to somehow escape from Libya, from Mikhail Khodorkovsky’s accountant, and from countless relatives of African government officials whose names no one has ever heard of but who are victims of oppression in their war-torn countries.

Here’s an email supposedly sent by the widow of Georgian millionaire Patarkatsishvili:

The mysterious box full of cash

In addition to the countries where government officials suffer through no fault of their own and are at the mercy of oligarchs, there are also countries torn apart by war. It seems Nigerian scammers think war-torn countries provide an ideal setting for intriguing stories told in emails from soldiers.

“I am a US soldier. During military operations in Iraq [or Afghanistan], I found a box full of money. I intend to keep it for myself, but I do need to transfer the cash to a reliable place. I have chosen you for this purpose. Please let me send the box to you, and once my tour is over, I will come to get the box. I’ll give you half of the money for your troubles.”

In some letters, the “soldiers” hint that the money could have been Osama bin Laden’s. One such letter claims his estate was $12.5 million. How all of that fit into one tiny metal box will forever remain a mystery.

The compensation

And finally, a devious scheme aimed at would-be freeloaders:

There are both longer, more detailed boilerplates for these types of emails as well as the brief ones, as in the example above. They all promise compensation for the unlucky victims of scam and fraud. The recipient of the email is supposed to quickly get the hint that no one is going to check to make sure this is legit, and he’ll be raking in the cash thanks to a simple government error.

But it’s all fair play. Want to get compensation without actually having fallen victim to a scam? You won’t get money, and you’ll end up becoming a victim of fraud.

Oh, the people you’ll meet!

As we mentioned above, Nigerian scam emails don’t all originate in Nigeria and now come from countries all around the world. The authors of these emails typically write in English or French, and online translation sites help them translate their literary masterpieces into any language, including Russian. The scammers can also use machine translation sites to read any responses they may receive from their potential victims.

One email from “the daughter of a major political figure” from the Ivory Coast arrived in our inbox in the artificial language of Esperanto. A quick search for the name Rosina Jillian Tagro showed that the baroness also sends letters in Polish. We can only guess where the author is really from.

Sometimes letters are simply addressed “Dear Friend,” in the hope that the recipient will fall for it, reply, and the scammer will be able to harvest the victim’s first and last names from the reply email.

As we saw above, scammers often know the first and last name of the recipient. Unfortunately, it is not particularly difficult to gain access to databases of names and addresses. If you have ever received spam, it means that your information is in at least one such database, which in turn means you may also become a target for Nigerian scammers.

Even if an email uses the recipient’s name, oddities resulting from cultural ignorance do sometimes occur. For example, a recipient entered in a database as Petrova Olga may receive a curiously composed email that starts: “Dear Mr. Olga! Someone who shares the same name as yours, Mr. John Olga, has passed away.” Russian names are a complicated thing. But this doesn’t discourage the scammers — 99 recipients of this type of email may read it, laugh, and forget all about it, but the gullible one hundredth recipient might just take the bait.

Don’t believe your eyes

If you receive an email promising you millions from an inheritance, as a gift, or as a reward for acting as an intermediary in cashing bank funds or taking money out a country suffering from unrest, think long and hard before sending any replies. These emails are sent by scammers only!

Don’t get over-excited, even if it seems like a wealthy widow, the beautiful daughter of a murdered oil tycoon or the staff of a major political figure might be writing to you personally and addressing you by name: the scammers know where and how to get their hands on databases filled with names and addresses.

If the authors of the emails send scanned copies of documents as evidence of their honesty and the existence of their millions, don’t be too quick to take them for scans of actual documents. Malicious users typically have no problems falsifying documents. It’s easy to make a fake document — scan a passport, a bank statement, legal statement, or a photograph of a pastor surrounded by his parish, and use Photoshop or another photo editor to apply some basic changes to the images.

The safest choice of all is to avoid opening emails from unknown senders. If you still want to see what kinds of tales the “Nigerians” have for you and have a laugh at the expense of machine translation, then no harm done. And send your Nigerian scam letters to Kaspersky Lab — it will help us protect other users against scam attempts.

Earlier, we wrote about the tricks that fraudsters often use on their gullible victims. There’s a prize for you, just pay a small fee to open a bank account (or transport costs, bank fees, overheads etc.), and you will be a millionaire! Sounds familiar, doesn’t it? However, old tricks become stale over time, and readers become alert and suspicious to them. So, the fraudsters have come up with a new variation of an old scam.

Apparently, the fraudsters assume a victim will find it easier to believe in a generous donation from a complete stranger than in a lottery ticket that they have purchased themselves.
Here is another letter in the same vein:

The link in the letter leads to a Daily Mail article which does indeed confirm that someone has won over $60 million in the lottery, but hasn’t collected their money.

Both these letters are strikingly similar to Nigerian scam. The potential victim is not reeled in by the prospect of a cash prize, but is tempted by a donation or a dodgy money-making proposal in supposed partnership with the message writer.

It’s amazing how often we get a message telling us we’ve won the lottery. These glad tidings share plenty of similarities: the winner is notified that he has won a handsome sum of money in a certain lottery and must contact a lottery official to receive it. Sounds tempting, but alas, this is nothing more than network fraud .

In order to receive the winnings, the user is asked to send money – ranging from a few hundred to several thousand dollars – to a specified account. This is ostensibly to meet expenses like money transfer commission, taxes, fees for opening a bank account, etc. The “lucky winner” often sees this money as insignificant in comparison to the sum they’ve just won. However, once they receive the “fee”, the fraudsters disappear, and the unwary user has little chance of ever finding them.

Be careful! Do not fall for these scams!

Telltale signs of lottery fraud

So, how can a user identify a fraudulent message?

The answer is simple: if you haven’t participated in a lottery, all “winning” messages are fraudulent.

The reader’s next question may be: what if I have in fact taken part in a lottery in the hope of a big win?

If the prize draw has actually taken place and you have actually participated in the lottery, you will be addressed by your name (or the number of the lottery ticket that you purchased), and the letter will contain the address and the name of the company that organized the lottery.

Fake lottery win notifications may come in a variety of shapes and sizes. A lot of them contain bad spelling mistakes. This is a sure sign of a fraudulent message. Serious lottery companies have editors and copywriters to make sure their letters are written properly.

In some cases, the fake messages are well written, but they are sent from public mail servers like gmail.com, hotmail.com or yahoo.com. Please remember that messages from a reputable company are always sent from corporate addresses.

In some fake lottery messages, you may be asked to reply to an e-mail address which is different from the sender’s address, e.g. to the address of an “agent” or “manager”.

In other words, a fake lottery message will always contain some type of discrepancy. Watch out for them.

Congratulations…

Here are some typical ‘Lottery letters’ that make use of the ploys most favored by the fraudsters.

A European lottery…in Nigeria

One email informs recipients that they have won a prize in a European lottery:

Expressions such as “your email address was selected” or “your address has won” are telltale signs that the message is part of a scam. After all, you haven’t used your address to participate in a prize draw, have you? And even if you have, it was unlikely to have been the European lottery named here.

If nothing else, the request to contact a Mr. Marshall Ellis in Nigeria, who for some reason uses the public service live.com, is bound to convince us that what we are dealing with here is spam – lottery organizers just don’t ask winners to contact them at their personal email addresses. All communication in such cases would be sent to and from a business address. Moreover, if the lottery is European, then why does Mr. Ellis reside in Nigeria?

Highly inquisitive users may well wonder about the euroonlinelottery.com domain from which the message was sent. Their suspicions would be confirmed. Yes, that’s right, no such site actually exists. Instead, the browser redirects to wn.com (World News). There is no sign of a lottery at the site and never has been.

Participating in lotteries without knowing about it

The second message promises a lottery win from Coca Cola, but, inexplicably, is sent from a French Yahoo! server:

The fraudsters obviously expect some recipients to suspect a scam and attempt to convince them otherwise. Here’s another example of a scam that no doubt appears to be perfectly plausible from its authors’ point of view:

We won’t bother citing this rather long message, which is designed to look like an email from Google, in full. We only want to draw your attention to the second paragraph where it states: “The online draws was conducted by a random selection of email addresses from an exclusive list of E-mail addresses of individuals and corporate bodies picked by an advanced automated random computer search from the internet. However, no tickets were sold but all email addresses were assigned to different ticket numbers for representation and privacy.”

Name-dropping

It’s easier to get the victim to take the bait if the fake lottery uses the name of a reputable organization, be it Coca Cola or Google, BMW or McDonald’s, Microsoft or Yahoo! Unfortunately, these companies cannot do anything about random fraudsters exploiting their names for their own ends.

These messages claim to come from large companies which are allegedly conducting lotteries. The attachments contain more “you won” messages. But why would representatives of all these companies send messages from public mail servers like Gmail or MSN?

Should you receive an email of this type, visit the specific company’s official website; most likely, you will find that the company is not actually holding a lottery of any kind. Furthermore, if you Google “Coca Cola lottery”, “Yahoo lottery”, “Google lottery” etc., you will receive links to articles describing this type of online fraud with specific examples and even victims’ stories.

Lost in translation

The Google Translate service has made life much easier for online fraudsters with international ambitions. If earlier their target audience was limited to their compatriots, now they can send messages to users all over the world. We routinely receive such notifications in English, German, Spanish, Portuguese, Ukrainian, Polish, Norwegian and a number of other languages, not to mention Russian.

Below are examples of the joint creative efforts of the fraudsters and translating machines. The sample texts are in English, German and Spanish.

We can’t really imagine that any of our readers would be suckered by such linguistic creations, but still, we urge all users to be cautious. Real lottery organizers would not mutilate a language like that in the above examples.

Beware!

We could go on forever with examples of fake lottery win messages. According to Kaspersky Lab’s statistics, messages like this can make up as much as three percent of all spam in any given month – that’s thousands of messages. To avoid falling victim to online fraud, you need to follow some simple rules:

1. Remember, you cannot win a cash prize in a lottery you have not participated in.
2. Do not trust automatically translated messages or those containing obvious mistakes.
3. Always check the sender’s email address(es). Lottery organizers will not send messages from free mail services.
4. If you still think the message you have received is about a real win, check all the information. Use search engines to look at the lottery name, the senders’ names and telephone numbers. Among the search results you may find detailed commentary.
5. Most importantly, always remember: there is no such thing as a free lunch.

The wedding of Kate Middleton and Prince William is by far the most popular topic of conversation today. It’s virtually impossible to look at a newspaper or a blog without seeing some mention of the royal newlyweds. And now we are getting in on the act.

And it’s not because we here at Kaspersky Lab take a major interest in the private lives of the British royals. But spammers obviously do – take a look at the offer we received today:

Yes, fake Swiss watches and iPads are so passé – what you need is a replica of Kate Middleton’s engagement ring, originally given to Lady Diana by William’s father Prince Charles. The spammers claim you now have the chance to “own a piece of British royal history”. This royal family heirloom also comes complete with a “certificate of authenticity”.

The revolutions spreading across the Arab world have grabbed the attention of people across the globe, including cybercriminals: so-called ‘Nigerian’ spam emails have recently appeared claiming to be from a variety of “relatives” of Gaddafi and Mubarak. There’s absolutely nothing new about the messages they send: the ‘Nigerians’ don’t always introduce themselves as the solicitor of some anonymous oil tycoon or a dying widow of an innocent civil servant who was murdered; increasingly, they are legally-appointed executors or relatives of well-known people who have suffered in one way or other at the hands of political opponents.

For instance, some time ago we received an email from an Olga Patarkatsiashvili who wrote in poor English asking to help her transfer the millions of the late Badri Patarkatsiashvili (a Georgian businessman and presidential candidate who died in 2008), emphasizing that she herself has been denied access to his funds. Following the wave of protests affecting Arab countries there has been a steady stream of Egyptian- and Libyan-themed ‘Nigerian’ spam.

A certain Barrister Alexander James Williams, who claims to be a representative of Hosni Mubarak, asks for help in transferring 29 million pounds. He claims that a UK resident is required to process the transaction, but the email was sent to a Russian resident who has an account with the Russian email service mail.ru.

The legal firm Galadari and Associates based in Dubai and supposedly representing Hosni Mubarak’s son asks for help in transferring US$145 million (suggesting the son is considerably richer than his father). Notably, Galadari and Associates “have studied your profile and know your position”, and are therefore quite sure that the transaction will be a success.

In the third email from “the personal account officer of Hosni Mubarak”, the amount of money is not stated, though the message is the same: please help to transfer funds – we cannot do it ourselves because of the revolution.

Emails from the family members of alleged victims have also come from Libya. Here is an email supposedly written by the “son” of Muammar Gaddafi who says his name is Saif al-Islam Al-Gaddafi. Together with his father they have decided to transfer their funds abroad “before the crisis get more worse”. So, you are welcome to help the president’s son “if you are interested and willing”!

Moussa Koussa, Libya’s ex-minister of foreign affairs, does not state his purpose directly. He simply asks the recipient for help, obviously hoping to get someone’s attention and enter into correspondence and will most likely inform the interested partner the amount of money later. However, the address in the “From” field is a bit strange and looks as if the sender has forgotten to change it after a previous spam mailing.

Of course, the Internet is awash with such messages, with the number of references to the senders’ biographies as well as the number of mistakes varying from message to message. If nothing else, the criminals have once again demonstrated how quickly and flexibly they can react to the latest news – they simply modify their templates to suit the latest events, increasing the chances of someone falling for their scams.

So, while pseudo-benefactors collect funds for earthquake victims in Japan, those behind the ‘Nigerians’ letters are transferring millions of dollars from Hosni Mubarak and Muammar Gaddafi’s bank accounts.