
October 2010

419 scams still arrive by postal mail

You may be familiar with 419 (also known as Nigerian) scam emails. Fake lottery notifications, investment opportunities and advance-fee frauds are all examples of 419 scams, named after Section 419 of the Nigerian Criminal Code, under which apprehended fraudsters are prosecuted.

You may be surprised to learn that 419 scams still arrive by postal mail. A colleague recently shared one he received through the post. This particular letter is most likely the lure for an advance-fee fraud. In a scam of this kind, the scammer first tries to persuade the victim to make contact by email or phone. He then continues the deception and attempts to convince the victim to assist with a funds transfer. At some point the scammer hopes to persuade the victim to pay an advance fee to facilitate the transfer, promising that the victim will earn a much larger payment once the transfer is concluded. The scammer then takes the victim's payment and disappears.


This letter contains many of the classic 419 persuasion techniques: a plea for help from an expatriate of an African nation who needs *you* to assist him with an investment of millions of US dollars which of course must be handled immediately and confidentially. Casual searches on information contained in the letter may not be enough to debunk the correspondence as a scam: according to this news source, former Ambassador to India, General Kayumba Nyamwasa, was in fact shot and critically wounded in Johannesburg, South Africa. The lesson here is that scammers anticipate skepticism and include partial truths to convert skeptics.

Other searches reveal that Rosette's email account (partially obscured) is assigned by a legitimate US business based in New York City; oddly, neither the company nor any connection to the Nyamwasa family is mentioned in the letter. The investigator who had this email account terminated confirmed that the connections used to check the mailbox came from South Africa. The telephone number's country code (+27) is South Africa's as well.

So what should you believe if you receive correspondence like this, whether by email or by post? Nothing. Instead, report any correspondence you suspect to be a scam.

Abuse of Domain Privacy Protection Services: Act Deux

Colleague Steve Sheng and I presented the second study in an ongoing series on the abuse of privacy protection services by spammers at the APWG eCrime Researchers Summit in Dallas. For this study we sought a larger sample collected over a longer period. By automating our collection methodology we obtained 58,000 domains from the Spamhaus DBL for August and September 2010. All of the alleged spam domains we used were registered in generic top-level domains (com, net, info, org, ...). We collected the domain registrations using WHOIS and extracted the sponsoring registrar and the proxy/privacy service provider from them using parsers developed by two CMU students, Nicolas Cristin and Ryan Su.

We compared our results against our April 2010 study and a study of private registrations by NORC (Sept 2010):  


The studies show that a higher percentage of spammers use privacy protection services than registrants randomly selected from the general population, and that the percentage of spammers using them is consistent across our two study samples.

Studying a longer period gave us some additional insights. When we examined the dates on which domains were reported as spam by Spamhaus, we observed "reporting spikes": bursts in the volume of spam domains registered in a given registry through a specific sponsoring registrar:


We're going to study these spikes more closely to understand what causes this behavior beyond the obvious explanation, the reporting of a single spam campaign. Why did the spammers use this registrar and this registry? Were they influenced by a promotion? A bulk discount? Bundling of privacy protection with a new registration?
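As an added worked example (not code from the original post or from the study itself), here are the two steps described above in Python: a small parser over constructed WHOIS records that decides whether a registration sits behind a proxy/privacy service, and a spike detector that groups constructed DBL-style listing dates by registry and sponsoring registrar and flags days that stand out against that pair's median. The privacy-service marker list, the spike thresholds, and every domain name, date and WHOIS record below are assumptions made for the example.

```python
"""Added example (not from the original post): parse WHOIS output to tell
privacy/proxy-protected registrations from ordinary ones, then scan DBL-style
listing dates for reporting spikes per registry/registrar. All WHOIS text,
domain names and dates below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Assumed marker strings for common proxy/privacy services. A real study would
# keep a curated, per-registrar list; this one is only illustrative.
PRIVACY_MARKERS = ("domains by proxy", "whoisguard", "privacyprotect",
                   "whois privacy", "private registration", "contact privacy")

# Constructed WHOIS records in the "Key: value" layout used by gTLD registrars.
SAMPLE_WHOIS = {
    "cheap-pillz.example": (
        "Domain Name: CHEAP-PILLZ.EXAMPLE\n"
        "Registrar: Example Registrar A, Inc.\n"
        "Registrant Name: Domains By Proxy, LLC\n"
        "Registrant Organization: Domains By Proxy, LLC\n"
        "Registrant Email: cheap-pillz.example@domainsbyproxy.example\n"),
    "rolex-4-less.example": (
        "Domain Name: ROLEX-4-LESS.EXAMPLE\n"
        "Registrar: Example Registrar B\n"
        "Registrant Name: WhoisGuard Protected\n"
        "Registrant Organization: WhoisGuard, Inc.\n"
        "Registrant Email: 1a2b3c@whoisguard.example\n"),
    "small-biz.example": (
        "Domain Name: SMALL-BIZ.EXAMPLE\n"
        "Registrar: Example Registrar A, Inc.\n"
        "Registrant Name: Jane Doe\n"
        "Registrant Organization: Small Biz LLC\n"
        "Registrant Email: admin@small-biz.example\n"),
}

FIELDS = ("registrar", "registrant name", "registrant organization",
          "registrant email")


def parse_whois(text):
    """Return the fields of interest from one WHOIS record as a dict."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in FIELDS:
            rec[key] = value.strip()
    return rec


def uses_privacy_service(rec):
    """True if any registrant field names a known proxy/privacy service."""
    haystack = " ".join(rec.get(k, "") for k in FIELDS[1:]).lower()
    return any(marker in haystack for marker in PRIVACY_MARKERS)


def privacy_share(whois_by_domain):
    """Fraction of domains whose registration is behind a privacy service."""
    recs = [parse_whois(t) for t in whois_by_domain.values()]
    return sum(uses_privacy_service(r) for r in recs) / len(recs)


def _constructed_listings():
    """Rows of (domain, date listed, registry, sponsoring registrar)."""
    rows = []
    for d in range(1, 9):  # baseline: one .com listing per day via Registrar A
        rows.append((f"base{d}.example", date(2010, 8, d), "com", "Registrar A"))
    for i in range(6):     # burst: six more on Aug 5 via the same registrar
        rows.append((f"burst{i}.example", date(2010, 8, 5), "com", "Registrar A"))
    for d in range(1, 5):  # Registrar B in .info: steady two per day, no spike
        rows.append((f"b{d}x.example", date(2010, 9, d), "info", "Registrar B"))
        rows.append((f"b{d}y.example", date(2010, 9, d), "info", "Registrar B"))
    return rows


SAMPLE_LISTINGS = _constructed_listings()


def find_spikes(listings, factor=3.0, min_count=3):
    """Flag (registry, registrar, day) tuples whose listing count exceeds
    factor * median daily count for that registry/registrar pair. The
    thresholds are arbitrary choices for the example, not from the study."""
    counts = Counter((registry, registrar, day)
                     for _dom, day, registry, registrar in listings)
    by_pair = defaultdict(list)
    for (registry, registrar, day), n in counts.items():
        by_pair[(registry, registrar)].append((day, n))
    spikes = []
    for (registry, registrar), days in by_pair.items():
        baseline = median(n for _, n in days)
        for day, n in days:
            if n >= min_count and n > factor * baseline:
                spikes.append((registry, registrar, day, n))
    return sorted(spikes)


if __name__ == "__main__":
    print(f"privacy-protected share: {privacy_share(SAMPLE_WHOIS):.2f}")
    for registry, registrar, day, n in find_spikes(SAMPLE_LISTINGS):
        print(f"spike: {n} domains in .{registry} via {registrar} on {day}")
```

On the constructed data the privacy-protected share is two thirds and the only flagged spike is the Aug 5 burst through Registrar A in .com; Registrar B's steady two listings a day never clears the threshold. Marker-string matching on registrant fields is deliberately crude: registrars format WHOIS output differently and privacy services rename themselves, so in practice the marker list has to be maintained per registrar, which is the reason the study used dedicated parsers.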

I'm a big believer in the axiom "go where the data lead you". We'll continue to sample and study privacy protection services. Meanwhile, if you have an opinion regarding registration spikes, leave a comment.