Getting Hinky About Nigerian Scams

The first generation of computer viruses was relatively easy to identify and quarantine. Get infected, run your favorite scanner, the scanner quarantined the virus—end of story. This process worked fine until the virus writers became more sophisticated. In the early 1990’s, the world of computer viruses changed radically when polymorphic viruses came on to the scene. While early viruses were easy to indentify by their static signature, polymorphic viruses mutate and rendered the first-generation of virus scanners useless.

Similarly, the first generation of Nigerian advance-fee fraud scams was relatively easy to identify. But the real challenge was getting people not to fall for those scams. As far back as 1997, the Bureau of International Narcotics and Law Enforcement Affairs of the United States Department of State wrote a 33-page document [PDF link] that detailed the Nigerian advance-fee fraud scheme and how to avoid being a victim.

Also see Mind Games: How Social Engineers Win Your Confidence

The classic advance fee-fraud was somewhat limited in its scalability given that there are only so many permutations of murdered/deposed mothers, fathers, uncles, brothers and brother-in-laws, from corrupt governments in Nigeria, Somalia, Senegal and surroundings, and that over time, people would eventually become suspicious.

In response to growing consumer awareness the scammers started to do what the polymorphic viruses did—they mutated. However, while the scams are morphing, the end result is the same; the scammers get their money, and the victim is out, with no recourse.

With the tactics changing, what can you do to protect yourself from these scams? Technology and spam filters generally can’t identify these emails. Scammers often compose their emails to not get flagged, and are often written like a prospectus sent from a legitimate firm. The best thing you can do is get a feel for these scams. Use your common sense, and remember the adage that if something sounds too good to be true, it usually is. Finally and perhaps most importantly, develop your own sense of hinky.

What is hinky? In a fascinating article, BT Chief Security Technology Officer Bruce Schneier writes how terrorist Ahmed Ressam tried to enter the US from Canada with a suitcase bomb. Ressam was approached by U.S. Customs Agent Diana Dean, who asked him some routine questions and then decided he looked suspicious. Ressam was fidgeting, sweaty, jittery and avoided eye contact. In Dean’s own words, he was acting hinky. Ressam’s car was eventually searched, and he was finally discovered and detained.

Agent Dean did not use any fancy scanning technology; she used her experience and inner feelings to determine the hinky. And the rest is history.

Also see TSA’s Risk-Based Approach to Security

Today’s scammers require you to use your hinky to the maximum. Here is a recent scam where using hinky paid off.

Below are two screen shots from emails that initially, seem innocuous, but originate from scammers. For those without a well-developed sense of hinky, the invitation to the conference might be seem as complimentary or as a well-deserved honor. For those who reply without looking deeper, they are on their way to being scammed. This is unfortunate as these emails have a number of glaring aspects that help you recognize their fraudulent nature.

Here are a few red flags. While a single red flag does not necessarily render something a scam, when they number more than three, you should be extremely suspicious:

• Source is Africa based, and BusinessDay writes that Africa is in a league all of its own when corruption is the barometer.
• Return email address domain is usa.com, which is a link for finding cheap travel in the USA.
• Email states “We are accepting you to partake because you were recommended by one of our staff”. Legitimate emails would likely state the name of the staff member.
• Contacts to reply to have domains of gmail.com, and usa.com. Usually a conference organizer will have a web site or dedicated domain, but not so in this case.
• The contact phone numbers which have U.S. area codes redirect to Africa. When asked, the answering party stated they were in Washington, DC. When asked, they couldn’t say what the weather was like in Washington, DC or even give the name the street of their supposed office there. When called about an hour later, the same person claimed they were in New York City. The answering party was unable to provide any information about the conference, and said to register and book a hotel room, and then hung up.
• The email lists the conference website as www.aayo.co.cc. But co.cc is simply free domain name registrar.

Those who are hinky-challenged may respond and set themselves up as bait—which is exactly what the scammers are counting on. The email asks the party to supply a significant amount of personal data — no legitimate conference would require that kind of information, and certainly not at such an early stage.

The email ends with a few paragraphs of irrelevant items to give it a semblance of legitimacy. It ends with contact information, but no physical address.

If someone is foolish to respond by sending the information to the scammers, the heat will soon be on them. The scammers then send a confirmation email and advise the party that they then need to book a hotel room for their stay as detailed in the following email:

The attached registration forms are used to garner some additional personal information and give it a further semblance of legitimacy and the impression of a real conference. Once again, notice the contact information — both of them have generic addresses, not one tied to a hotel chain.

If you reply to those, you get the next email in the chain where the scam comes full circle. The scammers ask you to wire your hotel deposit to them.

Scammers always want to string the victim along and will always mix fact and fiction. In the email, the hotel claims to be a branch hotel under Accor Resorts, which is a legitimate chain. But hinky tells us that you should be able to book directly from the web site and secure the reservation with a credit card; not a cash wire transfer.

The scammers offer the victim two options for payment, of which only one will actually work, and they claim that it is the best method—specifically, the Western Union money transfer. They state they can only send the Official Letter of Hotel Confirmation letter upon receipt of the money. No legitimate hotel would ever do that.

For those who have been scammed this far, they may unsuspectingly send the money via Western Union. Once the scammers pick up their money, the scam has come full-circle. The scammers have your money and you have absolutely no resource or way to get your money back.

The reason scammers like Western Union is that it is extremely quick and reliable. Once the transferred money is picked up by the scammer, the victim unfortunately has absolutely no chance of recovering the money from Western Union.

Conclusion

Scammers are very creative and getting more sophisticated every day. They know people’s weaknesses and use them to manipulate. Scammers continue to devise a never-ending set of variants on their frauds. While you can’t defeat them, you can use your hinky to identify them, to ensure you don’t become a victim.

Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education).