Schneier on Security
A blog covering security and security technology.
« Terrorists Prohibited from Using iTunes |
| Man-in-the-Middle Attack Against Chip and PIN »
February 11, 2010
Interview with a Nigerian Internet Scammer
Really interesting reading.
Scam-Detective: How did you find victims for your scams?
John: First you need to understand how the gangs work. At the bottom are the "foot soldiers", kids who spend all of their time online to find email addresses and send out the first emails to get people interested. When they receive a reply, the victim is passed up the chain, to someone who has better English to get copies of ID from them like copies of their passport and driving licenses and build up trust. Then when they are ready to ask for money, they are passed further up again to someone who will pretend to be a barrister or shipping agent who will tell the victim that they need to pay charges or even a bribe to get the big cash amount out of the country. When they pay up, the gang master will collect the money from the Western Union office, using fake ID that they have taken from other scam victims.
Scam-Detective: Ok, I also want to talk more about how you managed to get your victims to trust you. I know it can be difficult for legitimate businesses to persuade customers to buy their products, yet you were able to convince people to part with their cash to get their hands on money that never existed in the first place, with at least one taking an international flight on top. That's quite a skill, how did you learn to do it?
John: Once I had spent some time as a "foot soldier" (* sending out initial approaches and passing serious victims to other scammers) I was promoted to act as either a barrister, shipping agent or bank official. In the early days I had a supervisor who would read my emails and suggest responses, then I was left to do it myself. I had lots of different documents that I would use to convince the victim that I was genuine, including photographs of an official looking man in an office, fake ID and storage manifests, bank statements showing the money, whatever would best convince the victim that I, and the money, was real. I think the English term is to "worm my way" into their trust, taking it slowly and carefully so I didn't scare them away by asking for too much money too soon.
Scam-Detective: What would you do if a victim had sent money and couldn't afford to send more, or got cold feet?
John: I would use whatever tactics were needed to get more money. I would send faked letters which stated that the money was about to be taken out of the account by the bank or seized by the government to make them think it was urgent, or tell them that this was definitely the last obstacle to the money being released. I would encourage them to take out loans or borrow money from friends to make the last payment, but tell them that it was important that they didn't tell anyone what the money was for. I promised them that the expenses would be paid back on top of their share of the money.
John: We had something called the recovery approach. A few months after the original scam, we would approach the victim again, this time pretending to be from the FBI, or the Nigerian Authorities. The email would tell the victim that we had caught a scammer and had found all of the details of the original scam, and that the money could be recovered. Of course there would be fees involved as well. Victims would often pay up again to try and get their money back.
This sounds just like any other confidence game; in fact, it's a modern variation on a classic con game called the Spanish Prisoner. The only difference is that this one uses the Internet.
Posted on February 11, 2010 at 7:19 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
At this point, is Western Union anything other than a massive money laundering operation?
This is more sophisticated than the 'guy in a cybernet cafe' model.
Spanish Prisoner as a buisness model...hmmmm. Much as I like Steve Martin....I'd have to say it sounds more like Glengarry Glen Ross.
OMG! Boca Raton has been outsourced!
What I don't get is why don't they change Nigeria to some other country in their spam?
The interesting point from my point of view is the use of human resources.
With the likes of China and others having "bucket shops" where an "owner" has a room with PC's and rents out the keyboard jockies to the next level up the food chain (ie 30cents/capatcher, 10cents goes to the keyboard jocky).
I suspect a study of the economics of each level would be profitable with regards to prevention.
Also of interest in the article:
"In the year before I was arrested I earned about $75,000 (£46,000) for my family."
It's easy to see why Nigerian, and Russian, authorities aren't cracking down to harshly...
@Clive 'would be profitable with regards to prevention.'
Anything with an organization can be picked apart? I agree with the concept but can find little literature on how you'd go about doing it. Either it's all aimed at street level individual actors or it's on the level of deploying strategic weapons. Any citations for the middle ground?
>At this point, is Western Union anything
>other than a massive money laundering
Heard the other day that Mexico's remittances from the U.S. fell from $26B to $20B. It's there second largest source of foreign trade after oil.
I'd suspect an awful large amount of that travels through Western Union and the like.
I couldn't find the U.S. annual loss figure, I found one that claimed $150M/year in 2005 for the U.K., which extrapolated to the U.S. population would be $750M/year.
So back-of-the-napkin math is for every dollar sent legitimately (if you don't count the immigration status of the earner) by Western Union to Mexico, 3 cents was transferred to a Nigerian scammer.
So it seems WU still would have a large and legitimate business.
For scale, the U.S. Secret Service currently puts ATM card skimming losses in the U.S. at $800M.
Those numbers are quite large enough to support well organized criminal syndicates, but let's keep the perspective that they're just a tiny fraction of the total size of our economy.
@Sebastian - they do. I've seen emails pertaining to be from South Africa, Palestine, Honduras, Cameroon, Chad, and a handful of other countries.
In general though, I figure they don't need to change their country of origin.
Anyone who thinks that this kind of scam can be stopped is an idiot.
It's been going on for hundreds of years. Possibly longer.
As with most other things, improved communications (the Internet) just provided a way to speed up the process and allow layers of specialization.
@ BF Skinner,
"Any citations for the middle ground?"
However the history of the UK "Pirate Radio" legislation should give you an idea of what the respective authorities (Post Office, Home Office, Dept of Trade and Industry, OfCom) in turn have tried and how the "Pirates" have evolved around the issue.
Put simply Pirates are a "political" problem not an actual problem.
The likes of the big broadcasters see them as stealing advertising revenue (not true) the Performing Rights Society etc regard them as theives (the artists see them as free "air play"). Most people who listen to them do so because they provide something other than the three big comerical operators (who own over 80% of the supposadly indipendent stations) "aproved play list"
That is it is a monopoly market designed specificaly to get "advertising revenue" and push "dependent artists" from the likes of Simon Cowel (yes the multi-millionair of the X-Factor).
OfCom are a UK Gov quango that is very self interested and does not represent the view of the UK populus or others and is a political football.
The result is the Big Money Boys regard pirates as stealing the market they have bought and paid for. And thus get very upset and lean on the politicos (they also consider to have bought and paid for) to do something.
Back in the 1980's there was a sea state change Norman Tebbit had little sympathy for the "civil service" types who regarded pirates as being worse scum than drug dealers as had Harold Wilson (Labour PM in the 60's) who had introduced the "Marine Offences Act". The result was Pirates got a good foot hold on the UK mainland and little or nothing was done to stop them.
A clasic example was "Solar Radio" in London that had so much of the "youth audiance" that Coca Cola told Capital Radio that it was going to stop the near on 1million GBP a year advertising budjet and redirect it towards the pirates.
Little "Dickie" (Richard) Attenborough who was a major figure in Capital Radio, went and banged every political head he knew making all sorts of threats and FUD and impressing on anyone who would listen that the Pirates where akin to subversives and would bring the country down.
The result was significant preasure on the likes of Eric Gotts who used every legal and illegal trick (Yes he got a criminal prosecution to his name) he could to stop the Pirates (Much as the Boston Authorities currently treat artists and students as terrorists...).
Through to the current OfCom using the likes of RIPA to attack the Pirates, which initialy failed, then on the advertisers which again failed. Through to perverting the use of the EU R&TTE Directive and OfCom officers perjuring themselves to judges and majistrates to illegaly attack legitimate suppliers of components that the Pirates obtained by setting up false companies to order through.
Interesting paper: "Understanding scam victims: seven principles for systems security".
@ Brandioch Conner,
"Anyone who thinks that this kind of scam can be stopped is an idiot."
And rearanging the words somewhat gives the reason,
This kind of scam can not be stopped as long as anyone thinks like an idiot
Why on earth anyone should think that a Nigerian General's son is going to specificaly contact them out of the blue to get their fathers supposed ill gotten gains out of Nigeria is beyond me.
That is the old business rule of,
The greater the apparent reward, the greater the real risk.
Most definatly applies.
However to be caught twice is the mark of an imbecile not an idiot (heated coin test from early last century).
And as for three or more times then they would (as with the heated coin test) be morons, and thus should be protected from themselves.
@Sebastian "What I don't get is why don't they change Nigeria to some other country in their spam?"
I've had the same offer (in a snail mail!) from England from someone claiming to be an English lawyer. This was the "You have the same surname as my late client" variation.
I'm guessing that they mostly use their real country so if the mark asks for evidence of location they can easily get a photograph taken outside some famous landmark.
@Clive Robinson "This kind of scam can not be stopped as long as anyone thinks like an idiot"
Very true. What is it about greed that turns off the critical faculties of so many?
"Much as the Boston Authorities currently treat artists and students as terrorists..."
That might be a reference to the Lite Brite thing, but I think its a little too harsh. The Boston/Cambridge area contains over thirty universities and colleges, including MIT, Harvard and Boston U. There's at least a hundred thousand students in the area (probably more). Boston is basically a student town, and the local politicians are well aware that those students vote. Boston has always been a leftish, activist sort of place.
The other day I was trying to sell a netbook and published an ad in a site that is frequented by people in my city. Since I was only interested to do the sale locally. I live in Bolivia.
However, I received a response in Spanglish offering 3x the cost I initially asked for if I accepted an international transaction. The spanglish was very odd and I knew it is best to avoid these things but I was curious. At first She claimed to be in Argentina and that he wanted the netbook for her 'reverend' ASAP and hence the price.
Well, I kept playing along avoiding to give my bank account number and any information and at the end she gave me the address to which I am supposed to send the package, somewhere in ... Nigeria...
Well, I actually googled the email address "firstname.lastname@example.org" and received results of other Latin american people warning about these scams . Apparently the foot soldiers tend to use the same email address. Anyway , it is an interesting comment, try taking a look at the images from : http://www.gsmspain.com/foros/... . This post reminded me of that other one because once again the scammers pretend to be FBI.
Of course, the English sucks but note that the victims are specifically Latin Americans, the most vulnerable victims would not notice the bad English. I heard there were already many cases of people sending expensive goods towards Nigeria only to find out the wire receipt they got was fake...
And then there's the other side: The 419 eaters who deliberately try to waste these scammers time arguing, as long as they are busy with fake baiters, they won't have time for the real victims.
A note to all readers: Not ll 419 letters floating in the "cloud" are from Nigerians, or involve Nigerians. Nigerians do not have a patent on the art of scam letter writing, or of scamming.
"What is it about greed that turns off the critical faculties of so many?"
@Erik Norgaard: "And then there's the other side: The 419 eaters..."
there is a lot more to read about the "other side" on http://www.scamorama.com ... well worth visiting from time to time...
Has Readers Digest been studying this interview? I just had a very official looking letter, followed by a faked up special delivery envelope full of checks made out to me and more stickers, bar-codes and official looking stamps all over it than a Royal Commission. Maybe not a full blown scam but certainly misleading intent to get me to part with money to sign up for something. What one is committing to is impossible to determine from the materials provided, but presume by putting that cute sticker on the envelope I am signing up for a lifetime subscription to some crap or other,
Interesting that bar-codes are now part of the tricksters tool-bag. These must give people a false sense that this is all being electronically tracked hence a secure and officially sanctioned transaction.
One thing I was struck by: <1% response rate, and only 5% of those give money -- yet it's still profitable enough to support multiple gangs.
If there are all these layers of checking, why is the English in these things things such a joke? Indeed, the same typos pop up over and over again.
I hope that the authorities of Nigeria will do something about this scam Nokia Live promo going on right now. I know from the very start that it was a scam but still i am stupid giving my details. But they have addresses and telephone numbers mentioned in this scam which I don't think exist.
@HUge: Do NOT correct or point out their mistakes. A potential victim may spot them and figure out that this offer isn't real, after all.
We don't want educated scammers.
A while back I posted a room on craigslist looking for a roomate. A scammer answered, and I quickly put it back on the market, but decided to string him along.
He sent 3k in fake money orders. I claimed they never showed up, he sent more. Eventually, I told him the jig was up. I even told him that his money orders sucked, and I had seen better. (I had, from the previous scammer who replied to another ad)
It was amusing. The guy hounded me on IM for a month after that. Kept trying to talk me into helping him, said I would make lots of money.
All he needed me to do, was send out mail from the US, so it would have a US postmark, he would send me everything that I needed. Offered me $500 a box. He also asked if I needed any counterfit US currency.
I tried to get him to agree to cash up front in the box (I would love to get to brag about scamming cash from a nigerian scammer) but, alas, he wasn't giving it up. Too bad.
It still shocks me how many people fall for these scams..years past the origin of these and people still fall for it. Just makes no sense at all..
A known person's yahoo account was recently hacked by guessing the password, then they sent emails telling everyone that person was in distress and needed money.
What portion of Western Union money transfers *to Nigeria* are legitimate? If the answer's less than 50% then block them (a law making Western Union etc liable to refund the sender if it turns out to be a fraud would effectively do this).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.