Classic Spam: Nigerian Credit-Card Scams
The bottom line: Anyone who wants to buy something from your website is going to use your website's order mechanism, or at least will be able to tell you what they want to buy. If they don't do either, your bulls*it detector should be engaged.
Swindlling foreigners via the internet seems to be the number one high-tech industry in the western African republic of Nigeria. I’ve already covered the most famous Nigerian racket, the notorious advance-fee or “419” scam ; on this page is a sample of another Nigerian con game, smaller in scale perhaps but no less persistent or annoying.
From firstname.lastname@example.org Sun Jun 12 22:36:05 2005
Received: from zaxxon.io.com (zaxxon.io.com [18.104.22.168])
by mail.io.com (8.13.3/8.13.3) with ESMTP id j5CJIK9Y000134
for hidden ; Sun, 12 Jun 2005 14:18:20 -0500 (CDT)
Received: from web33713.mail.mud.yahoo.com (web33713.mail.mud.yahoo.com [22.214.171.124])
by zaxxon.io.com (8.13.3/8.13.3) with SMTP id j5CJHZ1x075466
for hidden ; Sun, 12 Jun 2005 14:17:43 -0500 (CDT)
Received: (qmail 30197 invoked by uid 60001); 12 Jun 2005 19:17:30 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
Received: from [126.96.36.199] by web33713.mail.mud.yahoo.com via HTTP; Sun, 12 Jun 2005 12:17:30 PDT
Date: Sun, 12 Jun 2005 12:17:30 -0700 (PDT)
From: SARAH MATT <email@example.com>
Subject: Order Enquiry.
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on zaxxon.io.com
Stay in touch with email, IM, photo sharing & more. Check it out!
<<HTML version of mail body omitted>>
If you happen to run a website that sells -- or even just displays -- such portable and fungible luxury goods as watches, jewelry, or fine pens. you have probably gotten a bushel of messages just like this one (I myself get at least two or three per month). What’s going on? Nothing but good old-fashioed credit card fraud. Using a variety of brute-force methods, Nigerian crooks are able to get hold of plenty of valid credit card numbers beloging to innocent parties, and they seek to use them quickly, before the fraud is detected and the numbers deactivated to buy goods that they can resell for cash.
Here’s what might happen if you decided to bite on such a message: the crook will place an order and give you a credit card number. Or maybe he’ll give you several credit card numbers (asking you to split the total among them). Maybe the numbers will all look the same except for the last few digits what a coincidence! Oh well, no matter, your POS machine approves them, so box up the order and ship it via express service to Lagos (the principal city and former capital of Nigeria, the city that most of these lowlifes call home). Some time later, after a clearing process that could take days or even weeks, and well after the crook has already made his bucks out of the deal, you will get a chargeback from the bank that issued the credit card. That means that the money they put into your account at the time of sale will be unceremoniously yanked back out again, probably along with chargeback fees. So, you are left with no goods, and no money.
Like the 419 perps. the credit-card scammers all seem to rely upon a template or cook-book approch to creating their mailings. The many, many messages of this sort that I’ve received all seem to adhere more or less closely to a formula:
- The crook may give you a phony-sounding English-language name (in this case, “Mrs. Henry Jane”). Often, it will be a different name from those given elsewhere in the message (as is the case here, with both “Sarah Matt” and “Sarah Mart”).
- He may claim to be buying on behalf of a retail shop, probably also with a phony-sounding name. (Here’s a big fat clue: serious retailers don’t usually buy stock from other retailers, they buy from distributors or wholesalers).
- He indicates that he wants to buy something, but most often omits to mention what. He seems to be particularly absent-minded, since he also often asks you to include your
website URL in your reply so he can surf over and make his selection (pretty suspicious if he’s got your e-mail address and knows you’re selling stuff, he certainly ought to have been to your site previously).
- He states that the goods must be shipped to Lagos, and even identifies the express services he wants you to use. They’re always express services, too, since he depends upon getting the goods quickly before the chargeback hits. He’s not worried about the high extra cost of such shipping after all, it really isn’t costing him anything if he does it right.
- He offers payment via credit card; in fact, he usually names a couple different kinds of card (“. VISA, MASTERCARD, OR AMEX CARD” as above), which again is pretty suspicious. And, in any case, retailers don’t usually use credit cards to purchase inventory they either pay cash or apply for short-term (30-day) credit directly from the wholesaler.
- These messages are usually written in the same rather odd and stilted version of English that we also see in the 419 e-mails (e.g. “I was opportuned to visit your website. ”).
So, what should you do about these messages?
It’s perfectly OK to ignore them, although one internet merchant actually likes to string the crooks along (“. sorry, there was a problem with the card number you gave me. ”), getting them to send him more and more credit card numbers that he then reports to the bank as having been stolen.
You are also entitled to report them to the providers involved. These are actually easier (in some respects) to trace and report than the average spam, since there’s seldom any header forgery.
- In the case above, we see that the message came from 188.8.131.52. which checks out against the HELO host name ( web33713.mail.mud.yahoo.com ) provided in the same line. We can conclude that the message was sent via Yahoo web mail (most of these messages seem to come by way of one free-mail service or another). A whois lookup to whois.abuse.net yields firstname.lastname@example.org as an abuse contact. Since the crook requires a response by return e-mail, we can assume that the return address email@example.com is valid (or, at least, was valid when the message was sent); you will also want to mention such addresses in your reports so they can be shut down. Occasionally, the perp may give you an address with a service other than the one he used to send the mail; you’ll also use whois to find the abuse contacts for these addresses, and copy the report to them. Again, you should be sure to include the complete message (including all the headers) in your report.
- Tracing the mail back to its actual origin (i.e. the IP address in Nigeria from which the crook contacted the webmail service to compose and send the message) can be difficult. Messages that are originated on webmail sites won’t have an “official” SMTP routing record for the transfer from the user’s computer to the webmail host. Many providers will sometimes include a “doctored” header line that contains this information, but it may not be in a standardized format, and may not be trustworthy. In any case, I suspect that making a complaint about fraud mail to a Nigerian internet café may be a bit like lobbying for a no-smoking area in a cigarette factory.
Whatever you do, you obviously do not want to fill any orders from such a buyer, at least not on his terms. If someone presents a credit card for a suspicious-looking transaction, you are free to ask the buyer to provide all information on the card (including the expiration date, the security code, and the name of the bank issuing the card). If you have an automated order system, you’ll want to make sure that it collects the security code from the card along with the card number (the crook won’t know the security code if he doesn’t actually have the card in his hand). Finally, you might simply want to make it a policy not to accept credit card ordersand perhaps even wire transfersfrom Nigeria (or certain other countries where this scam is rampant), instead requiring more secure forms of advance payment.