Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Investigating fraudulent email and another Nigerian scam twist SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Investigating fraudulent email and another Nigerian scam twist

"THOSE PEOPLE YOU ARE DEALING WITH ARE FAKE." So starts the Nigerian-style scam email submitted to us by Daniel Sefton. In such schemes, the sender attempts to swindle the recipient out of money, often by convincing the victim to pay some fee to transfer a prize, an inheritance sum, or money from another unexpected source.

Contents the Fraudulent Email

The message we received offers an interesting twist on the scam by warning the recipient to be careful when receiving such messages. The email claims to come from Susan Walter, a US citizen living in Texas. "Susan" writes, "I am one of those that executed a contract in Nigeria years ago and they refused to pay me, I had paid over $70,000 trying to get my payment all to no avail."

The message explains how "Susan" traveled to Nigeria in an attempt to collect the funds owed to her. There, she met with Barr. Mat Oto, a "member of CONTRACT AWARD COMMITTEE." He then "took me to the paying bank, which is Zenith Bank, and I am the happiest woman on this earth because I have received my contract funds of $4.2Million USD."

"Susan" also explains that she saw documents that listed the recipient of her email as a victim of such a fraud. She advises the recipient to contact Barr. Mat Oto via the supplied contact details. This will allow the recipient to retrieve the money that might be owed to him or her, at the mere cost of $1,200 payable to the Internal Revenue Service (IRS).

A web search revealed that such messages began circulating in late April, 2008. April's message I encountered used a specified a different name for the helpful Nigerian official, "Barrister Afam Richardson Esq," and used the subject "Your happiness is my concern." A message sent in May used "Susan Walter" as a sender. One specified the amount paid to IRS as $980; another as $1,200.

Investigating Fraudulent Messages

If you receive a suspicious message, consider searching for its elements on This website archives and indexes spam messages of fraudulent nature. The most interesting feature of the site is the correlation it performs across contact details specified in the messages, such as names, email addresses, and phone numbers. This helps you find related messages to understand the scope and history of the scam.

Consider the diagram the website generated for "Susan's" message described above:

The diagram on the website is clickable. Clicking on "Susan's" email address brought me to a page that showed a related message and additional elements worth investigating:

Very handy!

Do you have your favorite tools or websites for investigating fraudulent emails? Let us know, and we'll share your tips with our readers.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.



216 Posts
Jun 5th 2008

Sign Up for Free or Log In to start participating in the conversation!