Inside a 419 scam site
10th May, 2010
Most of us have received a 419 scam in our mailbox at some time or another. Forming part of what is also known as an advance-fee fraud, these emails typically ask the recipient for their help in transferring a large amount of money from a foreign bank account. In return for their assistance, the recipient is purportedly allowed to keep a significant cut of the proceeds.
There are often some inventive background stories behind the origin of monies — some may involve a government or bank employee who is aware of a large amount of unclaimed money that they themselves cannot access directly. Other common ruses are wealthy foreigners dying in a plane crash shortly after depositing lots of money in a bank, or even a dictator who has built up a fortune in stolen assets.
Most of us are wise enough to ignore these emails; indeed, many are filtered away as spam before they even get a chance to be read. But what happens when someone falls for this first part of a 419 scam? After the victim responds to the fraudster, how does he prove that the money really exists?
In the case of the fictitious bank employee and his bank's unclaimed fortune, one obvious 'proof' is to supply the unwitting victim with the online banking username and password. The victim can then log in to the online banking site and verify that there is, apparently, a lot of money in the pot.
Of course, the online banking site is entirely fake and does not contain any real money; nor does it really allow the money to be transfered to other bank accounts.
A closer look at a real scam site
Every now and then, we stumble upon a scam site that reveals more information than the fraudster intended. Sometimes this is caused by a configuration oversight, but more often than not, this is simply caused by limitations in the free hosting platform or compromised web space selected by the fraudster.
The Asterx Standard Bank is well documented as a 419 scam site. One of its many instantiations was placed onto a free 50webs hosting account, but the fraudster forgot to create an index page. If it wasn't already obvious from the poor web design effort, this makes it rather obvious that the site is fake:
Each webpage on this 419 site is a static HTML file, several of which display fake account details. None of these pages requires authentication, which is clearly something to be suspicious of.
This is the page that the fraudster really wanted you to see, of course:
To add a bit of credibility to the fake login page, it even produces a popup window, warning the victim about identify theft:
After logging in with the top-secret credentials supplied to you by the fraudster (which are of course unnecessary — any username and password will let you in), the account status page shows that the bank account does indeed contain a very healthy balance! Also note the unauthorised use of the VeriSign logo, in an attempt to add some further credibility to the fraudulent site:
By this stage, the fraudster hopes you'll be totally convinced that the money is real. Perhaps convinced enough to transfer the money to your own bank account within 24 hours:
Naturally, transferring such a large amount of money can take a while. This is an ideal moment to slip in a progress bar:
Even the most gullible victim would probably wait for the money to arrive in their account before forwarding a percentage of it on to the fraudster, so how does the fraudster expect to make money?
The fake online banking application informs the victim that the account is on "de-active" mode, and a "Presidential Clean Source of Funds Clearance" is required in order to reactivate the account and have full access to transfer funds:
Undoubtedly, the fraudster will be able to offer the necessary funds clearance document — in exchange for an advance fee, of course. Although this fee may seem very small in comparison to the 8 million dollars at stake, the prospect of getting access to those 8 million dollars could very well blinker a victim into going along with the whole implausible scheme. This is likely to result in the loss of their advance fee, and perhaps anything else the fraudster can coax out of them.