You can't get the staff – Social engineering

Sometimes I like to talk about software engineering but today I would like to ramble on about a different subject: Social engineering.

Social engineering is a common technique for getting malware onto systems and, of course, for phishing. The “419 scam” (named after the section of the Nigerian penal code which addresses fraud schemes) is the best known, but it is widely practised in all parts of the world and not just in internet cafés in Lagos. I would like to look at one that I received only this morning:

“CONTACT OUR FIDUCIARY AGENT !!!

UK NATIONAL LOTTERY
Support Center
Bevan House
51 Bevan Avenue
Conwy LL28 5AF
United Kingdom.
 
DEAR WINNER,
We are pleased to inform you of the announcement today,22th October 2007, of winners of the UK NATIONAL LOTTERY, Held on 24th October 2007 in Croydon,London.Your email address was attached to ticket number 023-0148-790-459, with serial number 5063-11 drew the lucky numbers 43-11-44-37-10-43, and consequently Won you the lottery in the 3rd category.You have therefore been approved for a lump sum pay Of £500,000.00 Great British Pounds(GBP) in cash credited to file REF NO. UKNL/26510460037/07. This is from total prize money Of £2,000,000.00 Great British Pounds(GBP) shared among the four International winners in this category.
To file for your claim, please contact our fiduciary Agent;
 
Mr DAVID WALTER.
#999 Edgware Road,
London W2 1EY
United Kingdom.
Email: claimsagent907@yahoo.co.uk
TELEPHONE: +447xxxxxxxxxx    
 .
Sincerely,
Dr paul white
Zonal Co-ordinator”

Ok, the title is odd. Who would naturally title such a mail using the word “FIDUCIARY”? Also, as a quick credibility check, why would a fiduciary officer (a much glorified accountant and financial controller) handle claims when a lottery operator has a claims department? So, that doesn’t seem right.

That Conwy address has been used in at least a dozen other scams. How hard would it be to find another address? Sloppy work. A moment of research and this mail is blown sky high.

Hmm… they know my email address but not my name? They can’t even guess? Not from Mark.Long@Microsoft.com? I know that giving out my email address like that will probably harvest spam, but that is OK :-) It will go with the rest.

They announced the result of the draw of the 24th back on the 22nd? Sounds crooked to me.

Grammar alert! My email address drew the lucky numbers? All by itself? How clever is that?

The lucky numbers include two “43”s – I am no expert, but don’t the numbers have to be unique? How would you tick 43 on the form twice?

“and consequently Won you the lottery in the 3rd category” – uh, pardon? 3rd Category? And why is there a capital “W”?

Observe the sequence of random numbers and letters. The intent is to seem very specific. So, they don’t know my name but they have the number of the ticket and the serial number of the ticket? Not convinced.

“This is from total prize money Of £2,000,000.00 Great British Pounds(GBP) shared among the four International winners in this category.” – the strange capitalisation continues. International winners? I am not that international, being snug and safe here in Reading. The national lottery is not the international lottery in any case. Additionally, what are the odds of the totals and the share being such round numbers?

A # before the street number? That is an American convention, not used here in Blighty.

What is the second address for? Am I supposed to write to both of them? Edgware Road? Really? For those not from these shores, Edgware Road is a well known London street, equally known for its underground station (one of the 7/7 bombing sites), and it links Marble Arch and Edgware. The street number given was actually that of a rather good Middle Eastern restaurant, but I don’t think that is significant.

The email address is at Yahoo.co.uk? And this guy has at least 906 colleagues? Do Camelot (who run the lottery) use free email accounts these days? It must be because of the 906 people giving away all of the money. These mails normally have a free email account associated with them, and it is normally different from the email address in the mail header – it was in this case too. Watch out for

Of course, they might need to use free email accounts because they have a PhD writing their mails. That can’t be cheap. Possibly his degree is in poetry, specialising in e. e. cummings, since they seem to have the same approach to capitalisation. Another expense must be the mobile phone number given – a UK number starting +44 7 (07 when dialled domestically) is a mobile (cell) phone.
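As an added example (not code from the original post), here is a small Python scorer for the indicators picked out above: a claims contact at a free webmail domain that differs from the header sender (the point of the last two paragraphs), the repeated lucky number, and an announcement dated before the draw it announces. The message it checks is constructed from the scam quoted above; the From and Reply-To headers, the example.org sender domain and the list of free webmail domains are assumptions, since the post does not reproduce the mail headers.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr

# Illustrative list of free webmail providers (assumption); extend for real use.
FREE_WEBMAIL = {"yahoo.co.uk", "yahoo.com", "hotmail.com", "gmail.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Day, month name, year; the ordinal suffix is optional and may be wrong ("22th").
DATE_RE = r"(\d{1,2})(?:st|nd|rd|th)?\s+([A-Za-z]+)\s+(\d{4})"
ANNOUNCED_RE = re.compile(r"announcement today,?\s*" + DATE_RE, re.IGNORECASE)
HELD_RE = re.compile(r"held on\s+" + DATE_RE, re.IGNORECASE)
NUMBERS_RE = re.compile(r"lucky numbers\s+((?:\d+-)+\d+)", re.IGNORECASE)

# Constructed message: the body echoes the scam quoted in the post; the From and
# Reply-To headers are assumed, since the post does not reproduce them.
SCAM = """\
From: UK NATIONAL LOTTERY <support@example.org>
Reply-To: claimsagent907@yahoo.co.uk
Subject: CONTACT OUR FIDUCIARY AGENT !!!

DEAR WINNER,
We are pleased to inform you of the announcement today,22th October 2007, of
winners of the UK NATIONAL LOTTERY, Held on 24th October 2007 in Croydon,London.
Your email address was attached to ticket number 023-0148-790-459, with serial
number 5063-11 drew the lucky numbers 43-11-44-37-10-43.
To file for your claim, please contact our fiduciary Agent;
Email: claimsagent907@yahoo.co.uk
"""

# Constructed control message with none of the indicators.
CLEAN = """\
From: Alice <alice@example.org>
Reply-To: alice@example.org
Subject: lunch on Wednesday

See you at 12:30 on 24th October 2007.
"""


def parse_date(match):
    """Turn a DATE_RE match into a datetime, or None if the month name is bogus."""
    day, month, year = match.groups()
    try:
        return datetime.strptime(f"{day} {month} {year}", "%d %B %Y")
    except ValueError:
        return None


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def indicators(raw):
    """Return the red flags found in one raw RFC 2822 message (plain-text body assumed)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []

    # 1. Replies go somewhere other than the claimed sender's domain.
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    # 2. The claims contact (in the body or the Reply-To) sits at a free webmail provider.
    contacts = {a.lower() for a in EMAIL_RE.findall(body)}
    contacts.update(a.lower() for a in EMAIL_RE.findall(msg.get("Reply-To", "")))
    for addr in sorted(contacts):
        if addr.rpartition("@")[2] in FREE_WEBMAIL:
            flags.append(f"contact address {addr} is at a free webmail provider")

    # 3. A draw is without replacement, so a repeated number is impossible.
    m = NUMBERS_RE.search(body)
    if m:
        nums = [int(n) for n in m.group(1).split("-")]
        dupes = sorted({n for n in nums if nums.count(n) > 1})
        if dupes:
            flags.append(f"lucky numbers repeat {dupes}")

    # 4. Results announced before the draw they belong to.
    announced, held = ANNOUNCED_RE.search(body), HELD_RE.search(body)
    if announced and held:
        a, h = parse_date(announced), parse_date(held)
        if a and h and a < h:
            flags.append(f"announced {a:%d %b %Y}, before the draw on {h:%d %b %Y}")

    return flags


if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("clean", CLEAN)):
        found = indicators(raw)
        print(f"{name}: {len(found)} indicator(s)")
        for flag in found:
            print("  -", flag)
```

None of these checks is proof on its own (a legitimate sender can set a Reply-To elsewhere), which is why the scorer returns the list of flags rather than a verdict; the scam above trips all four, the control message trips none.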

Zonal? If our friend, claims agent 907, is a zonal co-ordinator, how many zones do they have?

Really. C-, must try harder.

So, this was a very unremarkable bit of phishing spam. Next time, I will be looking at some of the mails used to spread the Storm Trojan, which is often incorrectly called the Storm Worm. It isn’t a worm, although it does use spam as part of its attempts to enlarge the botnet.

Oh, on a final note, I am looking at a cube note (a bit of paper dropped on my desk) claiming that an AI called Testaccount23 has escaped and is living at http://test23account.spaces.live.com – I smell a viral campaign. However, I am not sure that is within my remit :-)

Signing off

Mark