This is a brief history of a scammer hunt that I conducted today with my buddy from work.
At 9:24 AM we received an alert from our secretary's boss that someone had sent her a very strange e-mail. This is the message content (written in Polish), followed by my translation:
From: A****** M******* [mailto:firstname.lastname@example.org] Sent: Monday, May 22, 2017 9:24 AM To: Company name Subject: Saldo konta. Ile pieniędzy mamy na naszym koncie euro? A****** M*******. Wysłane z mojego iphone'a.
From: A****** M******* [mailto:email@example.com] Sent: Monday, May 22, 2017 9:24 AM To: Company name Subject: Account balance. How much money do we have in our euro account? A****** M*******. Sent from iphone.
It looks quite convincing: the Polish is correct and the sender name really is the director of our institution. Only the e-mail address alerted our cautious secretary.
We quickly decided to set some bait, so we answered the scammer from the mailbox of our beloved, non-existent accountant Jan Kowalski (the Polish equivalent of John Doe).
From now on I'll translate the messages into English directly, to avoid repeating them.
Hello, We have 33.485 thousand Euro on our sub account. Sincerely, Jan Kowalski Specialist Accountancy Company name 00-000 Warsaw tel. xxx
OK, please send express payment and let me know when you finish. This is urgent. I'll send documentation later. Recipient: LINDA ESSANDOH Beneficiary Bank: SANTANDER Iban: GB59ABBY09012747877403 Bic: ABBYGB3EXXX Address: 201-205 OXFORD ST SOHO LONDON W1D 2HW Ref: DMKTRETSTR7 Title: Great branded acquisitions. 22.240 Euro Please let me know when you finish. A****** M*******. Sent from iphone.
At that moment we decided that we needed to buy some time, so we asked him to send us a PDF invoice. He replied that he was in some important meetings and didn't have time, so we should send him the money immediately 🙂
We started pretending that we really wanted to transfer the money to him.
He had forgotten to tell us the amount, so we asked him. We also decided to spread a little FUD:
Of course, Mrs. Director. We'll send the money immediately. I just want to remind you that if we don't receive the documentation within 24 h, the transfer will be cancelled; the IT department has set a limit on the currency account. I can ask them to disable it this time. How much money do you want?
He is definitely a considerate scammer, so he decided not to take all our money:
The amount is 22.240 EUR. I want an express transfer and I want to get that money today.
We replied that we needed to inform the IT department about that, and he simply answered that we should reply to him when we finished 🙂 He is quite a brave chap! The IT guys don't scare him!
Finally, after a few minutes, we informed him that the transfer should reach his bank in a moment. He started pushing us to send him a confirmation in PDF format.
Did you send it? Please attach the confirmation and send it to this e-mail: firstname.lastname@example.org A****** M*******. Sent from iphone.
We had already reported his first e-mail address to AOL. Unfortunately Comcast has a moronic reporting policy and they bounced us off "due to not providing enough information". I gave them the e-mail headers and the context… I don't know what more they need.
We finally decided to try to get his real IP address by sending him the confirmation as a link rather than as an e-mail attachment. He did not take the bait and started pressing us to send him a file once again. After we replied with the URL once more, he simply replied:
For the first time in English 🙂, and he appreciated our efforts to troll him!
As the icing on the cake, we sent him this:
- The first e-mail originated from email@example.com (reported to AOL)
- The sender used IP 220.127.116.11 (reported to the owner), which belongs to United Kingdom London Digital Energy Technologies Chile Spa; this company has a division called Host1Plus (which provides cloud-based virtual servers; I believe the scammer used one of their machines, maybe on a 14-day trial or something like that).
- IBAN GB59ABBY09012747877403 is valid; it belongs to Santander UK (already reported to the bank).
- The second e-mail address is firstname.lastname@example.org (we couldn't report it because Comcast's support system sucks)
- The attacker probably used a German e-mail client or the German version of AOL, because this showed up in his e-mail:
-----Ursprüngliche Mitteilung----- Von: Jan Kowalski <***@****> An: A***** M****** Verschickt: Mo, 22. Mai 2017 2:52 Betreff: ODP: ODP: ODP: ODP: Saldo konta.
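Two of the checks in that list can be automated before anyone touches a payment: the IBAN's ISO 7064 mod-97 checksum, and whether the supplied BIC agrees with the IBAN's bank code and country. The Python below is an added example, not code from the original post; the IBAN and BIC are the ones quoted in the scammer's message, and the bank-code position assumes the UK IBAN layout.

```python
import re
import string

# Sample values constructed from the payment details quoted in the scam e-mail.
SCAM_IBAN = "GB59ABBY09012747877403"
SCAM_BIC = "ABBYGB3EXXX"


def _clean(value):
    return re.sub(r"\s+", "", value).upper()


def iban_checksum_ok(iban):
    """ISO 7064 mod-97-10: move the first four characters to the end, replace
    letters with A=10 ... Z=35, and the resulting integer must be 1 mod 97."""
    iban = _clean(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(
        str(string.ascii_uppercase.index(c) + 10) if c.isalpha() else c
        for c in rearranged
    )
    return int(digits) % 97 == 1


def uk_iban_bank_code(iban):
    """UK layout (22 chars): GB kk BBBB ssssss aaaaaaaa, where BBBB is the
    bank code, ssssss the sort code and aaaaaaaa the account number.
    Other countries place the bank identifier differently, so return None."""
    iban = _clean(iban)
    if not iban.startswith("GB") or len(iban) != 22:
        return None
    return iban[4:8]


def bic_matches_iban(bic, iban):
    """The first four BIC characters are the institution code and the next two
    the ISO country code; both must agree with the IBAN the sender supplied."""
    bic = _clean(bic)
    if not re.fullmatch(r"[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}([A-Z0-9]{3})?", bic):
        return False
    iban = _clean(iban)
    return bic[:4] == uk_iban_bank_code(iban) and bic[4:6] == iban[:2]


if __name__ == "__main__":
    print("IBAN checksum valid:", iban_checksum_ok(SCAM_IBAN))
    print("BIC consistent with IBAN:", bic_matches_iban(SCAM_BIC, SCAM_IBAN))
```

A passing check only says the account details are well-formed and self-consistent, which is exactly what this scammer's were; it does not say the payee is who the e-mail claims.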
Why should we all troll scammers?
You can get some additional information, report it, and save someone less technically proficient. Besides that, it's simply fun 🙂 This poor douchebag lost some of his precious time (time is money, they say).
Thanks to Adrian “Ginger” L. for helping me with this.
* Sorry for my English, I’m not a native speaker. Writing is my way to improve 🙂