Hacker Troll

Hunt for scammer

This is a brief history of scammer hunt that I’ve conducted today with my buddy from work.

At 9:24 AM we received an alert from our secretary's boss that someone had sent her a very strange e-mail. This is the message content (written in Polish):

From: A****** M******* [mailto:[email protected]] 
Sent: Monday, May 22, 2017 9:24 AM
To: Company name
Subject: Saldo konta.

Ile pieniędzy mamy na naszym koncie euro?


A****** M*******.
Wysłane z mojego iphone'a.

English translation:

From: A****** M******* [mailto:[email protected]] 
Sent: Monday, May 22, 2017 9:24 AM
To: Company name
Subject: Account balance.

How much money do we have in our euro account?


A****** M*******.
Sent from my iPhone.

It looks quite convincing. The Polish is correct, and the sender's name really is that of the director of our institution. Only the e-mail address alerted our cautious secretary.

Act one

We quickly decided to set a bait. So we answered the scammer from the e-mail account of our beloved, non-existent accountant Jan Kowalski (the Polish equivalent of John Doe).

From now on, I'll translate into English on the fly to cut redundancy.

Hello,
We have 33.485 thousand Euro on our sub account.

Sincerely,
Jan Kowalski
 
Specialist
Accountancy
 
Company name
00-000 Warsaw
tel. xxx

Scammer response:

OK, please send express payment and let me know when you finish. This is urgent. I'll send documentation later.

Recipient: LINDA ESSANDOH
Beneficiary Bank: SANTANDER
IBAN: GB59ABBY09012747877403
BIC: ABBYGB3EXXX
Address: 201-205 OXFORD ST SOHO LONDON W1D 2HW
Ref: DMKTRETSTR7
Title: Great branded acquisitions.
22.240 Euro

Please let me know when you finish.


A****** M*******.
Sent from my iPhone.

At that moment we decided that we needed to buy some time, so we asked him to send us a PDF invoice. He replied that he was in some important meetings and didn't have time, so we should send him the money immediately 🙂

Act two

We started to pretend that we really wanted to transfer the money to him. He forgot to give us the amount, so we asked him. We also decided to spread a little FUD:

Of course Mrs. Director. We'll send you money immediately.

I just want to remind you that if we don't get the documentation within 24 h, the transfer will be cancelled - the IT department has set a limit on the currency account. I can ask them to disable it this time.

How much money do you want?

He is definitely a nice scammer, so he decided not to take all our money:

The amount is 22.240 EUR, I want an express transfer and I want to get that money today.

We replied that we needed to inform the IT department about that, and he simply answered that we should reply to him when we had finished 🙂 He is quite a brave chap! IT guys don't scare him!

Act three

Finally, after a few minutes, we informed him that the transfer should reach his bank in a moment. He started pushing us to send him the confirmation in PDF format.

Did you send it? Please attach confirmation and send it to this e-mail.

[email protected]

A****** M*******.
Sent from my iPhone.

We had already reported his first e-mail address to AOL. Unfortunately, Comcast has a moronic reporting policy and they bounced us off “due to not providing enough information”. I gave them the e-mail headers and context… I don't know what more they need.

We finally decided to try to get his real IP address by sending him the confirmation as a link rather than an e-mail attachment. He did not take the bait and started pressing us to send him a file once again. After we replied with the URL once more, he simply wrote:

Crafty.

For the first time in English 🙂 and he appreciated our efforts to troll him!

As the icing on the cake, we sent him this:

Jan Kowalski - IT Department at your service!

Technical data

  • The first e-mail originated from [email protected] (reported to AOL).
  • The sender used IP 191.101.59.9 (reported to the owner), which belongs to Digital Energy Technologies Chile SpA (London, United Kingdom). This company has a division called Host1Plus, which provides cloud-based virtual servers; I believe the scammer used one of their machines, maybe on a 14-day trial or something like that.
  • IBAN GB59ABBY09012747877403 is valid; it belongs to Santander UK (already reported to the bank).
  • The second e-mail address is [email protected] (we couldn't report it because Comcast's support system sucks).
  • The attacker probably used a German e-mail client or the German version of AOL, because this showed up in his e-mail:
    -----Ursprüngliche Mitteilung----- 
    Von: Jan Kowalski <***@****>
    An: A***** M******
    Verschickt: Mo, 22. Mai 2017 2:52
    Betreff: ODP: ODP: ODP: ODP: Saldo konta.
    
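Two checks from the technical data above, written out as an added example that is not part of the original post: the ISO 7064 mod-97 test that confirms the quoted IBAN is well-formed, and the display-name versus sender-domain mismatch that tipped off the secretary. The executive name, company domain and sample From header are constructed assumptions, since the real ones are redacted.

```python
# Added example (not code from the original post): two triage checks a defender
# can run on a suspected CEO-fraud e-mail like the one described above.
# 1. Does the IBAN in the payment request pass the ISO 7064 mod-97 check?
# 2. Does the From header pair an executive's display name with an address
#    outside the company's own domain (here a free-mail provider)?
# Executive name, company domain and free-mail list are constructed assumptions.
import re
from email.utils import parseaddr

# Expected IBAN lengths (ISO 13616) for a few countries; GB is the one in the post.
IBAN_LENGTHS = {"GB": 22, "DE": 22, "PL": 28, "ES": 24, "FR": 27}


def iban_is_valid(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map A-Z to
    10-35, and the resulting integer must leave remainder 1 when divided by 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    expected = IBAN_LENGTHS.get(s[:2])
    if expected is not None and len(s) != expected:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)  # '0'-'9' stay, 'A'->'10'
    return int(digits) % 97 == 1


# Free-mail domains seen in the post; a constructed, non-exhaustive list.
FREE_MAIL = {"aol.com", "comcast.net", "gmail.com", "outlook.com", "yahoo.com"}


def from_header_suspicious(from_header: str, exec_names, company_domain: str) -> bool:
    """True when the display name matches a known executive but the address is
    not on the company's own domain (the pattern that alerted the secretary)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    impersonates = name.strip().lower() in {n.lower() for n in exec_names}
    return impersonates and domain != company_domain.lower()


def is_free_mail(from_header: str) -> bool:
    """Secondary signal: the sender address lives on a free-mail provider."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower() in FREE_MAIL


if __name__ == "__main__":
    sample_from = '"Anna Director" <anna.director@aol.com>'  # constructed sample
    print("IBAN from the post valid:", iban_is_valid("GB59ABBY09012747877403"))
    print("From header suspicious:",
          from_header_suspicious(sample_from, {"Anna Director"}, "company.pl"),
          "free-mail:", is_free_mail(sample_from))
```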

Why should we all troll scammers?

You can gather some additional information, report it, and maybe save someone less technically savvy. Besides that, it's simply fun 🙂 This poor douchebag lost some of his precious time (time is money, they say).

Thanks to Adrian “Ginger” L. for helping me with this. 

* Sorry for my English, I’m not a native speaker. Writing is my way to improve 🙂

Published by

Konrad Fedorczyk

I'm interested in programming and gamedev. I especially luv HTML5 and everything connected to web technologies.
