Things with "apuranta" started the same way they did with "Larry". He sent me a message a couple of hours before "Larry" and I replied with the same email. You can likely see where this is going by now, but this guy put a bit more effort into it.

So, "apuranta" sent me a message saying:

Hello, Do you still have the item for sale? so contact me via my mail kulla.gross209@gmail.com

Again, the same weirdness in grasping the concept of an auction site. I later noticed that the username had quite likely been hijacked, as it had been inactive for a year before this, and all the auction feedback was written in Finnish. I doubt someone who is fluent in Finnish would correspond with me in English and present himself as "Kulla Gross" from Madrid.

I want you to get back to me with the total price of the item plus shipping cost of the item through EMS SPEED POST to Madrid in SPAIN.

I will be expecting from you.

Expecting what from me? Anyway, "Larry" had already offered the 350 GBP at this point, so I replied with:

Hi,

I have been offered 420 euros for the phone, although that is not confirmed at the moment, so you would have to top that. This is an auction after all. Shipping costs look like 12,30e as a priority letter, EMS is more than 50 euros, but not any faster.

And "Kulla" replied back:

Ok, i will pay you 450 eur for the phone and i will pay 13 eur for the
shipment of the phone so i will pay you 463 eur for the phone and the
shipping cost.

Send me your bank details to make your payment.

Holders Name
Account Number
Iban
Bic
Bank Name

Below is the shipping address in Spain.

Martin Preye Angel.
PASEO DE VIGO, NO 8 2C
FUENLABRADA,28942
MADRID, SPAIN.

Seems familiar, doesn't it? And what's with this "Martin Preye Angel" person? I thought he was "Kulla Gross"... No phone number this time, though. As with "Larry", I wanted to see how far this would go and replied (account details omitted):

Sounds reasonable. I shall be requiring the funds in beforehand (as COD is not possible outside Finland), and will make the shipment once they have been received. If this is ok with you, please place a bid of 450 euros on the auction site so that all goes by the book. I will then end the auction once the bid is in.

SEPA-payment should take 2-3 days and the shipping takes 3 days, so you should receive the phone early next week if all goes well.

And soon "Kulla" told me he would make the payment "asap". Right. This is where the effort comes in. Soon after "Kulla"'s promise of payment, I received two emails from "Colony Bank". I tried to export them in some reasonable format for this blog, but HTML-emails are apparently a bitch to work with... Here is a screen capture of the first one (click it to see it in full):

You can't see it from the still pic, but the bars under the Colony Bank logos are gif animations of falling dollar bills. Nice touch. Here are (slightly obfuscated) pdf-conversions of the first and second email so you can read the whole text.

Now there's so many things wrong with these emails, that I don't even know where to begin... (All-caps subject is never a good sign, by the way.) First off, the language has a lot of mistakes and phrases that simply aren't used in this kind of correspondence. It's basically the same stuff you see in the so-called Nigerian letters all the time, so I won't go deeper into that. Also the gif animations and three logos in a row is just plain stupid.

On a factual level, why would an American bank handle transactions in Europe? And why would they use "Euro" instead of "EUR"? Banks are very fond of currency abbreviations, you know. Well, I know it's possible, but still quite unlikely.

But the total failure comes with the email address. colonybank.compliance@accountant.com? Why would a bank use some other domain name than their own? Oh, come on. Just take a look at accountant.com and you'll see why things aren't looking very good at this point. And I haven't even dug deeper yet.

Looking at the source code of these HTML-monstrosities reveals the final evidence against the authenticity of the emails. The SMTP headers show the emails were actually sent from Yahoo! webmail, which I doubt any bank would do, especially as these are supposedly automated messages. Here are a couple of excerpts of the headers:

X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 743359.98694.bm@omp107.mail.gq1.yahoo.com
Received: (qmail 44122 invoked by uid 60001); 28 Jul 2009 13:47:59 -0000
Message-ID: <539930.42657.qm@web112219.mail.gq1.yahoo.com>
X-RocketYMMF: serena_jones1970
X-Mailer: YahooMailClassic/6.0.19 YahooMailWebService/0.7.338.1

The X-RocketYMMF-field apparently is the Yahoo! username used while sending the email. Another hijacked account or just a fake one? Doesn't really matter at this point. Looking at the HTML source code itself reveals more Yahoo!-stuff, as the email addresses are actually mail.yahoo.com-links. You can see the URLs on the pdf-files.
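
The header check described above can be scripted. The following Python sketch is an added example, not part of the original post: it parses the quoted headers and lists where they contradict the claimed sender. The From display name and the placeholder bank domain colonybank.example are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header lines quoted in the post, plus a From line
# built from the address the post mentions. The display name is an assumption.
SAMPLE = """\
From: Colony Bank <colonybank.compliance@accountant.com>
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 743359.98694.bm@omp107.mail.gq1.yahoo.com
Received: (qmail 44122 invoked by uid 60001); 28 Jul 2009 13:47:59 -0000
Message-ID: <539930.42657.qm@web112219.mail.gq1.yahoo.com>
X-RocketYMMF: serena_jones1970
X-Mailer: YahooMailClassic/6.0.19 YahooMailWebService/0.7.338.1

(body omitted)
"""

def domain_of(value):
    """Return the lower-cased part after the last '@', or '' if none."""
    return value.rsplit("@", 1)[1].strip("<> \t").lower() if "@" in value else ""

def same_org(a, b):
    """True when one domain equals, or is a subdomain of, the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def header_findings(raw, claimed_domain):
    """List mismatches between the claimed sender and the message headers."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    if not same_org(from_dom, claimed_domain):
        findings.append(f"From domain {from_dom!r} is not {claimed_domain!r}")
    mid_dom = domain_of(msg.get("Message-ID", ""))
    if not same_org(mid_dom, from_dom):
        findings.append(f"Message-ID minted at {mid_dom!r}, not {from_dom!r}")
    if "yahoomail" in msg.get("X-Mailer", "").lower():
        findings.append("X-Mailer names an interactive webmail client")
    vendor = sorted(k for k in msg.keys() if k.lower().startswith(("x-yahoo-", "x-rocket")))
    if vendor:
        findings.append("provider-specific headers: " + ", ".join(vendor))
    return findings

if __name__ == "__main__":
    # colonybank.example is a placeholder for the bank's real domain (assumption).
    for line in header_findings(SAMPLE, "colonybank.example"):
        print("-", line)
```

No single finding is proof on its own; a Message-ID domain that differs from the From domain, for instance, is common with legitimate bulk-mail providers. It is the combination with a freemail From address and a webmail X-Mailer that matters here.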

"Kulla" contacted me later as I didn't react to the fake Colony Bank emails. Needless to say, I wasn't feeling very co-operative at that point.

A couple of days later the fraudulent nature of the emails was confirmed by Colony Bank themselves as well. They said they provide no such intermediary service. So, nice try boys. You didn't fool me, but unfortunately I don't think everyone has been as informed as I have. The sad thing is that people really do fall for this kind of activity and I don't think it's likely "Larry" or "Kulla" will ever be caught. Therefore raising awareness is the best course of action here.

Finally, remember the gif-animations of falling dollar bills? Well, they were hotlinked from ameradream.com, a site selling money making courses for 600 USD...
