Today I received an email which was a familiar scam sent from West Africa. I receive literally hundreds of them every day. What made this one different was that it carried a link to a malware site.
Any Windows user foolish enough to click the link and run the executable would get their machine infected with “trojan horse” software that gives outsiders remote access to the computer.
I found five different domains all used to host the same trojan and all the emails to spread them were sent from countries in Africa.
Here is an example:
Dear friend,
I’m Mr. Alfred Kodjo from Lome Togo the only son of late Mr. David Kodjo. My father was poisoned to death on Dec 23, 2005 by his fellow diamond/gold business associate in Accra Ghana.
My father told me my mother suffered high blood pressure and died when I was 3 years old, but now I’m 24 years. In the light of the above, I have contacted you to assist me to transfer out of Togo the sum of $12 million US dollars, which my father deposited in one box as family treasure with a safety company for my future, I would like the fund to get to you so that you safe-keep it for me after which I will come over to your country in due course to live and school. You will invest this money for me in commercial estate or any other business of your choice you deem healthy.
For your effort, I am prepared to give you 20% of the total funds. I am looking forward to hearing from you while thanking you for your anticipated cooperation in this regard.
Please give me also your phone numbers for better communication between us.
Kind Regards,
Mr Alfred Kodjo
just look http://postcardsbargain . com/clip.html
(spaces inserted by me, to make sure it doesn’t show as a clickable link).
The email was sent from an IP address in Togo:
Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com
via HTTP; Tue, 27 Feb 2007 20:29:42 ICT
Date: Tue, 27 Feb 2007 20:29:42 +0700 (ICT)
From: alfred kodjo
Subject: {Spam!} ``Erwin co-operation from Mr. Alfred
To: kodja12@yahoo.co.th
The domain postcardsbargain.com was recently registered:
Domain Name: POSTCARDSBARGAIN.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: MANAGEDNS1.ESTBOXES.COM
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Status: clientTransferProhibited
Updated Date: 13-feb-2007
Creation Date: 13-feb-2007
Expiration Date: 13-feb-2008
Other domains in the same series were bestnetpostcards.com, freewebpostcards.com, ecolorpostcards.com and mailfreepostcards.com, which were also registered through Estdomains. Here are the details for the emails in which they were spotted:
212.60.73.44 (Gambia) – moceesay@hotmail.com: mailfreepostcards.com / show.exe
196.28.250.11 (Nigeria) – mr_ban0x19@hotmail.com: ecolorpostcards.com / winner.html
196.201.156.161 (Kenya) – info_jabrattofood@yahoo.co.uk: freewebpostcards.com / show.exe
196.3.63.252 (Nigeria) – william_franca_fw2@yahoo.com.hk: bestnetpostcards.com / show.exe
80.248.70.177 (Togo) – kodja12@yahoo.co.th: postcardsbargain.com / clip.html
41.243.148.204 (South Africa) – den_ma006@hotmail.com: nuclearworldaction.com / video.html / clip.exe
196.3.63.252 (Nigeria) – annahoffmanhome@yahoo.com: nuclearwarinusa.com / news.html
Malicious programs installed via links in emails can log keyboard input to steal passwords and online banking details. They can also turn your computer into a remote-controlled, spam-sending zombie.
Such programs have been used primarily by Eastern European spam gangs for sending spam and for hosting illegal websites, such as for phishing scams. However, until recently the Nigerian gangs made virtually no use of malware.
A few months ago I started seeing a trend where spam for Nigerian “419” scams sent through webmail services traced back to IP addresses of broadband hosts in North America (bellsouth.net, adelphia.net, cox.net, comcast.net, shaw.ca), which was highly unusual at the time. I was wondering whether the “lads” (Nigerian scammers) were renting botnets from Russian gangs to evade spam filters that were treating West African Internet cafe IP addresses as suspect.
With the latest malware spam from West Africa it appears the cooperation goes much deeper. While it is possible that the malware links were automatically inserted by a very clever trojan running on PCs in Internet cafes, it seems too much of a coincidence that all of the samples we’ve come across so far originated from Africa.
Close cooperation between the manpower of Nigerian and other advance fee fraud gangs and the brains of high-tech crime rings in Eastern Europe is indeed a frightening prospect.
Today I received my first malware spam in this series that wasn’t sent from Africa. It came from an Ameritech DSL IP in the United States and used the domain / URL nuclearworldconflict.com / iran.html
Here are domains from the series, all hosted on the same IP address:
nuclearwarinusa.com A 209.123.8.198
nuclearworldwarsite.com A 209.123.8.198
postcardsbargain.com A 209.123.8.198
nuclearworldaction.com A 209.123.8.198
thenuclearworldwar.com A 209.123.8.198
2007postcards.com A 209.123.8.198
freewebpostcards.com A 209.123.8.198
mailfreepostcards.com A 209.123.8.198
ecolorpostcards.com A 209.123.8.198
bestnetpostcards.com A 209.123.8.198
nuclearworldconflict.com A 209.123.8.198
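The three pivots used above (the originating IP recorded in the webmail Received header, the domain’s whois creation date measured against the date the email was seen, and the set of domains sharing one A record) can be scripted as a triage check for incoming mail. The example below is added here and is not code from the original post; the sample header, message body, whois text and A records are constructed copies of the values quoted in the post, plus one unrelated host (example.invalid) for contrast, and the thresholds (30 days of domain age, three or more co-hosted domains) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed samples, copied from the headers, whois and DNS lines quoted in the post.
RECEIVED_HEADER = ("Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com "
                   "via HTTP; Tue, 27 Feb 2007 20:29:42 ICT")
BODY = "Kind Regards,\nMr Alfred Kodjo\njust look http://postcardsbargain.com/clip.html\n"
WHOIS_BY_DOMAIN = {
    "postcardsbargain.com": ("Domain Name: POSTCARDSBARGAIN.COM\n"
                             "Registrar: ESTDOMAINS, INC.\n"
                             "Creation Date: 13-feb-2007\n"
                             "Expiration Date: 13-feb-2008\n"),
}
A_RECORDS = ("nuclearwarinusa.com A 209.123.8.198\n"
             "postcardsbargain.com A 209.123.8.198\n"
             "freewebpostcards.com A 209.123.8.198\n"
             "bestnetpostcards.com A 209.123.8.198\n"
             "example.invalid A 198.51.100.7\n")  # constructed unrelated host for contrast

RECEIVED_RE = re.compile(r"Received: from \[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?")
DROPPER_EXT = (".exe", ".scr", ".pif", ".com")  # extensions that mean a direct download


def origin_ip(received_header):
    """Return the client IP the webmail server recorded, or None if the header is not in that form."""
    m = RECEIVED_RE.search(received_header)
    return m.group(1) if m else None


def linked_domains(body):
    """Return (domain, path) pairs for every http(s) URL in a message body, domain lower-cased."""
    return [(d.lower(), p or "/") for d, p in URL_RE.findall(body)]


def domain_age_days(whois_text, seen_on):
    """Days between the whois Creation Date (dd-mon-yyyy, as the post shows it) and the sighting date."""
    m = re.search(r"Creation Date:\s*(\d{2}-[A-Za-z]{3}-\d{4})", whois_text)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%d-%b-%Y").date()
    return (seen_on - created).days


def cluster_by_ip(a_records_text):
    """Group domains by the IP their A record points to (the post's pivot onto 209.123.8.198)."""
    clusters = defaultdict(list)
    for line in a_records_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A":
            clusters[parts[2]].append(parts[0].lower())
    return dict(clusters)


def assess(received_header, body, whois_by_domain, a_records_text, seen_on,
           max_age_days=30, min_neighbours=3):
    """Combine the signals into a list of reasons the message deserves a closer look."""
    reasons = []
    clusters = cluster_by_ip(a_records_text)
    domain_to_ip = {d: ip for ip, ds in clusters.items() for d in ds}
    ip = origin_ip(received_header)
    if ip:
        reasons.append(f"webmail origin {ip}")
    for domain, path in linked_domains(body):
        age = domain_age_days(whois_by_domain.get(domain, ""), seen_on)
        if age is not None and age <= max_age_days:
            reasons.append(f"{domain} registered {age} days before sighting")
        if path.lower().endswith(DROPPER_EXT):
            reasons.append(f"{domain}{path} links straight to an executable")
        hosted_with = [d for d in clusters.get(domain_to_ip.get(domain), []) if d != domain]
        if len(hosted_with) >= min_neighbours:
            reasons.append(f"{domain} shares {domain_to_ip[domain]} with {len(hosted_with)} other domains")
    return reasons


if __name__ == "__main__":
    for reason in assess(RECEIVED_HEADER, BODY, WHOIS_BY_DOMAIN, A_RECORDS, date(2007, 2, 27)):
        print(reason)
```

The origin IP alone proves little, since plenty of legitimate mail comes from the same networks; it is the combination of a days-old domain, shared hosting with a cluster of similar domains, and (in several of the samples above) a direct link to show.exe that separates this campaign from ordinary 419 spam, and each of those is a value you can look up before anyone clicks.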
Would you have any clue how to get rid of this virus/trojan?
I’m fearful that the link will be posted without my consent before or after this comment, thus, please do not click on any of the links.
Thanks very much for this information. It was 2 am when I clicked upon a link like this from a stupid friend whose computer is infected… I was on my Mac and was able to stop the download. Your post literally saved me 6 months of work.
It is because you people don’t have anything to do that is why you are interfering in other people’s matters.
Shame on you.
I was sent a confirmation saying I had won 1,000,000.00 dollars from the Australian Lottery: Old Mutual Lottery Organization. The supposed phone number was: 27-73-859-3333. This is all a bunch of crap….