Yahoo: “The CAPTCHA you entered did not match please try again”

Today I tried to report an advance fee scammer in Senegal, West Africa who had sent me a scam email using a Yahoo Mail account. I went to the Yahoo Spam Report form and submitted the mail headers and message text, only to get this error message:

The CAPTCHA you entered did not match please try again

Yes, that was the exact punctuation. The form I had submitted did not have any CAPTCHA test to pass. A quick Google search found others reporting the same problem. It looks like Yahoo broke its abuse report handling, which if they don’t fix it soon will both save them staff costs and make them more popular with scammers.

Haiti disaster attracts Nigerian scammers

It happened after the Indian Ocean tsunami and after Hurricane Katrina. It’s happening again with the earthquake in Haiti, which has killed tens of thousands and left hundreds of thousands injured, homeless, hungry or without medical treatment: scammers in Nigeria and elsewhere are stealing money meant for victims of the disaster.

If you think there is a line that such scammers won’t cross, think again.

Here is an email soliciting donations on behalf of “HAITI CITIZENS LIVING IN THE UNITED KINGDOM” with relatives living in Haiti, but really originating from an IP address in Nigeria, West Africa:

PASTOR JOHN BROMA
HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

DEAR SIR/MADAM

WE ARE HAITI CITIZENS LIVING IN THE UNITED KINGDOM WHOM THEIR FAMILIES
ARE AFFECTED BY THE RECENT EARTQUAKE,WE HAVE BEEN TRYING TO RAISE MONEY
TO HELP THE HAITI CITIZENS WHO ARE WITHOUT FOODS,DRUG AND SHELTER,SO WE
PLEAD THAT YOU SUPPORT US WITH WHAT EVER YOU CAN.

ALL DONATIONS SHOULD BE SEND THROUGH WESTERN UNION MONEY TRANSFER
BECAUSE OF THE URGENT ATTENTION NEEDED.DO SEND IT TO THE INFORMATIONS BELOW.

PASTOR JOHN BROMA

HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

PLEASE MAKE SURE THAT YOU FORWARD THE WESTERN UNION INFORMATIONS SUCH AS
SENDERS NAME,AMOUNT SEND AND THE MTCN.WE PRAY THAT ALMIGHTY GOD WILL
BLESS AS YOU HELP THE SUFFERING HAITI CITIZEN.

THANKS FOR YOUR HELP

PASTOR JOHN BROMA(SECRETARY)

Looking at the message headers we see:

Received: from User ([82.128.33.35] RDNS failed) by mail.westnet.com
with Microsoft SMTPSVC(6.0.3790.3959); Fri, 15 Jan 2010 19:13:32 +0900
Reply-To: <pastorjohnbroma@yahoo.com>
From: HIATI CITIZENS IN UNITED KINGDOM<pastorjohnbroma@yahoo.com>
Subject: HELP FOR HAITI
Date: Sat, 16 Jan 2010 11:21:10 -0800

IP address 82.128.33.35 belongs to a cell phone provider in Nigeria:

inetnum: 82.128.32.0 – 82.128.63.255
netname: INET-MLTL
descr: CDMA 1x/EVDO Dial up pool
country: NG
admin-c: RIA27
tech-c: RIA27
status: ASSIGNED PA
mnt-by: MLTL-INT-MNT
mnt-lower: MLTL-INT-MNT
source: AFRINIC # Filtered
parent: 82.128.0.0 – 82.128.127.255

person: IP Admin-RIPE
address: Multilinks Telecommunications Limited
address: 231 Adeola Odeku Str.
address: Victoria Island, Lagos, Nigeria

The criminal who sent this mail must be one of their customers.
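The header-to-whois step above (and the same lookup on the Togo headers quoted later on this page), as an added example that is not the author’s code: a small Python tracer that takes the earliest Received hop, skips private relay addresses, and checks the sending address against a constructed allocation table that holds only the AFRINIC range quoted above.

```python
"""Trace a scam mail to its originating IP address using its Received headers.

Added example, not code from the original post. The allocation table holds
only the AFRINIC inetnum quoted in the post (82.128.32.0 - 82.128.63.255,
country NG, netname INET-MLTL); the sample headers are cut down from the two
messages the post quotes. Everything else is an assumption of this example.
"""
import email
import ipaddress
import re

# (network, country, netname). A real tool would query whois or RDAP; here
# the single entry is the range quoted in the post.
ALLOCATIONS = [
    (net, "NG", "INET-MLTL")
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address("82.128.32.0"), ipaddress.ip_address("82.128.63.255"))
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def public_ips(received):
    """Public IPv4 addresses named in one Received header, in order."""
    ips = []
    for text in IPV4.findall(received):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:  # dotted version strings and the like
            continue
        if ip.is_global:  # drop 10/8, 192.168/16, 127/8 and similar
            ips.append(ip)
    return ips


def originating_ip(raw_headers):
    """Address of the earliest hop, i.e. the machine that injected the mail.

    Every relay prepends its own Received header, so the last one is the
    first hop; hops naming only private addresses (internal relays) are
    skipped. "from" precedes "by", so the first public address is the sender.
    """
    msg = email.message_from_string(raw_headers)
    for received in reversed(msg.get_all("Received", [])):
        ips = public_ips(received)
        if ips:
            return ips[0]
    return None


def lookup(ip):
    """(country, netname) for ip, or None if no allocation is on file."""
    for net, country, netname in ALLOCATIONS:
        if ip in net:
            return country, netname
    return None


def trace(raw_headers):
    """Originating IP and its allocation, or None if no public hop is found."""
    ip = originating_ip(raw_headers)
    if ip is None:
        return None
    country, netname = lookup(ip) or (None, None)
    return {"ip": str(ip), "country": country, "netname": netname}


# Cut down from the Haiti scam headers quoted in the post (folded line kept).
NIGERIA_HEADERS = """\
Received: from User ([82.128.33.35] RDNS failed) by mail.westnet.com
 with Microsoft SMTPSVC(6.0.3790.3959); Fri, 15 Jan 2010 19:13:32 +0900
Subject: HELP FOR HAITI
"""
# Cut down from the Togo malware-spam headers quoted later in the post, plus a
# constructed internal first hop to show that a private address is skipped.
TOGO_HEADERS = """\
Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com
 via HTTP; Tue, 27 Feb 2007 20:29:42 ICT
Received: from [192.168.0.9] by localhost; Tue, 27 Feb 2007 20:29:40 ICT
To: kodja12@yahoo.co.th
"""
```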

If you want to make a donation to help those affected by the disaster, send it to the Red Cross or another well established relief organization. Beware of any stranger who asks you to wire money by Western Union or MoneyGram: these instant wire transfer services are essentially anonymous, there are no safeguards whatsoever against abuse, and a criminal recipient cannot be traced afterwards. That is precisely why scammers prefer you to send money that way.

If hell exists there must be a special place there waiting for these scammers, who even make money out of the orphans and dying in Haiti.

Dial +44 70 (UK number) for international online fraud

A few years ago I created the Scam-O-Matic (www.scamomatic.com), a website that every month helps thousands of people worldwide by automatically diagnosing online fraud emails submitted to it. Scamomatic.com recognizes fake lotteries, “dead customer” scams, “dying widow” scams and many other common formats used by Nigerian scammers that you may have seen in your inbox before. Even when it can’t pinpoint the exact type of scam, it often recognizes it as a generic scam format, largely thanks to the presence in the email of UK phone numbers that start with +44 70. These numbers are everywhere in Nigerian online scams, regardless of the precise scam format. The +44 70 prefix might as well be called the country code of Nigerian scammers.

If you receive any email that mentions any +4470 phone number, do not reply to it! You can submit the body of any suspicious email message to www.scamomatic.com for instant feedback about what kind of scam it might be.
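An added example, not Scam-O-Matic’s own code (the post does not show how it matches): a Python normaliser that finds +44 numbers however they are written in a message body, converts them to one form and flags the +44 70 ones. The sample body and every number in it are constructed.

```python
"""Flag +44 70 contact numbers in a scam mail body.

Added example, not Scam-O-Matic's own code: the post says the service keys on
+44 70 numbers but does not show how. The normaliser accepts the usual ways
such numbers are written (+44, 0044, a bracketed (0), any digit grouping); the
sample body is constructed and the numbers in it are made up.
"""
import re

# International prefix, optional written-out trunk zero, then exactly ten
# national digits in any grouping. The lookbehind stops matches inside longer
# digit runs; the lookahead rejects eleven-digit (mangled) numbers.
UK_NUMBER = re.compile(
    r"(?<!\d)(?:\+|00)\s?44"             # +44 or 0044, not inside a digit run
    r"[\s().-]*(?:\(0\)|0)?"             # optional trunk zero, as in +44 (0)70
    r"[\s().-]*(\d(?:[\s().-]*\d){9})"   # exactly ten national digits
    r"(?!\d)"                            # reject longer digit runs
)
SCAM_PREFIX = "+4470"  # the prefix the post calls the scammers' country code


def normalise(match):
    """E.164 form, e.g. '+447012345678', from one regex match."""
    national = re.sub(r"\D", "", match.group(1))
    return "+44" + national


def uk_numbers(text):
    """All distinct +44 numbers in text, normalised, in order of appearance."""
    seen = []
    for m in UK_NUMBER.finditer(text):
        n = normalise(m)
        if n not in seen:
            seen.append(n)
    return seen


def scam_numbers(text):
    """The subset of uk_numbers(text) that starts with +44 70."""
    return [n for n in uk_numbers(text) if n.startswith(SCAM_PREFIX)]


def verdict(text):
    """One-line diagnosis, or None if no +44 70 number was found."""
    hits = scam_numbers(text)
    if not hits:
        return None
    return "generic Nigerian scam format: %d x +44 70 number(s) %s" % (
        len(hits), ", ".join(hits))


# Constructed sample body; every number in it is made up.
SAMPLE_BODY = """\
Dear winner, to claim your prize contact our claims agent on
+44 70 1234 5678 or 0044 (0) 70 2400 1234 (fax +44-703-9876-543).
Our London solicitor can be reached on +44 20 7946 0958.
Reference number 2010/01. Do not call +234 803 123 4567 after 6pm.
"""
```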

These +4470 numbers are a gift to online scammers from British phone regulators. They are primarily owned by obscure British phone companies offering an anonymous call forwarding service. The economic model of these services is simple: the caller dials a rather expensive UK number and the UK service provider forwards the incoming call to an international number that is somewhat cheaper to call (for example a Nigerian mobile phone, which remains hidden from the caller), pocketing the difference between the call rates. For example, the caller might pay 50 cents per minute to call a +44 70 number and the call will then be forwarded to a Nigerian mobile phone that costs 25 cents per minute, leaving 25 cents per minute as a net margin for the service operator. The more successful the scammers are, the more money the phone company makes. Whoever said crime doesn’t pay?

These UK phone numbers are very attractive to scammers: when people can be made to believe that they are dealing with a bank, lawyer or government official in London, UK, while they are actually talking to a scammer on his cell phone in an Internet cafe in Lagos, Nigeria, they are much more easily defrauded.

As far as I can tell these numbers aren’t really being used for any other purpose than to enable international online crimes to be committed. In some nine years of tracking Nigerian scam emails, I have yet to come across a single legitimate user of a +44 70 number. I really don’t understand why the British government has allowed those services to continue to operate.

Now, of course, the service operators can claim that they don’t know that their services are being used for criminal purposes unless someone tells them about it. On the other hand, they are not exactly making it easy to report abuse, and the high prices of these services mean that they are unlikely to get much legitimate use, if any.

There are several ways to curb abuse other than suspending +44 70 numbers altogether, and I would encourage the UK government to seriously consider them:

  • The UK regulators could make it a requirement that calls via this service either originate in the UK or terminate in the UK, i.e. prevent unrestricted global relaying, where, say, calls from India or the US are forwarded to Nigeria or Côte d’Ivoire.
  • The UK regulators could require service providers to announce the country name of the phone number to which the call is being forwarded if the destination number is not a UK number.
  • The UK regulators could require service providers to block forwarding to mobile phone numbers in certain countries, e.g. Nigeria.

Below is a sample list of +44 70 numbers that appeared in Nigerian scams reported to Scam-O-Matic over the course of the last seven days. These roughly 60 phone numbers per day are only the tip of the iceberg:


Microsoft subsidizes Nigerian scammers

A four-part series of blog postings at Artists against 419 discusses in detail the massive abuse of Microsoft’s OfficeLive (MSOL) webhosting service by Advance fee fraud scammers, which I mentioned in a previous blog post here. Currently I come across such MSOL domains at a rate of about two new ones per day.

As the Artists point out, one of the reasons for the large number of scam domains hosted at MSOL is that, unlike at other webhosting services where customers get their own domain, they are not charged any fees for registering and using a domain. Microsoft appears to be so desperate to find any business willing to host its website with them using the basic webhosting package that it forks out cash to VeriSign for the .com / .net domain registration fees. To secure against abuse, the user has to supply a credit card when signing up, but no charge is ever made to that card. All that MSOL does with it is obtain an authorization from the card company to charge $1 to it (that is, the card company verifies that the card exists, has not been cancelled and that the current accumulated charges since the last statement are at least $1 below its spending limit). Those $1 authorizations will not show up on a monthly statement, so the owner of a card whose data has been stolen never sees them. If the owner doesn’t see unauthorized charges, he has no reason to cancel the card, and the scammer can use the same card over and over to register hundreds of scam domains, while Microsoft pays hundreds of dollars in domain registration fees to VeriSign and scam victims lose thousands of dollars to the scammer.

The article series then discusses the problems with trying to get MSOL to take action against the criminal abuse of their system, which appears to be so broken that even a domain that has been disabled (no working website) can still be used for sending email, which is all that some 75% of scammers ever use it for anyway, according to the Artists.

Read the article series here:

Yahoo abuse handling improves, OfficeLive and Earthlink have their work cut out

Nine months ago I reported on a series of child porn sites that were being illegally hosted at Yahoo’s webhosting service. At the time I was seeing about half a dozen new sites pop up every day. I am glad to report that about 4 weeks ago Yahoo finally seems to have done something to stop this. After 18 months of a steady stream of new porn sites that I reported, things went quiet after Yahoo suspended two sites on November 5, 2007 that I had reported earlier that day. For the next two weeks I didn’t come across any new sites. Another 9 sites I came across on November 20, 21 and 22 were quickly terminated. Then again there were no new sites to report for three weeks. Thank you, Yahoo, for stopping these criminals! I don’t know what Yahoo did to prevent fraudulent signups (child porn webhosting signups usually involve stolen credit card data), but whatever it is seems to be working. Now if only it could stop the phishing scammers that still abuse its service.

Meanwhile, two other webhosts constantly keep popping up in connection with various Nigerian scams. For many months Microsoft’s OfficeLive has been the clear leader. I did some counts a few months ago and found that amongst domains connected to Advance fee scams that I was adding to the SURBL blacklist, more than half were hosted at OfficeLive, i.e. more than for all other webhosts combined!

Unlike most other webhosts, OfficeLive does not appear to maintain an abuse reporting email address to which to forward scam reports. All they have is a webform.

The runner-up amongst Advance fee fraud domains has been Earthlink.net, where numbers seem to be increasing. If you try to report fraudulent domains that have appeared in contact addresses listed inside a scam email, such as a “claim agent” for an “email lottery” or an immigration lawyer for an international employment scam, do not waste your time contacting abuse@earthlink.com. All you would get back is a boilerplate message saying that the message you reported did not originate from an Earthlink account, which may well be true, but is beside the point. Here’s an example:

Hello,

Thank you for submitting a report to the EarthLink Network Abuse
Department. Unfortunately, we are unable to investigate the email you
forwarded because it does not appear to have originated from the
EarthLink network.

For instructions on determining the origin of an email, please visit:

http://support.earthlink.net/tutorial/mailbox/interpret_headers/

If, after reading the above article, you find that the email did NOT
originate from the EarthLink network, we encourage you to submit the
email to the appropriate network.

If you were trying to report fraud (“phishing”), please contact our
Fraud Department via our Fraud webform located at:

http://securitycenterkb.earthlink.net/fraudmi.asp?route=email

If you find that the email DID originate from the EarthLink network,
please reply directly to this email.

The EarthLink Appropriate Use Policy, Users Agreement, and Privacy
Policy are available at: http://earthlink.net/about/policies

We appreciate your assistance.

Sincerely,

EarthLink Network Abuse

The email I had been trying to report had been sent from a Gmail account, but it was telling people to contact an email address that used an Earthlink-hosted domain name.

I will give the Earthlink fraud report webform a try. Hopefully it works better. Webforms are a poor substitute for reporting abuse via email. Much abuse will remain unreported if reporting it involves much more than hitting the forward button. Criminals will keep flocking to those providers who do not have effective abuse handling departments, such as OfficeLive and Earthlink.

Anti-Fraud sites under attack

Several of the main sites dedicated to fighting online scams are currently inaccessible because of a “Denial of service” (DoS) attack.

Fraudwatchers.com, aa419.org, 419eater.com and occasionally thescambaiter.com have been offline. Thescambaiter.com and 419eater.com are two of the oldest sites that fight “419” scams (named after the section of the Nigerian penal code that prohibits fraud). Fraudwatchers.org and aa419.org deal with a wider range of online scams: Nigerian scams as well as escrow and commercial scams often run by Eastern European crime rings.

It is still unclear who is behind the attack. The selection of websites for this concurrent attack suggests Nigerian scammers, but technically the type of attack is more typical for Eastern European scammers. It may well be a sign of increased cooperation between both crime communities.

The exposure of websites to the danger of cyber attacks in a more and more net-centric world was highlighted earlier in the year when websites in Estonia were crippled for several days in large scale attacks, many of which originated from next-door Russia, with which Estonia has had a strained political relationship.

Throughout this year criminals have been building the Storm botnet, a network of remote-controlled zombie computers infected with malware that lets the criminal masters download and run any software on them that they choose. So far the Storm botnet has been used primarily for sending pump-and-dump penny stock spams (see here). However, experts estimate the network to comprise between 1 and 10 million computers, far larger than needed to spam every computer on the planet. It’s probably the only peer-to-peer network comparable in size to eBay’s voice-over-IP giant Skype, which currently has 4 to 7 million concurrent online users.

Botnets have the potential to cripple the information infrastructure that countries increasingly rely on. Greater efforts need to be made to prevent infections, clean up or quarantine infected computers and to track down the criminals who control them.

Botnets meet “Nigerian” spam

Today I received an email which was a familiar scam sent from West Africa. I receive literally hundreds of them every day. What made this one different was that it carried a link to a malware site.

Any Windows user foolish enough to click the link and run the executable would get their machine infected with “trojan horse” software that gives others access to it.

I found five different domains all used to host the same trojan and all the emails to spread them were sent from countries in Africa.

Here is an example:

Dear friend,

I’m Mr.Alfred Kodjo from Lome Togo the only son of late Mr. David Kodjo.My father was poisoned to death on Dec 23, 2005 by his fellow diamond/gold business associate in Accra Ghana.

My father told me my mother suffered high blood pressure and died when I was 3 years old, but now I’m 24 years. In the light of the above, I have contacted you to assist me to transfer out of Togo the sum of $12 million US dollars, which my father deposited in one box as family treasure with a safety company for my future, I would like the fund to get to you so that you safe-keep it for me after which I will come over to your country in due course to live and school. You will invest this money for me in commercial estate or any other business of your choice you deem healthy.

For your effort, I am prepared to give you 20% of the total funds. I am looking forward to hearing from you while thanking you for your anticipated cooperation in this regard.

Please give me also your phone numbers for better communication between us.

Kind Regards,
Mr Alfred Kodjo
just look http://postcardsbargain . com/clip.html

(spaces inserted by me, to make sure it doesn’t show as a clickable link).

The email was sent from an IP address in Togo:

Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com
via HTTP; Tue, 27 Feb 2007 20:29:42 ICT
Date: Tue, 27 Feb 2007 20:29:42 +0700 (ICT)
From: alfred kodjo
Subject: {Spam!} ``Erwin co-operation from Mr. Alfred
To: kodja12@yahoo.co.th

The domain postcardsbargain.com was recently registered:

Domain Name: POSTCARDSBARGAIN.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: MANAGEDNS1.ESTBOXES.COM
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Status: clientTransferProhibited
Updated Date: 13-feb-2007
Creation Date: 13-feb-2007
Expiration Date: 13-feb-2008

Other domains in the same series were bestnetpostcards.com, freewebpostcards.com, ecolorpostcards.com and mailfreepostcards.com, which were also registered through Estdomains. Here are the details for the emails in which they were spotted:

212.60.73.44 (Gambia) – moceesay@hotmail.com:
mailfreepostcards.com / show.exe

196.28.250.11 (Nigeria) – mr_ban0x19@hotmail.com:
ecolorpostcards.com / winner.html

196.201.156.161 (Kenya) – info_jabrattofood@yahoo.co.uk:
freewebpostcards.com / show.exe

196.3.63.252 (Nigeria) – william_franca_fw2@yahoo.com.hk:
bestnetpostcards.com / show.exe

80.248.70.177 (Togo) – kodja12@yahoo.co.th:
postcardsbargain.com / clip.html

41.243.148.204 (South Africa) – den_ma006@hotmail.com:
nuclearworldaction.com / video.html / clip.exe

196.3.63.252 (Nigeria) – annahoffmanhome@yahoo.com:
nuclearwarinusa.com / news.html

Malicious programs installed via links in emails can log keyboard input to steal passwords and online banking details. They can turn your computer into a remote-controlled spam sending zombie.

Such programs have been used primarily by Eastern European spam gangs for sending spam and for hosting illegal websites, such as for phishing scams. However, until recently the Nigerian gangs made virtually no use of malware.

A few months ago I started seeing a trend in which spam for Nigerian “419” scams sent through webmailers traced back to IP addresses of broadband hosts in North America (bellsouth.net, adelphia.net, cox.net, comcast.net, shaw.ca), which was highly unusual at the time. I was wondering whether the “lads” (Nigerian scammers) were renting botnets from Russian gangs to evade spam filters that were treating West African Internet cafe IP addresses as suspect.

With the latest malware spam from West Africa it appears the cooperation goes much deeper. While it is possible that the malware links were automatically inserted by a very clever trojan running on PCs in Internet cafes, it seems too much of a coincidence that all of the samples we’ve come across so far originated from Africa.

Close cooperation between the manpower of Nigerian and other advance fee fraud gangs and the brains of high tech crime rings in Eastern Europe is indeed a frightening prospect.