Last summer (June 2009), I posted about an example of a very common scam that relies on the scammer gaining access to someone else's email or Facebook account, then sending messages to all their contacts claiming that they've been mugged while abroad on business or vacation, and need their friends to send them some money so that they can sort themselves out. In the example I blogged about then, the scammer carried out the conversation via Facebook chat, but there are plenty of other channels for such conversations: other instant messaging apps, direct messaging on social networking services, and plain old email.

Of course, these are a persistent problem, and an example popped up a couple of days ago on a security industry mailing list. In this instance, it was a gmail account that had been hijacked. As is rather common with type of scam, the purported mugging victim claimed to have been held up at gunpoint while on vacation in London, though the IP address indicated that the message was sent from Lagos, Nigeria. Which won't come as a surprise to anyone with previous experience of this type of spam. When an English politician's account was compromised  back in February, 2009, the scammer in that instance claimed that "he" (Labour MP Jack Straw) had lost his wallet in Lagos, in the land of the 419 scam.

Having lived in London for many years of my life (though I don't now), I can confirm that people do get mugged there (including me, once), though I suspect that it's very rare indeed for it happen at gunpoint. But I suspect that the reason that London is so often chosen as the imaginary venue (so often that the scam is sometimes referred to as Londoning or "the London scam") has more to do with habit and accessibiity: London seems to be a convenient meeting point for 419-ers picking up money from victims, perhaps because it's easy to get in and out from the Netherlands, which seems to be a popular base for such gangs. It's also been suggested that there are connections with money mule networks elsewhere in the UK.

So what can you do about it?

  1. Well, you can be very suspicious of messages like this, however they arrive and wherever or whoever they come from.
  2. Don't even think of responding to the request until you've verified the source with extreme prejudice.
  3. If the way the message is expressed is uncharacteristic (especially if it sounds more "foreign" than you'd expect), that's a pretty good indication that you're not talking to the person you think you're hearing from.
  4. Be particularly sceptical when a "friend" wants you to send them cash by a scam-friendly channel such as Western Union.
  5. 419 scams sometimes inventive in social engineering terms, but not necessarily hi-tech: take reasonable precautions to avoid having your accounts (email, Facebook, other social networking sites) compromised. Use hard to break passwords, don't use the same password for multiple accounts, and be on the lookout for any attempt to trick you into giving your password away, and that will reduce your attack surface (no guarantees of invulnerability though!)
  6. Facebook have a terse summary of their take on it here: http://www.facebook.com/security?v=app_4949752878&viewas=22000040.

 

In the case of the incident described here, it turns out that Google/Gmail were pretty helpful once their report form was filled out, so if you think your account is compromised, don't just give up without trying the obvious routes to remediation.

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/