Monday, December 14, 2009

ATTENTION: The Bat! Being Used by Email Scammers

Have you received unsolicited emails or are you liaising with one of the suspicious scammers thru email correspondences? The question is how we can confirm and track these scammers even if they use sophisticated media or technology in operating their fraudulent business?

This is a simple instruction on how we can get information about the sender or the source of the email message. Let us say you are using Yahoo email service. We can track them by going to your inbox and choose one of the suspected scammers message by pointing your mouse to it then right click and choose "View Full Headers". Copy paste the information acquired in a spreadsheet and tabulate the data. Use
one or many of the available IP-Address trackers. All the information about the sender will appear including its IP address. However those professional scammers use X-Mailer: The Bat! so it would be difficult to track them down. To get to know further information about this please check the article below.

*****************************************************

Courtesy of Systems Architecture Laboratory (ESAL) located in Stockholm, Sweden

Technology that can be abused by Scammers – Are you being scammed?

Scamming is a sophisticated technique used to part the unwary of their money. The challenge for the scammer is that not everyone falls for the scam; unfortunately, enough people do fall for the scam to keep the scammers in business. This short article helps explain how Scammers use technology to help them commit a scam and signals that you can look for that will help you avoid being a victim.

Scammers have a big problem to overcome when they try to get unwary people to send them money – first, there is a much higher awareness today so far fewer people fall for the scams. This means that Scammers need to "play the percentages" and send out as many "convincing" e-mails as possible in the hopes of finding their victim. How can they do this? Through technology solutions normally used by companies. Let me ask you two questions: First, what would you think if you knew that the person writing you was using a commercial software application typically used by businesses? Second, what would you think about receiving e-mails from a mail client from someone claiming that they were using an Internet Café? If you do not understand either of these two questions, your vulnerability to being scammed is much greater. There are two pieces of background information that will help you understand why understanding the context of these two questions is important:

First, managing the large number of scams that are necessary in order to identify a victim is difficult. The solution is to use a commercial software application that has the following characteristics:

1) The Scammer needs an e-mail client that can manage large amounts of e-mail from many different e-mail accounts (using the same e-mail account for communicating with many victims can be problematic since once identified as a Scammer, there are enough Blacklists that the e-mail account will be readily recognizable).
2) The Scammer needs an e-mail client that can sort messages from different e-mail accounts into threads do that the dialogue over time can be managed – this allows "customization" of the communication with the victim to help avoid suspicion (not answering questions or ignoring important information can tip off a victim that something is wrong.
3) The Scammer needs a way to reduce the amount of effort required to communicate with all their victims.

Second, as the scale of the scamming activity increases, the Scammer will have a problem using a web e-mail service:

1) E-mail service providers, once aware of a scam, can involve law enforcement agencies and can identify other victims and send out warnings – the Scammer needs to minimize, as much as possible, traces of their scamming activities.
2) Most people would never consider using an e-mail application from an Internet Café (which many Scammers claim to be using) since all of their mail would be left on the computer they were using! If someone is using an e-mail application of any kind (Outlook Express, Outlook, etc.) while stating that they are using an Internet Café warning lights and a siren should be going off.

Now that we have identified the characteristics, we can discuss two simple tests that you can do yourself: First, as soon as possible, ask the person that you are corresponding with where they live. With this information, you can inspect the e-mail message header (most e-mail clients will show this information as "message header" or "show original message") – the part that you are looking for looks like this:

Received: from 192.168.0.4 (29.214.dialup.mari-el.ru [195.161.214.29])
(authenticated bits=0)
by mailc.rambler.ru (8.12.10/8.12.10) with ESMTP id jBHJSM2V039983
for ; Sat, 17 Dec 2005 22:29:30 +0300 (MSK)
Date: Sat, 17 Dec 2005 22:26:48 +1100
From: scammer
X-Mailer: The Bat! (v2.01)

Step one is to find out where the message actually came from – for this example I am using an e-mail where the woman claimed to be using an Internet Café in Cheboksary, Russia. I enter the following URL into my web browser:

http://www.ripe.net/perl/whois

Next, I enter the IP address from the line that starts with "Received:" which is:

195.161.214.29

And enter it into the "Search for" field on the web page, which returns the following results:

person: Nikolay Nikolaev
address: Volgatelecom Mari El branch
address: Sovetskaya 138
address: 424000 Yoshkar-Ola
address: Russia MariEl Republic
phone: +7 8362 421549
phone: +7 8362 664435
fax-no: +7 8362 664151
e-mail: nnb@relinfo.ru
nic-hdl: NN-RIPE
source: RIPE # Filtered

I am expecting the address to be Cheboksary and Chuvash Republic – I am not expecting the address to be Yoshkar-Ola and MariEl Republic! Actually, I already had a warning flag in the e-mail header:

Received: from 192.168.0.4
(29.214.dialup.mari-el.ru
[195.161.214.29])

If the e-mail actually came from Cheboksary, I would expect to see the following:

person: Medukov J Alexandr
address: 428000 Cheboxary Lenin av 2a
phone: +7 8352 662912
e-mail: master@chtts.ru
nic-hdl: MJA4-RIPE
source: RIPE # Filtered

How did I get this information? Simple, find a government or business URL in the city you are interested in and enter it into Ripe. You may need to identify the IP address by using the PING command – this will turn a text URL into an IP address that can be searched on Ripe. I will not go into this more, since this topic wanders off topic a bit.

The important thing to note is that the city and republic do not match what was expected – there are a lot of people on this and other web site forums that can assist you if you need more help.

The second test is to examine the message header and look for "X-Mailer:" – in our example we find the following:

X-Mailer: The Bat! (v2.01)

This means that the person sending me the e-mail from a supposed Internet Café is using an e-mail client application. By now, "Red Alert" should be flashing! Why would someone use an e-mail client from an Internet Cafe? Well, most normal people would not – so this is very likely a scam!

Now that I have covered how you can test your own e-mails for scamming attempts, I want to return to the technology topic.

The Bat! (also known as TB! And TB) – I will use TB! From this point on – is an e-mail client application (a program that runs on a personal computer) that is marketed towards companies and individuals that need to manage large volumes of e-mail. The OECD refers to a category of company as a Small to Medium-Sized Enterprise – an SME for short. Smaller SME's often have very limited budgets and cannot afford specialized Sales and Marketing, Customer Service, and other forms of Customer Relationship Management (CRM) software. Our laboratory supports a group company that helps smaller SME's adapt TB! for their business. I mention this because TB! Has been associated with both Spamming and Scamming – the product is legitimate and is a valuable tool for many businesses; unfortunately, the same features that make TB! effective and efficient for companies, also provide a similar benefit to Scammers. There are two features that Scammers find particularly useful:

1) TB! supports a sophisticated macro programming language and a sophisticated ability to manage templates – predefined text that can be dynamically changed by the macro programming language to respond to e-mails. This allows a technically competent person to create a Scamming system that has a high degree of automation while at the same time allowing the scammer to add custom text in predefined areas within the template. The more people that the Scammer can correspond with, the more likely a victim can be found. 2) TB! is designed to work with multiple e-mail servers simultaneously. This makes it very easy for the Scammer to use numerous "dummy" e-mail accounts for Scamming unsuspecting victims (TB! downloads and erases the e-mails from each e-mail server making it harder for investigators to track what was happening).

An e-mail client such as Outlook Express or Outlook Professional and most web e-mail clients such as Yahoo and Hotmail do not offer this level of sophistication. TB! is also very affordable at less than USD $60.00 – well within the means of the typical Scammer. TB! is a product of RIT Labs, which is based in Moldova.

This article was produced by the Enterprise Systems Architecture Laboratory (ESAL) located in Stockholm, Sweden. Reuse of this information free of royalty is hereby granted providing that this notice is included in any reproductions.

Our footnote. Beware!! recently scammers started using other mass-mailing programs (those are usually used to send spam). In particular: FC'2000, Becky and CommuniGate Pro.

*****************************************************

I hope this article is useful and informative to everybody!


5 comments:

Jacky Cheng said...

this was certainly a really helpful post! although most spam are easily identified, there are some that seem to get around. you have a very interesting blog!

Crazyhorse said...

Thank you Jacky. You are right I have tried to create a new email account and I was surprised that although it's new in just few days I started to receive spams. I never use the said e-account in any online registrations. The intention of this blog is to help educate people and it's my pleasure to share my knowledge through my researches and personal experiences.

Sandra said...

Hi Jacky, what do you do if you think you are instant messaging with a scammer. This guy Harris says that he is Alabama. He has been overly friendly from the start and after asking for my phone number twice I finally gave him my cell number. I never use it unless in emergencies which are few. It is always turned off. So I give this guy my cell number and he supposed to call the next morning. But I get an i.m. from him saying that he can't find the change to call. He says he is going to Italy and Ghana for cocoa business (??) for his chocolate shop but that he doesn't know if his credit card "will work over there". When I referred to myself as a "smart ass" he didn't know what I meant?? He said he would love to send me some of his chocolate but that he doesn't have change for that either. I'd like to know what he thinks he is paying the airline tickets with. It sure as heck won't be with my money.!!! What do you think? He sounds like a scammer doesn't he?

OASIS said...

Earning money online never been this easy and transparent. You would find great tips on how to make that dream amount every month. So go ahead and click here for more details and open floodgates to your online income. All the best.

Deborah Medina said...

Timeshares need to be looked up as a purchase and not an investment. Regardless of how timeshares are presented, they don't perform as well as a house or stock investment. If you look around the resale market for timeshares on websites like EBay, Redweek, or TUGBBS will find that you can buy a timeshare for far less money than what the first owner purchased it for:

Is timeshare a good investment?