Threat Management, Vulnerability Management

Masterminds and Mastercards

Another day, another 419.

From: Jackie Lue Raia
Subject: CONTACT UPS VIA EMAIL: [email address removed]
Sent: 19 May 2011 01:09

Good Day

This is to inform you that I am a delegate from the United Nations Compensation Commission and to notify you finally about your outstanding Compensation Cheque payment of $1,759,000 USD.

Please Contact the United Parcel Service and Send your Name, Address, City, State, Zip Code, Country, and telephone number to [email address removed] for your cheque delivery.

Thanks for your attention

Jackie Lue Raia
Deputy Special Representative
United Nation Compensation (UNCC)

The use of a UPS email address (even one that is clearly fake) is kind of interesting since it tries to address the question “why are you offering to send me money when you don't know who I am?,” but I still think that if I was going to send anyone a check for nearly $2 million, I'd make sure I knew their address. In principle, then, this isn't really different from my favorite incompetent 419 of this year (so far).

Apparently sent by the magnificently named Bayron Javier Revelo Cabrera, it carries most of the message in the subject field: “750,000.00 GBP has been won by your email address in our Mega BO Promotion.” Mega BO? Is that a hint that I should change my shirt more often or a hint as to the origins of this particular scam? (Bo is a large city in Sierra Leone.)

The message itself is, however, an object lesson in economy.

Name:...................
Address:................
Ocupation..............
Country:...............

Sierra Leone must have a lot of money to throw around if it has that many winners of a lottery that doesn't even rely on selling tickets. (Well, I'm pretty sure neither I nor my email address bought a ticket, though I suppose my email address might be keeping secrets from me. Perhaps, unbeknown to me, it's even now deciding on whether to undergo surgery and become a Twitter account.)

Whimsy aside, it's clear that not every criminal is a mastermind: far from it, in fact. Consider, for instance, the bank robber who acceded to a Dallas bank teller's request that he show two forms of ID before she handed over the cash, or the burglar who took time out to check Facebook on the victim's laptop and left it still logged into his account.

Unfortunately, this sort of lapse of common sense isn't restricted to career criminals. My colleague Urban Schrott tells me that he's recently been asked how to disable ESET anti-virus software by someone who wanted to install a pirated application, but found that the AV wouldn't let him. Well, ok: software piracy is also a crime, and I'm sure Urban made that perfectly clear to the genius who posed the question.

But disabling a security product so that you can install fake AV on your own machine is probably perfectly legal, however naive. Yet Innovative Marketing (which marketed rogue AV using a somewhat convincing help desk, among other quasi-legitimate ploys) apparently received innumerable requests for advice on how to do just that.

Apparently it's true: common sense isn't as common as you might think it is.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.