Inside the SCAM Jungle: A Closer Look at 419 Scam Email Operations (PowerPoint presentation)



SLIDE 1

Inside the SCAM Jungle:

A Closer Look at 419 Scam Email Operations

Jelena Isacenkova, Olivier Thonnard, Andrei Costin, Aurelien Francillon, Davide Balzarotti

SLIDE 2

Nigerian Scam Trap

SLIDE 4

Spam vs. 419 Scam

419 SCAM
― Low-volume
― Hide behind webmail accounts
― Manual sending
― Trap with social engineering techniques
― Contact with victims via emails and/or phone numbers

SPAM
― High-volume
― Highly dynamic infrastructure
― Automated sending
― Trap victims through engineering effort
― Contact with victims over URLs

SLIDE 5

Why we study campaigns

― The goal:
– identify and characterize 419 scam campaigns
– find predictive scam email features

― Our assumptions:
– Scam is likely sent in campaigns, like Spam
– Emails and phone numbers are personal scammer assets (Costin et al., PST'13) => linking features

SLIDE 6

Outline

― Dataset
― Methodology
― Experimental results
― Conclusions

SLIDE 7

Dataset

SLIDE 8

Dataset

― Public data from 419scam.org
― From January 2009 till August 2012
― 36,761 scam messages
― 12 countries (Europe, Africa and Asia)
― 34,723 unique email addresses
― 11,738 unique phone numbers

SLIDE 12

Scam origins by phone numbers

Nigeria – 30%
Benin – 14%
South Africa – 5%
Spain – 4%
Netherlands – 3%

Map annotation: UK Personal Numbering Services (PNS)

SLIDE 13

Data categories

SLIDE 14

Methodology

SLIDE 15

TRIAGE

― Security data mining framework (Thonnard et al. at RAID'10, CEAS'11, RAID'12)
― Multi-dimensional clustering
― Links common elements together, forming clusters/campaigns

SLIDE 16

TRIAGE, part 2

SLIDE 17

Experimental results

SLIDE 18

Campaigns

1,040 campaigns identified, with at least 5 messages each

Top 250 campaigns on average:
– Long and scarce: last for one year and have only 28 active days
– Small (38 emails): keep low-volume, could be unorganized
– Use 2 phone numbers
– Use 6 Reply-To email addresses
– Use 14 From email addresses

SLIDE 20

Re-use of emails and phones

Figure labels: "Being re-used on average 6 months", "Being re-used on average 2.5 months"

SLIDE 21

Examples

SLIDE 23

Main traits:
– Single phone number
– Two campaign topics
– Long lived
– 83 emails

SLIDE 24

Fake lottery: 1 year

SLIDE 25

“Eskom generates approximately 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa.” – Eskom

SLIDE 27

Different topics over time

Main traits:
– Topics change
– Monthly package of emails
– Single phone number
– 58 emails

Timeline: November, December, January, February, March

SLIDE 28

iPhone campaign

Main traits:
– One topic
– Two phone numbers
– Big re-used email package
– 190 emails

SLIDE 29

Macro-clusters

― Link strongly connected clusters into loosely connected ones
― Linked through emails and/or phone numbers
― 62 macro-clusters, 195 inter-connected clusters
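The linking idea behind slides 15, 18 and 29, as an added Python illustration (not the TRIAGE code): messages sharing a Reply-To address or a phone number are joined into campaigns, which is an assumed simplification of TRIAGE's multi-dimensional clustering; clusters of at least 5 messages are kept and the per-campaign figures of slide 18 are computed; clusters that share any email address or phone are then loosely joined into macro-clusters. The message set is constructed, and the `wm.example` addresses and phone numbers are placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample messages (not 419scam.org data): id, date, From, Reply-To, phones
MESSAGES = [
    ("m1", date(2010, 1, 3),  "ann@wm.example", "claims@wm.example", {"+44700000001"}),
    ("m2", date(2010, 1, 20), "bob@wm.example", "claims@wm.example", {"+44700000001"}),
    ("m3", date(2010, 3, 5),  "cid@wm.example", "payout@wm.example", {"+44700000001"}),
    ("m4", date(2010, 6, 9),  "dee@wm.example", "payout@wm.example", {"+234800000002"}),
    ("m5", date(2010, 11, 1), "eve@wm.example", "payout@wm.example", {"+234800000002"}),
    ("m6", date(2011, 2, 14), "eve@wm.example", "phone@wm.example", {"+229900000003"}),
    ("m7", date(2011, 2, 14), "gus@wm.example", "phone@wm.example", {"+229900000003"}),
    ("m8", date(2011, 8, 2),  "hal@wm.example", "lone@wm.example", {"+229900000009"}),
]

def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving
        x = parent[x]
    return x
def link(items):
    """Union-find over (item_id, keys): items sharing any key end up in one group."""
    parent = {i: i for i, _ in items}
    first_seen = {}
    for i, keys in items:
        for k in keys:
            if k in first_seen:
                parent[_find(parent, i)] = _find(parent, first_seen[k])
            first_seen.setdefault(k, i)
    groups = defaultdict(list)
    for i, _ in items:
        groups[_find(parent, i)].append(i)
    return sorted(groups.values(), key=len, reverse=True)
def campaigns(messages, min_size=5):
    """Messages linked by a shared Reply-To or phone (assumed simplification of TRIAGE)."""
    return [c for c in link([(m[0], {m[3]} | m[4]) for m in messages]) if len(c) >= min_size]
def campaign_stats(messages, members):  # per-campaign figures like those on slide 18
    rows = [m for m in messages if m[0] in members]
    days = {m[1] for m in rows}
    return {"messages": len(rows), "active_days": len(days),
            "duration_days": (max(days) - min(days)).days + 1,
            "phones": len(set().union(*(m[4] for m in rows))),
            "reply_to": len({m[3] for m in rows}), "from": len({m[2] for m in rows})}
def macro_clusters(messages, clusters):
    """Loosely join clusters that share any email address (From or Reply-To) or phone."""
    by_id = {m[0]: m for m in messages}
    keyed = [(i, {k for mid in c for k in ({by_id[mid][2], by_id[mid][3]} | by_id[mid][4])})
             for i, c in enumerate(clusters)]
    return [[mid for i in g for mid in clusters[i]] for g in link(keyed)]
```

With the sample data, only the five-message lottery cluster survives the size filter, while the macro step joins it to the two-message iPhone cluster through the From address they share and leaves the lone job message isolated.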

SLIDE 30

Top macro-clusters

― Some are organized groups operating on an international scale
― Fake lottery scam is primarily run by scammers located in Europe that are connected with African scammer groups

SLIDE 33

Clusters by countries

Figure labels: "Unclustered: stealthy or isolated scammers", "Organized"

― Majority of unclustered data present isolated African actors => unorganized
― Macro-clusters cover African and many European actors => bigger organized groups covering Western markets

SLIDE 35

Conclusions

Emails and phone numbers play a crucial role in Nigerian email scam
– Campaigns are long and scarce
– Scammers hide behind webmail and forwarded phones
– Scam campaigns differ in their infrastructure, orchestration and modus operandi
– Different scammers probably compete for trendy topics, thus changing topics over time
