I've seen various extortion spams over the past 12 months or so, but this one has a particularly vicious twist.
If you haven't seen one of these before - it's just a spam, randomly sent to your email address. You can safely ignore it.
From: Liza Guest [liza-guest@eosj.cia-gov-it.tk] Reply-To: liza-guest@eosj.cia-gov-it.tk To: [redacted] Date: 18 Mar 2019, 06:33 Subject: Central Intelligence Agency - Case #79238516
Case #79238516
Distribution and storage of pornographic electronic materials involving underage children.
My name is Liza Guest and I am a technical collection officer working for Central Intelligence Agency.
It has come to my attention that your personal details including your email address ([redacted]) are listed in case #79238516.
The following details are listed in the document's attachment:
Your personal details,
Home address,
Work address,
List of relatives and their contact information.
Case #79238516 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries.
The data which could be used to acquire your personal information:
Your ISP web browsing history,
DNS queries history and connection logs,
Deep web .onion browsing and/or connection sharing,
Online chat-room logs,
Social media activity log.
The first arrests are scheduled for April 8, 2019.
Why am I contacting you ?
I read the documentation and I know you are a wealthy person who may be concerned about reputation.
I am one of several
people who have access to those documents and I have enough security
clearance to amend and remove your details from this case. Here is my
proposition.
Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through Bitcoin network to this special bitcoin address:
3QTV16BBsaEBVuwZv8wCjEgWZTKVVQPJ3h
You can transfer
funds with online bitcoin exchanges such as Coinbase, Bitstamp or
Coinmama. The deadline is March 27, 2019 (I need few days to access and
edit the files).
Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you.
Please do not contact me. I will contact you and confirm only when I see the valid transfer.
Regards,
Liza Guest
Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency
Another version comes "from" tannerlynch@oiks.cia-gov-it.gq and solicits payments to 32ngJWq6YYGUfvCbj3Ji7MNSnqi3rdM5qa. There are probably others. At the time of writing, neither of these two Bitcoin wallets had received any payment.
Nigerian registrants. Dodgy Eastern European host offering bulletproof and anonymous hosting. Yup, I very much doubt there is anything legitimate at all hosted on 188.241.58.60.. or indeed any part of Qhoster's network.
I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.
From: Ravi [Redacted] <ravi@victimdomain.com> Reply-To: Ravi [Redacted] <ravi@victimdomain.com-3.eu> To: accounts@victimdomain.com Date: 23 February 2018 at 12:02 Subject: Arrange this payment
Pleаsе make а £9,627.00 faster раyment for thе nеw contrаctor.
I will send the doсs as soon аs i'll sort out my stuff.
Lеаve a rерly oncе сomрlеted or in casе you get аnу рroblеm while sеtting it up.
Rеgards
Ravi [Redacted]
Sent from my iPhonе.
-----------------
From: Andrea [Redacted] <andrea@victimdomain.com> Reply-To: Andrea [Redacted] <andrea@victimdomain.com-0.eu> To: sarah@victimdomain.com Date: 5 March 2018 at 10:31 Subject: 5 Mar. faster payment
Morning Sаrah
Plеаse sеtup a £9,736.00 fastеr рауmеnt in fаvour of the new bеnеfiсiаrу.
Sort code: 30-61-10
Acс. number: 10811231
Pауее: Thеa Smith
I will sеnd the doсs аs soon аs i'm lеss busу.
Leave a rерly once сomрletеd or if уou get аnу рroblеm whilе sеtting it uр.
Rеgаrds
Andreа [Redacted]
Sеnt from mу iPhone.
-----------------
From: Andrea [Redacted] <andrea@victimdomain.com> Reply-To: Andrea [Redacted] <andrea@victimdomain.com-v.eu> To: karen@victimdomain.com Date: 7 March 2018 at 11:08 Subject: Arrange this payment
Hi Karеn
I nеed you to аrrаnge а £8,643.00 fastеr рауmеnt for the nеw bеnеficiarу.
I will sеnd thе doсumеnts as soon as i'm less busу.
Lеavе а rеply oncе donе or if you get аnу problem whilе sеtting it uр.
Regаrds
Andrеа [Redacted]
Sеnt from my iPhonе.
-----------------
From: Andrea [Redacted] <andrea@victimdomain.com> Reply-To: Andrea [Redacted] <andrea@victimdomain.com-v.eu> To: mary@victimdomain.com Date: 8 March 2018 at 11:03 Subject: 8 Mar. faster payment
Hi Mаrу
I neеd уou to mаke a £8,839.00 faster раymеnt for the new supрlier.
Sort codе: 30-62-12
Acс. numbеr: 10738345
Benеficiаry: Emmа Brown
I will send the рapеrwork onсе i'll sort out mу stuff.
Lеаve а reрly once donе or if you gеt аny рroblem whilе setting it up.
Rеgards
Andrea [Redacted]
Sent from mу iPhone.
"Andrea" and "Ravi" are not random people, they are both directors of a legitimate company with a name very similar (but unconnected) with one I blogged about years ago. In $dayjob the sample email I saw was from that company's chief counsel, so I believe these are targeted but just incorrect.
Normally with this sort of scam, the "boss" is asking for payment to be wired to the bank details in the email. But in this case, the sort codes for the banks (30-62-12, 30-61-10 and 30-62-15) don't exist. If you tried to wire money to them, the transfer would fail.
So, presumably when the bank transfer fails, the victim emails back the "fake boss", but it isn't all it seems. Although the "From" address looks to be genuine, there's a "Reply-To" address which goes to something a but more subtle.
For example in one of the examples about the email appears to come from andrea@victimdomain.com (i.e. whatever the victim's genuine domain is) but replies go back to something similar but different, for example andrea@victimdomain.com-v.eu - at which point the fraudsters probably then come up with different bank account details.
At the moment the email replies go to a server at 185.235.131.65 (hostname uk-v.eu) in the Netherlands, but these domains and servers get shut down quickly.
All these following domains are linked to the scam (there are probably more):
uk-0.eu
uk-1.eu
uk-2.eu
uk-3.eu
uk-4.eu
uk-5.eu
uk-8.eu
uk-9.eu
uk-f.eu
uk-v.eu
com-0.eu
com-1.eu
com-2.eu
com-3.eu
com-4.eu
com-5.eu
com-6.eu
com-7.eu
com-8.eu
com-f.eu
com-v.eu
This variation of an old scam seems to be quite new. Remember, if your boss emails you out of the blue and asks you to set up a payment without giving much information, always check that the request is valid and don't simply reply to the email.
UPDATE 2018-03-12
Another version..
From: Andrea [redacted] <andrea@victimdomain.com> Reply-To: Andrea [redacted] <andrea@victimdomain.com-w.eu> To: helen@victimdomain.com Date: 12 March 2018 at 12:57 Subject: Handle this payment
Hi Hеlеn
Pleasе makе a £8,909.00 fastеr payment for the nеw vеndor.
Sort сodе: 30-64-15
Acс. number: 10576602
Pаyeе: Elizabeth Moore
I will send the paperwork oncе i'll sort out mу stuff.
Lеave a rерlу whеn thе oреration is сomplеtе or in cаsе уou gеt аnу problеm whilе setting it up.
Regаrds
Andrеа [redacted]
Sеnt from my iPhone.
This uses the domain com-w.eu and is hosted on 185.241.54.62 (hostname uk-w.eu) along with uk-b.eu.
UPDATE 2018-03-13
Two more examples with the same pattern:
From: Ravi [redacted] <ravi@victimdomain.com> Reply-To: Ravi [redacted] <ravi@victimdomain.com-w.eu> To: keith@victimdomain.com Date: 13 March 2018 at 09:52 Subject: Payment due 13 mar.
Hi Keith
Plеase аrrange a £8,563.00 fаstеr paуment for the new benefiсiarу.
I will sеnd the pаperwork as soon аs i'm lеss busу. Lеаvе а rеplу when the oрerаtion is сomрlеte or if уou gеt аny problem whilе setting it up.
Regаrds Rаvi [redacted]
Sеnt from my iPhonе.
----------
From: Andrea [redacted] <andrea@victimdomain.com> Reply-To: Andrea [redacted] <andrea@victimdomain.com-w.eu> To: emma@victimdomain.com Date: 13 March 2018 at 09:26 Subject: Settle up this payment
Hi Emmа
Please mаkе a £8,999.00 fаstеr pаymеnt for the nеw benеfiсiаrу.
I will forward the docs onсe i'll sort out my stuff. Lеаve a rеply once completed or in cаse уou get аny problеm while setting it uр.
Regаrds Andreа [redacted]
Sеnt from mу iPhonе.
What I hadn't noticed before is that the spam is using homoglyphs in the text to avoid filters. For example, the word "pаymеnt" in the email above does not acutally say "payment", but it uses a couple of cyrillic (i.e. Russian) characters in place of the "a" and "e" that just look the same.
For the latest spam messages, the email relays through various hosts but always seems to originate from 91.243.80.176 (hostname: lmasko22.example.com). As with the other infrastructure this belongs to a company called MoreneHost in Russia.
Subject: Help Your Child To Be A Professional Footballer. From: "FC Academy" [csa@sargas-tm.eu] Date: Sun, October 8, 2017 10:30 am To: "Recipients" [fcsa@sargas-tm.eu] Priority: Normal
Hello, Does your child desire to become a professional footballer?
Our football academy are currently scouting for young football player to participate in 3-6 months training and our main purpose is to recruit young and talented footballers to help become a great football player in Life and become a great star . Our agent will train and linked your child up with big clubs in United Kingdom and Europe.
We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.
Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.
If you want to help your child achieve their soccer dream, reply us for more information. Best Regards, CFAA.
At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:
Domain name: champ-footballacademyagency.co.uk
Registrant: NELSON OZI
Registrant type: Unknown
Registrant's address: 404 sapphire tower 404 sapphire tower USA Kentucky 97101 United States
Data validation: Nominet was not able to match the registrant's name and/or address against a 3rd party source on 19-Sep-2017
Relevant dates: Registered on: 19-Sep-2017 Expiry date: 19-Sep-2018 Last updated: 19-Sep-2017
Registration status: Registered until expiry date.
Name servers: dns1.yandex.net dns2.yandex.net
Disclaimer WHOIS lookup made at 10:50:09 08-Oct-2017
There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:
svbfib.com svbfibem.com globalcreditsus.com
These all seem to be connected with an IP range 169.255.59.0/24 (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.
The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from 103.207.37.101 in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be set to mx.yandex.net which is in Russia again.
It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.
For the past six years I have been following the exploits of Patchree "Patty" Patchrint and Anthony Christopher Jones who claim to run a series of seminars on project management and grant writing. Umm.. and failed restaurants in Los Angeles. I'm not going to repeat all of the information in this post, I advise you to read the whole story.
This latest scheme is a quite snazzy-looking website at www.pmacademyusa.org called "Project Management Academy USA".
The website may look professional, but it is simply done using the WIX website builder:
You'll notice that the site supplies no information at all about who runs it. However a useful tip alerted me to the site, which is basically a more glitzy version of the Institute of Project Management America from a few years back, including this lazy example of copypasta:
About Project Management Academy USA At Project Management Academy USA, our programs are led by practitioners-working professionals who are experts in the process of maximizing results using professional project management practices. Modern industry needs results driven professionals who are focused on a disciplined dedication to effective project management from initiation to closing. We strive to combine real-world scenarios, actual case-studies, with the knowledge provided by PMI and academic foundations to create certified project managers who are prepared for further certification and credential. Our programs are ultra-foundational, meaning they ensure attainment of the universal basics of project management, prepare participants for certification exams, and provide the advantage of our mastery components, which are unique to our programs and are followed by a Masters designation.
They currently advertise courses running in the following locations:
January 17-20, 2017 University of Southern California 8:00am to 5:00pm
February 21-24, 2017 University of Miami 8:00am to 5:00pm
February 28 - March 3, 2017 University of Texas at Austin 8:00am to 5:00pm
March 21-24, 2017 University of California Berkeley 8:00am to 5:00pm
March 28-31, 2017 University of Chicago 8:00am to 5:00pm
Funnily enough, the venue seems to be changed at the last minute from the prestigious university it was advertised at to some other location in the rough vicinity. And also, at the last moment the person who was meant to be teaching the course is substituted at the last moment for someone who has to fill in and mysteriously seems to have problems getting paid (if this is you then please add a comment below).
If you have doubts about the quality of these causes, I urge you to read the posts and especially the comments that go with them. Those are not my words, but the words of the people unfortunate enough to either pay for a course or who turn up to teach.
My name is Glen, I am the personnel manager of a large International company.
Most of the work you can do from home, that is, at a distance. Salary is $2600-$5500.
If you are interested in this offer, please visit Our Site
Good day!
It's not very interesting to tell the truth, but it relies on hacked WordPress sites in order to provide landing pages. Of course, hacking someone's site to do this is illegal and no legitimate business would promote itself like this.
Inspiral Carpets? Yup, that's the website of the Manchester rock band of the same name. Rather than a carpet shop. As this URLquery report shows, it lands on..
cash-onlines.com [172.246.233.55] (Enzu, US)
There's a familiar landing page..
Clicking the link goes to www.the-quantumcode.com hosted on 31.220.0.35 (Terratransit, Netherlands). This is some bollocks about a binary options trading robot which will apparently make you millions. Obviously this is a scam, because if it was really that easy we'll all be doing it.
One little scammy trick is a counter to tell you that loads of people are looking at the site but there are only a small number of slots available.
The numbers are completely made up. If you look exactly the same page in another browser window, they are different.
It's hard to say if the spam was sent out by whoever runs the binary options site or an affiliate. But it's still crap either way.
Hosted on the same server are the following domains which are probably more of the same plus a load of other bollocks:
This spam email advertising a "too good to be true" investment is a scam:
From: Tim Hoffman [letter@612.com] To: contact [contact@victimdomain.tld] Date: 30 July 2016 at 09:26 Subject: Fanrong Europe Fund – 1 Half 2016 return +32.69%.
Dear Sirs,
Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.
Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.
We welcome you to contact us through our web-site to learn more about investing with us:
www.FanrongFund.info
Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund
www.FanrongFund.info
Reply to: marketing@fanrongfund.info
If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info
NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.
I have received two of these emails, one coming from the IPs 188.69.207.57 and 188.69.223.168 which are both allocated to a mobile phone provider in Lithuania (UPDATE: also 188.69.223.54). The website fanrongfund.info was created just a few days ago (28th July 2016) and is registed to the following (presumably fake) registrant:
The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.
The website is pretty generic looking and opens with these words of wisdom:
Our main trade approach is: "Close the position if it runs to loss, and hold it if it runs to profit".
Hans Messner fund manager "Fanrong Europe Fund"
What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:
The "About" page carries this text:
We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).
Presumably this is copied off an earlier scam site, in this case there is an official warning about that particular firm.
fanrongfund.info appears to have mirrors at:
fanrongeuropefund.info
fanrongeuropefund.com
Both of these are hosted on 46.4.24.196 (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.
fanrongeuropefund.com Registry Registrant ID: Not Available From Registry Registrant Name: Li Yong Registrant Organization: Registrant Street: Schwingerstrasse 9 Registrant City: Zurich Registrant State/Province: Zurich Registrant Postal Code: 8006 Registrant Country: CH Registrant Phone: +41.442289632 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: info@fanrongeuropefund.com
For completeness, the domain fanrongcapital.com is hosted on 5.100.152.26 (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..
Registry Registrant ID: Not Available From Registry Registrant Name: Wei Zhang Registrant Organization: Fanrong Capital Registrant Street: 20F, 1 Harbor View Street Registrant City: Hong Kong Registrant State/Province: Hong Kong Registrant Postal Code: 111000 Registrant Country: HK Registrant Phone: +852.58085536 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: fanrongcapital@yahoo.com
Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.
Fake conferences are a pretty common scam. The criminals send out spam about serious-looking upcoming conferences that don't exist and then rip victims off for travel costs, conference fees and hotel accommodation. This spam about a fake conference about terrorism caught my eye because it comes from the amusingly named (but fake) Dr Happy Wisdom:
From: Dr. Happy [shreyag@bajajcapital.com] Reply-To: "Dr. Happy" [iedhsto.officedesk@gmail.com] Date: 15 June 2016 at 23:24 Subject: INTERNATIONAL CONFERENCE PROGRAM 2016
Dear Sir/Madam,
On
behalf of the International Economic Development on Human Security and
Terrorism Organization, I am pleased to invite you to our conference
that will be held from August 15th to 19th, 2016 @ the conference place in Dallas Texas USA and August 22nd-26th 2016 @
in Dakar Senegal. The conference meeting will contain various talks and
mini workshops related to the issues of Challenges to Economic
Development & Human Security in our society.
The
topic of the conference is "The Effect of Terrorism on Global Economy
and Human Security " the sponsors of this event shall cover your
round-trip air tickets from your country to the USA and from USA to
Dakar Senegal back to your country and we shall also provide visa
assistance with the U.S Embassy in your country of residence and your
ground transportation from the airport to the conference venue. The
hotel accommodation booking cost will be your own responsibility in Republic of Senegal. Please contact the conference secretariat for more information and registration for participation: [iedhsto.officedesk@gmail.com].
We look forward to your confirmed presence at the conference.
Respectfully Yours,
Dr. Happy Wisdom,
Program Assistant.
The email does actually originate from an IP address in Senegal (41.82.15.40) but then it is routed through a hacked server belonging to the domain bajajcapital.com which is a finance company in India. The compromise email account can be seen in the "From" field.
At best this scam is some sort of financial fraud. At worst, turning up to it could put your life in danger. Avoid.
I blogged about "Project Management International" last year, an outfit running (in my personal opinion) fake or low-quality seminars, at that time using the domain projectmanagementinternational.org.
This outfit is run by Anthony Christopher Jones and Patchree "Patty" Patchrint (aka Patty Jones) from California. I've written about this oufit several times in the past five years, but it turns out that Jones and Patchrint have been running similar schemes since 2008.
In 2011 ABC15 news in Arizona investigated a previous incarnation of these scheme, named "NAPPPA"...
These Jones / Patchrint operations seem to pop up from time to time and then disappear, usually after being exposed for what they are. This latest iteration of the fake "Project Management International" organisation uses the domain projmanagementintl.org. It's a flashy-looking site, but really it is just made from a standard template.
The "Registration" page lists some prestigious universities as hosting these courses.
From what I can tell, the usual thing that happens is that at the last minute the location is changed to a nearby hotel or conference centre, and it seems that no booking are ever made with the university. All feedback on the courses seems to indicate that they are all of very poor quality. There are numerous reports that the people hired to teach these courses are also not paid as promised.
The courses themselves are advertised through spam email (example here)
The Project Management Fundamentals Course
will be offered May 25-27, 2016 at the University of Utah campus in Salt Lake City, Utah. Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .
May 25-27, 2016 Salt Lake City, Utah8:00am - 5:00pm
The Project Management Fundamentals Course
is designed for those seeking professional project management certification. It serves as a thorough introduction to the fundamentals of project management. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.
Project Management Fundamentals Course provides 24 hours of project management education hours for both PMI's Certified Associate in Project Management (CAPM)
® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 24 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials. Additionally, the program awards 2.4 Continuing Education Units (CEUs) upon request.
Program Description
Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.
The skills developed in the Project Management Fundamentals Course apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.
Our approach to project management education offers proven, results-focused learning.
Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.
Tuition
Tuition for the three-day Project Management Fundamentals Course is $595.00
Program Schedule and Content
1.Project Initiation, Costing, and Selection, Day 1
2.Project Organization and Leadership, Day 1
3.Detailed Project Planning, Day 2
4.Project Monitoring and Control, Day 2
5.Project Risk and Stakeholder Management, Day 3
Benefits
·A Project Management International Certificate of Accomplishment is awarded upon completion of the three day program. ·
Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.· Each class is highly focused and promotes maximum interaction.·
You can network with other project management professionals from a variety of industries.· Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.·
Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will receive 24 project management education hours towards the requirements for eligibility.
Registration
Participants may reserve a seat online at the Project Management International website
, by calling the Program Office toll-free at (888) 201-6372, or by sending their name and contact information via email to the Program Registrar.
Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.
To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.
Contact numbers listed on the spamvertised site are:
If you see these telephone numbers on other seminar sites, then it will be the same operation. The site quotes a PO box as a contact address but reveals no other information about this so-called corporation.
Project Management International PO BOX 812112 Los Angeles, California 90081
If you feel you have been scammed by this operation then I urge you to report it to the police, FBI, FTC or your local AG's Office. If you would like to share your experiences (positive or negative) then please feel free to use the Comments section below.
Many of us will be familiar with the "fake boss" scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady bank account for a business transaction you are not allowed to talk about.
This type of fraud is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and convincing calls have to be made to unsuspecting minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the change of getting caught.
Now, the notorious Russian gang dubbed Den Duraka by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system called which promises to be a game-changer.
Sporting the clumsy Russian acronym LOZHNYY, this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using hacked credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers.
Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were not suspicious as this seemed consistent with the behaviour of their CEOs.
Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely ignore any communications from your CEO and indeed any C-level executive. You have been warned!
(If you hadn't spotted the clues in the Russian names above.. this is an April Fools joke)
This type of Chinese domain registration scam has been around for years.
From: Jim Gong [jim.gong@cnregistry.net] Date: 15 December 2015 at 13:40 Subject: "petroldirect"
Dear CEO,
(If you are not the person who is in
charge of this, please forward this to your CEO, because this is urgent,
Thanks)
We are a Network Service Company which
is the domain name registration center in Shanghai, China. We received an
application from Huabao Ltd on December 14, 2015. They want
to register " petroldirect " as their Internet Keyword and " petroldirect
.cn "、" petroldirect .com.cn " 、" petroldirect .net.cn "、" petroldirect
.org.cn " 、" petroldirect .asia " domain names
etc.., they are in China and Asia domain names. But after
checking it, we find " petroldirect " conflicts with your company. In
order to deal with this matter better, so we send you email and confirm whether
this company is your distributor or business partner in China or not?
Best
Regards,
Jim General Manager
Shanghai Office (Head Office) 3008, Jiulong Building, No. 836 Nandan
Road, Shanghai, China Tel: +86 216191 8696 Mobile: +86
1870199 4951 Fax: +86 216191 8697 Web:
www.cn-registry.net
In fact, there is no Huabao Ltd - it's just a made-up name that the scammers use to try to persuade you into buying some overpriced and worthless domains. Nobody is interested in buying these domains, and no domain registrar would contact you before registration in any case as it is not the responsibility of registrar to do so*.
I certainly don't recommend forwarding this to your CEO, as many CEOs will not understand the scam and may fall for it. If you do forward it, make you that you point out that this is a scam.
This scam has been around for so long, that I even made a video about it..
These following domains are all variations of the same rogue Chinese registrar:
A little while ago I registered a trademark. I was a bit surprised to see a small flurry of scammers following that up (by snail mail), sending me what to all intents and purposes are fake invoices. Here is one of them.
In the greyed-out text at the bottom, you can just about read the bit where they give the game away..
Basically, this "ETP" outfit is saying.. send us £930 for no reason at all. Avoid.