The “Total Sting” – 419 Scam Evolved

Have you ever received a suspicious looking email, urging you to send money or provide your banking account details to someone you don’t know? Sure you have.

This is one of the Internet’s most common scams, and it has many names – “Phishing”, “advanced fee fraud”, “Nigerian sting” or 419 Scam (this name refers to the article of the Nigerian Criminal Code dealing with fraud).

The logic is simple – send numerous phishing emails, and you can expect that at least some people will be gullible enough to provide you with money or banking details. When you send millions of emails even a meagre return percentage is enough to generate hefty sums. But there’s a catch – most people are by now aware of this and are reluctant to reply or even open emails which do not appear to have been sent from a known acquaintance or organization. So 419 scammers have to evolve in order to survive. One way of doing so is utilizing social networks, and especially LinkedIn, since people tend to see it as a professional network and trust information and requests to connect which originate there.

Enter the “Total Sting”.

Image
An open position as Senior Project Manager at Total Oil as published on LinkedIn

The story is simple yet entails great sophistication and creativity. As a LinkedIn member you one day notice a lucrative job opening – Total oil, one of the leading oil and gas companies are looking to opening new offices at your country and are recruiting a senior project manager.

You submit your application via LinkedIn and a few days later you receive a formal looking email from Gérard Lamarche at Total HR Dept. (even the email address looks legit: apply@totalconsult.int.tf). Out of curiosity you check who this gentlemen is and find that he is a director at Total (http://total.com/en/media/news/press-releases/20120116-appointment-gerard-lamarche-director-total-sareplacing-thierry-rudder).

Image
The Invitation Letter (allegedly) received from Total Oil

Now comes the fun part. The email includes three attachments. Since you know that this is a reply email to a submission you’ve sent you don’t hesitate to open these PDF files. There’s a very attractive job description document, an officially looking invitation for an interview in London and another letter describing the technicalities of the interview. You are cordially invited to come to London and interview for the lucrative job at Total Recruitment offices, Human Resources department, TOTAL UK Limited, 40 Clarendon Road, Watford, Hertfordshire WD17 1TQ.

Out of curiosity you Google the address and find that this is indeed the official address of Total in the UK. There’s only one catch – you need to make the travel arrangements through a specific agency (but don’t worry, you will be reimbursed upon arrival). The contact person’s name is Dr. Kenneth Cole (hmmm) and the travel agency name is Belair travel and tours (located at Air Malta House, 314-316 Upper Richmond Rd, London SW1). Now things are looking a little more suspicious.

Image
A letter requesting to arrange travel through a designated travel agency

You decide to look more carefully into this. You phone the number but there is no answer. You check the website of the company, located in east Kensington, London, and find that they are using completely different phone numbers. ( http://www.belleair.co.uk/contactbelleair).

You search a little more on the web and immediate see that this is indeed a scam. (http://www.419baiter.com/_scam_emails/01-08/419_emails_total-oil-company-job-scam.html).

So you were just one of many lured into a simple phishing scam? Not quite.

This is an evolution of the classic 419, and this is why: the perpetrators of this specific scam have done almost everything possible to overcome the identifiable pitfalls of Phishing emails.

This scam is reactive, it is targeted at specific audience, it is officially looking and does not ask directly for money or details in advanced. Someone had to create a fake company profile on LinkedIn, post an authentically looking position, receive and read emails, fabricate authentically looking documents (complete with logo and an actual executive name), enter the job seeker name into the documents title and send it all back. And since this is a reply to an email/job submission the recipient is much more likely to open and perhaps respond. The logical evolution to this scam is that the scammers will create a false website (which will appear completely real) and let you submit your details there, making this fraud almost perfect.

I would like to Thank Itay and Tanya who shared this with me and assisted me in describing this in detail.

P.S. we checked and the PDF files were not weaponized (i.e. carrying Malware). had they been, this would have been a Spear-phishing campaign and a darn good one too.

P.s. 2. if you ever notice this type of scam please notify the good people of LinkedIn at phishing@linkedin.com (we have).


One thought on “The “Total Sting” – 419 Scam Evolved

  1. The good people at LinkedIn Customer Support just notified me that due to our reporting they have removed some presumably fake LinkedIn pages which were associated with this scam. well done!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s