The “Total Sting” – 419 Scam Evolved

Have you ever received a suspicious looking email, urging you to send money or provide your banking account details to someone you don’t know? Sure you have.

This is one of the Internet’s most common scams, and it has many names – “phishing”, “advance fee fraud”, “Nigerian sting” or 419 scam (this name refers to the article of the Nigerian Criminal Code dealing with fraud).

The logic is simple – send numerous phishing emails, and you can expect that at least some people will be gullible enough to provide you with money or banking details. When you send millions of emails, even a meagre return percentage is enough to generate hefty sums. But there’s a catch – most people are by now aware of this and are reluctant to reply to, or even open, emails which do not appear to have been sent by a known acquaintance or organization. So 419 scammers have to evolve in order to survive. One way of doing so is utilizing social networks, and especially LinkedIn, since people tend to see it as a professional network and trust information and requests to connect which originate there.

Enter the “Total Sting”.

[Image: An open position as Senior Project Manager at Total Oil as published on LinkedIn]

The story is simple yet entails great sophistication and creativity. As a LinkedIn member you one day notice a lucrative job opening – Total Oil, one of the leading oil and gas companies, is looking to open new offices in your country and is recruiting a senior project manager.

You submit your application via LinkedIn and a few days later you receive a formal-looking email from Gérard Lamarche at the Total HR Dept. (even the email address looks legit: apply@totalconsult.int.tf). Out of curiosity you check who this gentleman is and find that he is a director at Total (http://total.com/en/media/news/press-releases/20120116-appointment-gerard-lamarche-director-total-sareplacing-thierry-rudder).

[Image: The invitation letter (allegedly) received from Total Oil]

Now comes the fun part. The email includes three attachments. Since you know that this is a reply to a submission you’ve sent, you don’t hesitate to open these PDF files. There’s a very attractive job description document, an official-looking invitation for an interview in London and another letter describing the technicalities of the interview. You are cordially invited to come to London and interview for the lucrative job at the Total Recruitment offices, Human Resources department, TOTAL UK Limited, 40 Clarendon Road, Watford, Hertfordshire WD17 1TQ.

Out of curiosity you Google the address and find that this is indeed the official address of Total in the UK. There’s only one catch – you need to make the travel arrangements through a specific agency (but don’t worry, you will be reimbursed upon arrival). The contact person’s name is Dr. Kenneth Cole (hmmm) and the travel agency’s name is Belair Travel and Tours (located at Air Malta House, 314-316 Upper Richmond Rd, London SW1). Now things are looking a little more suspicious.

[Image: A letter requesting to arrange travel through a designated travel agency]

You decide to look more carefully into this. You phone the number but there is no answer. You check the website of the company, located in East Kensington, London, and find that they are using completely different phone numbers (http://www.belleair.co.uk/contactbelleair).

You search a little more on the web and immediately see that this is indeed a scam (http://www.419baiter.com/_scam_emails/01-08/419_emails_total-oil-company-job-scam.html).

So you were just one of many lured into a simple phishing scam? Not quite.

This is an evolution of the classic 419, and this is why: the perpetrators of this specific scam have done almost everything possible to overcome the identifiable pitfalls of phishing emails.

This scam is reactive, it is targeted at a specific audience, it looks official and it does not ask directly for money or details in advance. Someone had to create a fake company profile on LinkedIn, post an authentic-looking position, receive and read emails, fabricate authentic-looking documents (complete with logo and an actual executive’s name), enter the job seeker’s name into the documents’ titles and send it all back. And since this is a reply to an email/job submission, the recipient is much more likely to open it and perhaps respond. The logical next step for this scam is that the scammers will create a false website (which will appear completely real) and let you submit your details there, making this fraud almost perfect.
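The first indicator in the story above is a sender address that merely contains the brand name (apply@totalconsult.int.tf) rather than belonging to the company’s real domain. The following is an added example, not code from the original post, of a small triage check a mail-security team could run on recruitment emails; the brand-to-domain map and the two-label approximation of a registrable domain are constructed assumptions for the example.

```python
# Added example: classify a sender address against the brand it claims to
# represent. Flags addresses where the brand name is embedded in a domain the
# brand does not own (the pattern seen in apply@totalconsult.int.tf).
import re

# Constructed map of brand -> domains the brand genuinely sends mail from.
# A real deployment would load this from a verified corporate domain list.
KNOWN_BRAND_DOMAINS = {
    "total": {"total.com"},
    "linkedin": {"linkedin.com"},
}

ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def sender_domain(address):
    """Return the lower-cased domain of an e-mail address, or None if malformed."""
    m = ADDR_RE.match(address.strip())
    return m.group(1).lower() if m else None


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels
    (total.com, int.tf). Assumption for the example; a public-suffix list
    would be used in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_sender(address, claimed_brand):
    """Return 'legitimate', 'lookalike', 'unrelated' or 'malformed'.

    Sub-domains of a known brand domain (hr.total.com) count as legitimate;
    any other domain containing the brand name is treated as a look-alike.
    The heuristic deliberately errs on the side of flagging.
    """
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    brand = claimed_brand.lower()
    legit = KNOWN_BRAND_DOMAINS.get(brand, set())
    if domain in legit or registrable_domain(domain) in legit:
        return "legitimate"
    if any(brand in label for label in domain.split(".")):
        return "lookalike"
    return "unrelated"
```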

I would like to thank Itay and Tanya, who shared this with me and assisted me in describing it in detail.

P.S. We checked and the PDF files were not weaponized (i.e. carrying malware). Had they been, this would have been a spear-phishing campaign, and a darn good one too.

P.S. 2: If you ever notice this type of scam, please notify the good people of LinkedIn at phishing@linkedin.com (we have).

Cyber Intelligence Yearly Report

Executive Summary

The SenseCy Cyber Intelligence team, along with our partners ClearSky and Aman Computers, has been providing intelligence monitoring services for leading financial institutes in Israel for over a year. Our unique methodology of using “Virtual Entities” to infiltrate cyber-attack groups and the underground has proven successful in alerting to imminent cyber threats, as well as in detecting new malware types and monitoring broader cyber trends.

The following is an extract of an annual report sent to our customers. To receive a copy, please send a request to: info@sensecy.com

Main Findings

This report comprises an analysis of data amassed from major cyber incidents pertaining to financial institutions in Israel over the past year, as reflected in the alerts and the weekly and monthly reports produced by our Cyber Intelligence team. The analysis can be summarized as follows:

  • The majority of Hacktivist campaigns were directed against the government and financial sectors.
  • Interestingly, we have found no correlation between the attack dates and any symbolically significant dates.
  • The main threat actors were political activists and political cyber warriors.
  • The most popular attack types were data leakage (exploitation) attacks, resource depletion attacks, injection attacks and social engineering attacks.

Additionally, the report includes an analysis of data collected on the sale of attack tools on underground forums (mostly Russian). The analysis comprises 42 tools and exploits, summarized as follows:

  • The most popular tools for sale on the underground are bots and exploits (some sold as exploit kits), followed by Trojan horses.
  • Their main purpose is stealing financial information.
  • The main functions of the tools sold included running Web injection attacks and grabbers, intercepting and forwarding SMS messages and calls from cell phones, keylogging, and DDoS attacks.
  • Java was the program identified as most vulnerable to attack.
  • The most vulnerable Web browser was Internet Explorer, followed closely by Firefox.
  • The most vulnerable operating system was Windows.

Event Classification

This summary is based on major cyber events pertinent to the financial sector, as published in the various reports we issued throughout the year. The analysis is based on data from over 40 cyber events.

The majority of incidents reported are specifically relevant to the financial sector, but the data also includes a category for general threats to Israeli websites, mainly from political threat actors. This classification is evident in the graph below, with the leading threats being financial, data loss, defacement and DDoS.

[Graph: Classification of events]

Timeline of Events 2013

[Graph: Timeline of events 2013]

Classification of the Sale of Attack Tools on the Underground

The summary was based on all malware/exploit sales for the past year that appeared on the underground forums, mainly Russian forums, monitored by us – more than 40 in total. The majority of tools for sale are bots, followed by exploits or exploit kits. Trojan horses are also offered for sale, but less frequently.

[Graph: Classification of attack tools sold on the underground]