A Closer Look at 419 Scam Email Operations
Inside the SCAM Jungle:
A Closer Look at 419 Scam Email Operations
Jelena Isacenkova, Olivier Thonnard, Andrei Costin, Aurelien Francillon, Davide Balzarotti
Nigerian Scam Trap
Spam vs. 419 Scam
419 SCAM
― Low-volume
― Hide behind webmail accounts
― Manual sending
― Trap with social engineering techniques
― Contact with victims via emails and/or phone numbers
SPAM
― High-volume
― Highly dynamic infrastructure
― Automated sending
― Trap victims through engineering effort
― Contact with victims over URLs
Why we study campaigns
― The goal:
– identify and characterize 419 scam campaigns
– find predictive scam email features
― Our assumptions:
– Scam is likely sent in campaigns, like Spam
– Emails and phone numbers are personal scammer assets (Costin et al., PST'13) => linking features
Outline
― Dataset
― Methodology
― Experimental results
― Conclusions
Dataset
― Public data from 419scam.org
― From January 2009 till August 2012
― 36,761 scam messages
― 12 countries (Europe, Africa and Asia)
― 34,723 unique email addresses
― 11,738 unique phone numbers
Scam origins by phone numbers
UK Personal Numbering Services (PNS)
Nigeria – 30%
Benin – 14%
South Africa – 5%
Spain – 4%
Netherlands – 3%
Data categories
Methodology
TRIAGE
― Security data mining framework (Thonnard et al. at RAID'10, CEAS'11, RAID'12)
― Multi-dimensional clustering
― Links common elements together forming clusters/campaigns
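
A simplified illustration of linking messages into campaigns through shared elements, added here as an example and not the TRIAGE implementation or the authors' code: it takes connected components over exact matches of From address, Reply-To address and phone number, whereas TRIAGE is a multi-dimensional clustering framework. The sample rows, field layout and function names are constructed for illustration; the 5-message minimum follows the campaign threshold stated in the results.

```python
from collections import defaultdict

# Constructed sample rows: (id, date, From, Reply-To, phone). Not real scam data.
SAMPLE = [
    (1, "2011-01-03", "a@example.com", "claims@example.org", "+10000000001"),
    (2, "2011-01-03", "b@example.com", "prize@example.org", "+10000000001"),
    (3, "2011-02-10", "c@example.com", "prize@example.org", "+10000000002"),
    (4, "2011-06-21", "c@example.com", "agent@example.org", "+10000000003"),
    (5, "2011-12-01", "d@example.com", "desk@example.org", "+10000000003"),
    (6, "2011-03-05", "x@example.net", "y@example.net", "+10000000009"),
    (7, "2011-03-06", "z@example.net", "w@example.net", "+10000000009"),
]
FIELDS = ("from", "reply_to", "phone")  # assumed column order after id and date

def link_campaigns(messages, min_size=5):
    """Union messages that share any identifier; keep groups of min_size or more."""
    parent = {m[0]: m[0] for m in messages}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x
    first_seen = {}  # (field, normalized value) -> id of first message carrying it
    for msg_id, _date, *values in messages:
        for field, value in zip(FIELDS, values):
            if not value:
                continue  # a missing header or phone number links nothing
            key = (field, value.strip().lower())
            if key in first_seen:
                parent[find(msg_id)] = find(first_seen[key])
            else:
                first_seen[key] = msg_id
    groups = defaultdict(list)
    for m in messages:
        groups[find(m[0])].append(m)
    return [g for g in groups.values() if len(g) >= min_size]

def summarize(group):
    """Per-campaign counts in the style of the campaign statistics slide."""
    dates = sorted(m[1] for m in group)
    return {
        "emails": len(group), "active_days": len(set(dates)),
        "from": len({m[2] for m in group}), "reply_to": len({m[3] for m in group}),
        "phones": len({m[4] for m in group}),
        "first_seen": dates[0], "last_seen": dates[-1],
    }

if __name__ == "__main__":
    print([summarize(c) for c in link_campaigns(SAMPLE)])
```

Messages 1 to 5 never all share one identifier, yet they end up in a single campaign because each is chained to the next by a phone number, Reply-To address or From address.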
TRIAGE, part 2
Experimental results
Campaigns
― 1,040 campaigns identified, with at least 5 messages each
― Top 250 campaigns on average:
– Long and scarce: last for one year and have only 28 active days
– Small (38 emails): keep low-volume, could be unorganized
– Use 2 phone numbers
– Use 6 Reply-To email addresses
– Use 14 From email addresses
Re-use of emails and phones
Being re-used on average 6 months
Being re-used on average 2,5 months
Examples
Main traits:
― Single phone number
― Two campaign topics
― Long lived
― 83 emails
Fake lottery
1 year
“Eskom generates approximately 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa.” - Eskom
Different topics over time
Main traits:
― Topics change
― Monthly package of emails
― Single phone number
― 58 emails
November
December
January
February
March
iPhone campaign
Main traits:
― One topic
― Two phone numbers
― Big re-used email package
― 190 emails
Macro-clusters
― Link strongly connected clusters into loosely connected ones
― Linked through emails and/or phone numbers
― 62 macro-clusters, 195 inter-connected clusters
Top macro-clusters
― Some are organized groups operating on international scale
― Fake lottery scam is primarily run by scammers located in Europe that are connected with African scammer groups
Clusters by countries
Unclustered: stealthy or isolated scammers
― Majority of unclustered data represent isolated African actors => unorganized
― Macro-clusters cover African and many European actors => bigger organized groups covering Western markets
Organized
Conclusions
― Emails and phone numbers play a crucial role in Nigerian email scam
– Campaigns are long and scarce
– Scammers hide behind webmail and forwarded phones
– Scam campaigns differ in their infrastructure, orchestration and modus operandi
– Different scammers probably compete for trendy topics, thus changing topics over time