Babies Offered for Adoption in 419 Scam

A variation on the 419 email scam is being used by fraudsters to take advantage of couples desperate to adopt a child. Once they are carefully lured into a fake adoption process, the victims are then asked for money to cover legal and administrative fees.

While most recent 419 scams rely more on the naivety of victims than any ingenuity on the part of the spammer, some fraudsters are beginning to make more of an effort to directly communicate with the victim to secure their confidence. Their scams are well researched, convincingly presented and may borrow details from real life to make their stories more authentic and better able to withstand a little scrutiny.

While fake adoption scams have been seen from time to time before, in this instance Symantec observed real-life background details and a scammer who goes to great lengths to engage with the victim.


Figure 1. Scam email using adoption story

Rather than using the usual advance-fee fraud scam narratives, such as winning a foreign lottery or a wealthy African leader dying, this fraudster adopts a different approach. Despite this, there were many telltale signs pointing towards a scam. The message was sent to hidden recipients (through a hacked webmail account originating from Hungary, but routed through Italy), and the message required a response to a different webmail provider. These are typical characteristics of an advance-fee fraud, but we decided to investigate further to see how the scammer intended to ask for money.

In an effort to make this adoption narrative appear as legitimate as possible, the fraudster made us jump through several hoops before finally getting to the point where we were asked to send money. During our correspondence—which spanned 11 email replies over a two-month period—the scammer informed us in great detail about the mother’s story, and the regulations involved with private and independent adoption. They even went as far as providing a fake adoption form along with pictures of the baby!


Figure 2. Babies offered for adoption through this 419 scam campaign


Figure 3. Fake adoption form used to gain victim's confidence

When the fraudster finally decided to ask for money, we were asked to send US$2,500 to cover the "Court Order Preparation and Document Fee." This took the form of one payment of $1,500 and another of $1,000, through a financial services wire transfer. It is likely the scammer requested the payments to be sent this way so the transaction appeared more legitimate and the victim would have more confidence that the adoption process was genuine.


Figure 4. Scammer requests baby adoption money

When the fraudster provided a name and address to receive the wire transfer payment, we assumed this information was phony. However, looking up this address led us to a startling discovery.

The payee address listed was the office address of a legitimate Adoption and Family Law attorney (who has absolutely no connection to this scam). While most scammers use any old fake name to perpetrate an advance-fee fraud, hijacking a real person's identity can make the fraud appear more convincing. The unsuspecting target may look up the name and confirm the person is a legitimate attorney who is practicing in the United States. It all "adds up," they send the money, and become yet another victim of the scam.

The execution of this adoption scam signals a new approach by 419 scammers, some of whom have now come full circle in their approach. In an interview with The Economist two years ago, I revealed how some advance-fee fraudsters have moved from sending legitimate and official-looking scam messages to far less professional looking missives offering large sums of money in unlikely scenarios. None of these scam narratives are very sophisticated because the scammers look for victims to "self-select."

This example serves as a reminder that not all advance-fee fraud scams are lazy attempts to get the most gullible victims to participate. Some fraudsters use creative tactics, such as this adoption narrative drawn out over months with convincing background details and official-looking forms. There is no doubt that scammer imagination and creativity will continue to evolve in the future.

419 Scammers Take Advantage of the Facebook IPO

Today sees the highly anticipated IPO (Initial Public Offering) of the social-networking site Facebook. The IPO is expected to be several times oversubscribed as the demand for shares greatly exceeds the number of shares being issued.

The high-profile nature of this IPO has not escaped the attention of the “419” or “advance fee fraud” scammers. As a brief reminder, these scams typically promise vast sums of money in exchange for assistance. However, before said sums of money can be received, several increasingly inventive up-front charges and fees must be paid. The fees keep coming and the promised money never materializes.

We recently spotted a 419 scam message offering a "FACEBOOK (IPO) SUBSCRIPTION PARTNERSHIP PROPOSAL". The use of an all-uppercase heading is a common hallmark of such 419 scams.

The scam claims to be sent from a finance firm with offices in multiple locations around the world. The exact nature of the scam is unclear. The scam mentions loaning money under "soft" or generous terms to buy Facebook stock or shares and then selling them back to the finance firm at a price higher than the original purchase price.

The financial company claims to have offices in London, Hong Kong, and Dubai, yet the phone number included in the message is an answering service with a Sacramento, California phone number. The company's website claims that its registered office is in Cardiff, Wales.

A final strong indication that this is a scam is the email address to which the scammer is soliciting replies. It is an amateurish-looking address at a common free Web-based email provider. A legitimate company would almost certainly use an email address at its own domain, rather than using a free Web-based address. The email address and name in the "From" header of the message are also different to the email address and name used in the message body.
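The header-level warning signs described in these posts (hidden recipients and a reply address at a different provider in the adoption scam; an all-uppercase heading, a free webmail contact and a body address that differs from the "From" header here) can be checked mechanically. The following Python sketch is an added example, not Symantec's detection logic; the sample messages, the webmail domain list and the indicator names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: a short, illustrative list of free webmail domains.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed samples: every name and address below is made up.
SCAM = """\
From: "Global Finance Desk" <info@finance-firm.example>
To: undisclosed-recipients:;
Reply-To: partner.desk77@yahoo.com
Subject: FACEBOOK (IPO) SUBSCRIPTION PARTNERSHIP PROPOSAL

Kindly contact our director at jdoe.invest2012@hotmail.com for the terms.
"""
BENIGN = """\
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Quarterly report draft

Comments to alice@corp.example by Friday please.
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def indicators(raw):
    """Return the names of the warning signs found in one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # An empty group such as "undisclosed-recipients:;" yields no real address.
    visible = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])) if a]
    body_addrs = {a.lower() for a in ADDR_RE.findall(msg.get_payload())}
    contacts = body_addrs | ({reply_to} if reply_to else set())
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    found = []
    if not visible:
        found.append("hidden_recipients")
    if reply_to and domain(reply_to) != domain(sender):
        found.append("reply_to_other_provider")
    if any(domain(a) in FREE_WEBMAIL for a in contacts):
        found.append("free_webmail_contact")
    if body_addrs and sender not in body_addrs:
        found.append("body_address_differs_from_sender")
    if letters and all(c.isupper() for c in letters):
        found.append("all_caps_subject")
    return found

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, indicators(raw))
```

Each indicator alone is weak evidence; legitimate mail can trip any one of them, so the list is best used as input to scoring or triage rather than as a verdict.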

Given the high-profile nature of this IPO, we expect scammers to continue to take advantage of it in much the same way that they have taken advantage of previous news stories and events.

As usual, when receiving any kind of financial offer, exercise extreme caution. Use companies registered with the appropriate regulatory bodies for your jurisdiction, and if in doubt, don't hand over any of your money.

Symantec customers are protected against this and many other threats.

Mrs. Gaddafi offers 40 million dollars for safekeeping

Creative Commons photo of Gaddafi courtesy of James Gordon

Imagine my surprise this morning when I received an email from the second wife of Colonel Muammar Gaddafi, Safia Farkash al-Baraasi!

I suppose I wasn’t really surprised, as every time there is a major news event, tragedy or television spectacle, spammers and fraudsters use the topic to social engineer their victims.

The message itself was quite brief:

Subject: From Safia Gaddafi,Please kindly open the attached file for more information


Spam from Mrs. Gaddafi

Clearly this message must be legitimate, the from address is mrs.safiagadaffi2 AT Considering Google’s position on identity we should automatically grant this message higher priority.

The attached Microsoft Word document follows the tried-and-true formula of Nigerian 419 scams. While the story was well researched, it appears to have been based on news reports from May suggesting Mrs. Gaddafi had 20 tons of gold hidden away.

My favorite part reads “As you may be aware that my husband is presently facing a difficulties in Libya.”

Of course, to be of assistance I need to provide Mrs. Gaddafi with my name, address, age, occupation and cell phone number.

Wouldn’t it have been easier to just ask Anonymous? They have dumped that very same information on half of the population at this point.

Don’t open attachments from unknown people, even if they are famous. The standard logic applies here. No one will email you because they have too much money and need your assistance.