London Traveler Scam

“I am not in London, I have not been mugged.”
A scam we first started seeing on social networks at the beginning of 2009 is still going strong. Today, the criminals behind these threats are using stolen (or phished) social networking accounts, email accounts, and instant messaging and other forms of chat to fool people into parting with their money.

The scam basically works like this. A “friend” contacts the intended victim and tells them they are in London and have been mugged. They are okay but have lost all their money and have no way to get home. They are trapped in a foreign country unless the friend can help them out. All the victim has to do is wire them money for plane fare and their friend can fly home.

This basic scam has been around for a long time, but there are variations. And the twist on this one is your reward is in helping a friend out, not in obtaining some Nigerian prince’s fortune. Now it seems like everyone knows about the Nigerian prince. But the London traveler scam still fools lots of people. Consider this reaction of one Facebook user. “I just chatted with my sister on Facebook and she told me she was stranded in London. She was mugged at gunpoint. …please join me in prayer for this situation.”  

This story has a happy ending. Someone quickly posted the true whereabouts of the sister. And it wasn’t anywhere near London. There was a lot of confusion until someone figured out it was all a scam. Maybe the good news here is the media that enabled the scam also unraveled it. Another person allegedly mugged in London took to his Facebook page to declare, “I am not in London, I have not been mugged.” His friends got the message.

What’s amazing is to see how few people stop to ask, “What is my friend doing in London?” I have always wondered why London is the city the phony mugging takes place in. I don’t think of London as full of muggers. I can think of plenty of other cities that would seem like a more dangerous place to be stranded in. Maybe London is the place most Americans can picture their friends visiting. If you have an idea, then go to our Facebook page and comment on our wall posting.

Obviously, readers of this blog will not fall prey to this scam. Help stop others from falling for this scam by turning the features of social media against the scammers. If you see a friend posting about being mugged in London, or any city, call them out on it. Let all their friends know it’s a scam. And watch out for the next variant of this scam, whatever it may be. The basic rule of thumb here is friends don’t ask friends for money over the Internet.

The Arabic Wave Gathers Momentum in the Spam World

The Tunisian wave has captured the minds of people across the Middle East region. What is surprising to note is the creative use of the Internet in discussing such sensitive issues. The unrest in Tunisia has "tsunamied" into a mass movement straight at the heart of the Arab world. Egypt, with the ousting of President Hosni Mubarak, has become ground zero of this wave. But, as this movement gains momentum and spreads, there are many waiting to misuse this space—as demonstrated in the sample discussed below.

In this typical 419 scam message, the scammer masquerades as the erstwhile President Hosni Mubarak. A handsome proposal, considering the (bogus) bonanza of a 30% handling fee to be given to the one who cooperates in siphoning his booty out of Egypt. Further, because of the urgency of the situation, one is required to give "full contact information" as well as "some identity proof" as security for the said task. As always, the spammer hasn't forgotten to provide a link to a legitimate news site—in this message, a BBC news link is furnished. The attack originates in Mauritius, and the messages are sent through fake accounts created with the name of Hosni Mubarak on a free webmail service.

Although the scammer has made all possible effort to make this offer look really enticing, the message is lame. Why would anyone seek your help in such a so-called confidential task? Moreover, gathering personal information by using tactics similar to that mentioned above is a very common scamming ploy.

With the continuing liberation waves in neighboring Arab countries, we expect to see similar spam campaigns appear. Symantec recommends that users remain cautious when dealing with email messages from unknown senders and use a Symantec message security solution to prevent getting scammed.

Note: Thanks to Amit Kulkarni for contributed content.

Snowshoe Spammers Target the British Royal Wedding

With just over two months to go before the wedding of Prince William and Kate Middleton, it’s no surprise to find this significant event is being used to promote products. Emails advertising a replica of Princess Diana’s engagement ring were observed in the past few days, sent by well established spammers.

Although infected botnet machines are responsible for the vast majority of spam sent globally (77% at the end of 2010), these attacks do not fall into that category. In fact, the IP address sending the spam is the same one that hosts the domain linked to in the email. This domain has also been used in other spam campaigns, such as the long-running Who’s Who social networking spam messages (see our May 2008 State of Spam report for similar attacks). It was registered on February 9, 2011, using Moniker Privacy Services for anonymity, and since then has been used in at least half a million spam emails. This spammer has registered many different domains across a range of IPs in a technique that is sometimes known as “snowshoe spamming”.

If the user clicks on the link in the email, it first redirects to the ‘’ domain, which checks that the user’s IP is based in the US, before redirecting to the final destination product site. The product site was registered much earlier, on December 21, 2010, using a different registration service, indicating that the people behind the site might be purchasing spam services rather than sending the spam themselves.
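The two traits described above (the sending IP also hosts the linked domain, and that domain was registered only days earlier) can be checked mechanically at the mail gateway. The following is an added example, not Symantec's filter logic: the message, the domain names, and the `DNS_A` and `REGISTERED` tables are constructed stand-ins for live DNS and WHOIS lookups, and only the February 9, 2011 registration date is taken from the post.

```python
import email
import ipaddress
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample data (documentation IP ranges, example.* domains).
RAW_MESSAGE = """\
Received: from mail.ring-offer.example ([203.0.113.25]) by mx.recipient.example; Fri, 18 Feb 2011 10:02:11 +0000
From: "Royal Offers" <news@ring-offer.example>
Subject: Replica engagement ring
Content-Type: text/plain

See it here: http://ring-offer.example/r?id=1 and http://news.example.org/wedding
"""
# Stand-ins for DNS and WHOIS lookups so the example runs offline.
DNS_A = {"ring-offer.example": "203.0.113.25", "news.example.org": "198.51.100.7"}
REGISTERED = {"ring-offer.example": date(2011, 2, 9), "news.example.org": date(1999, 5, 1)}

def connecting_ip(msg):
    """IP literal from the topmost Received header (the one our own MX added)."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", received[0]) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def linked_hosts(msg):
    """Hostnames of every http(s) URL in a single-part text body."""
    body = msg.get_payload()
    return {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}

def self_hosted_links(raw, received_on, max_age_days=30):
    """Return (host, age_days, recently_registered) for links hosted on the sending IP."""
    msg = email.message_from_string(raw)
    sender = connecting_ip(msg)
    hits = []
    for host in sorted(h for h in linked_hosts(msg) if h):
        addr = DNS_A.get(host)
        if sender is None or addr is None or ipaddress.ip_address(addr) != sender:
            continue  # link is hosted elsewhere, e.g. a legitimate news site
        reg = REGISTERED.get(host)
        age = (received_on - reg).days if reg else None
        hits.append((host, age, age is not None and age <= max_age_days))
    return hits

if __name__ == "__main__":
    print(self_hosted_links(RAW_MESSAGE, date(2011, 2, 18)))
```

A hit on both conditions is a scoring signal rather than a verdict, since small organisations legitimately send mail from the same host that serves their website.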

Symantec Brightmail has had predictive filters in place to block these particular snowshoe attacks since October 2010. The graph below shows how many messages per day have been blocked from this spammer.

As the British Royal wedding gets closer though, we do expect to see it featured in other spam campaigns to attract users’ attention; at the very least in scraped news headlines.

Thank you to Pavlo Prodanchuk for contributed content.

This Time it’s Social Networking over Presidents’ Day

In the United States, Presidents' Day is celebrated on the third Monday of February to honor two of America’s greatest presidents, Abraham Lincoln and George Washington. This year, Presidents' Day will be celebrated on February 21. Recently, Symantec has observed spam attacks leveraging Presidents' Day and has seen attempts to exploit the "groups" function of a social networking site.

The samples shown below are screenshots of one such group from a social networking website. The group is quite obviously trying to exploit the Presidents' Day event:


The group description “MEGA SPAM!... Spam YOUR A TOOL! on your messages” [sic] is an attempt to inspire group members to start flooding spam messages at a specific time ("FEB 15 AT 11 AM”). Inexperienced users may be unaware of the risks involved with joining untrustworthy groups such as this. Please be wary of the types of groups or users that you associate with on social networking sites.

Simultaneously, spammers have yet again begun providing fake offers by promoting products at discounted prices. The sample shown below is the screenshot of a spam Web page targeting Presidents' Day:

Basic tips for avoiding spam messages and online scams:

- Avoid submitting any personal information to unknown websites.
- Do not click on suspicious links in email messages.
- Most social networking websites now allow applications, groups, etc. to be blocked and/or reported. Use these options to deny any other requests from unwanted applications.
- Frequently update your security software, which protects you from potential online scams.

Note: Thanks to Anand Muralidharan for contributing this blog.