A Study in 419 Facilitation
The Enemy in the Ranks
Key to understanding and analysing the role of the faker maker in 419 fraud is a general knowledge of how a typical 419 Advance Fee Fraud syndicate operates. We illustrate this in Figure 1.
In Figure 1, the positions shown are role accounts. A single party may fulfil more than one role.
A syndicate will typically consist of a ringleader, the Oga. The Oga will have lieutenants, the confidence tricksters or conmen, called Guymen. Traditionally, scams were spammed out via minions, called Bombers. These target the consumer victim, the Maga (meaning fool). The relationships are extremely informal and normally based on regional ties or extended family ties.
The Oga has access to bank accounts used for money laundering when consumers are scammed, an extended network of other Ogas through which the scam is adapted to deceive more efficiently and ensure the syndicate's success, and scam templates, essentially role-play scripts that set up the scam. Websites are set up accordingly.
The Guyman is somebody with the ability to interact with targets and successfully manipulate them, influencing them and putting pressure on them to make bad decisions. A Guyman may work with more than one Oga. An Oga may have more than one Guyman working with him.
The Bomber is typically any party willing to try his hand at scamming. Reply-to email addresses will typically be under the control of the Guyman. This activity is seen much like a game in which a successful response and scam will entitle the Bomber to a small portion of the proceeds. In the last few years this role has largely been replaced by offshore spam emailing services or compromised email services.
Assisting this operation with technical expertise is a Faker Maker. The Faker Maker may or may not participate in the actual scams. Likewise he may be running his own scams while simultaneously delivering technical services to multiple Ogas.
It is this last party, the Faker Maker, which we will be looking at as the party that appears most prominently in internet related identifiers used to track 419 syndicates.
The role of the Faker Maker in 419 frauds is not generally known. Yet he is key to the long-term success of a scam. This term, although its origins have been lost, is used to describe somebody knowingly facilitating 419 frauds from a technical perspective for personal gain in exchange for the risk of doing so. He is a technical specialist service provider to parties involved in 419 fraud, knowingly and willingly facilitating them. It's not uncommon to find smaller online companies such as web designers and/or hosting providers in this role. Typically these parties will have access to domain reseller facilities.
The services of such a party will typically include:
In this process it's not uncommon to find both domain reseller and web hosting reseller accounts being abused. This party's long-term success depends on his ability to develop defensive techniques that prevent detection and allow the scam to withstand challenges such as take-down notices and suspensions. For these reasons multiple accounts will be used. Various devious techniques are abused to prolong the lifetime of the scam.
Such a party would be well versed in stealing online content and adapting it for abusive usage. It's not uncommon for even experts to mistake a fake bank used in 419 frauds for phishing, because tools such as HTTrack Website Copier are used to clone the real site. However, typically the faker maker would attach a bespoke fake banking system in place of the real bank's. The website stolen may equally be a courier website with a similar bespoke tracking system bolted onto the stolen and adapted content, or any other type of website needed, such as a lawyer's or any corporate website. Where we find bespoke back-end banking and courier portals in use, these can be identifying in terms of the faker maker. Typically such fake banks and couriers will also have an admin login page. Re-use of the same bespoke designs should be considered a red flag.
Equally, the content may be bespoke, reflecting a totally non-existent entity used to deceive consumers. This decision is typically that of the scamming client, the Oga. Stolen content abusing goodwill attributable to the real company may meet with challenges from the real content owners, whereas bespoke content may not be as appealing to the scammers as it reflects an unknown name. It's not strange to see UDRPs succeeding against a faker maker's 419-domains, yet the UDRP describes a phishing incident. Nor is it strange to see that, no sooner has such a UDRP succeeded, than a new spoof is set up to continue the scam spoofing the same brand.
For these reasons the faker maker may choose to hide online content with bogus "Under Construction" pages, fake open indexes or even fake "Suspended" pages, while the real content may reside in a sub-directory on the hosting account. Equally the content may be hidden on a sub-domain, or perhaps even a combination of these techniques to make detection difficult. It's in these methods the faker maker advises and assists his clients in the initial planning stage. Yet these very hiding techniques may also be a marker for orchestrated facilitation. Examples would include the same unique sub-domains used, or unique sub-directories used.
Various hosting accounts are also used to move websites after an abuse notice, while the upstream network owner/hosting provider believes his legitimate client has addressed the issue. As such the scam is prolonged. Once the scam runs out of hosting accounts or the domain is suspended, the same website may re-appear on another domain name, sometimes slightly altered, and continues. Yet many times the same victim databases and other remnants such as email addresses are left as is.
Some of these parties may set up separate domain names for email and for web content. If the content domain is disrupted, the fraudsters are able to maintain email communications. Other scams are purely email driven with no associated web content. This last case is often also abused while impersonating the authorities. It's knowledge of all these techniques, and of how best to manipulate and abuse them to perpetuate 419 fraud, that makes a faker maker successful.
An in-depth analysis of a scam website may find traces left by this party during his website creation/alteration process. One example would be FrontPage extension files, typically the /_vti_cnf/ files. From Microsoft's website, we find this description:
_vti_cnf: For each HTML page and graphics file in a FrontPage web there is a configuration file of the same name. Each configuration page contains a set of name value pairs, identifying such things as the last author to edit a page or the program associated with a file.
This typically allows us to establish a relationship between seemingly unrelated websites and domains, as it reveals a PC system and an author. Example:
vti_encoding:SR|utf8-nl
vti_timelastmodified:TR|18 Oct 2017 08:36:42 -0000
vti_extenderversion:SR|18.104.22.16816
vti_author:SR|DESKTOP-TFO6J8R\\Trisotopia
vti_modifiedby:SR|DESKTOP-TFO6J8R\\Trisotopia
vti_timecreated:TR|16 Oct 2017 09:14:35 -0000
In this we see that a PC named DESKTOP-TFO6J8R was used by user Trisotopia. We can even see the date the file was first created with FrontPage and when it was last modified. If the system used for the last modification differed from the one used for creation, this would be apparent. As such we have an audit trail. It's not uncommon to find hosting providers and domain resellers exposed using this technique. More than one problematic provider has been identified this way.
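As an added illustration, not part of the original article, the following Python script parses _vti_cnf name/value records from several sites, splits the PC\user author fields, flags files last edited on a different PC from the one that created them, and groups sites that share a creator or last editor. The sample records, site names, host names and user names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample _vti_cnf contents for three hypothetical sites; the line format
# copies what FrontPage writes, but hosts, users, timestamps and site names are made up.
SAMPLE_VTI_CNF = {
    "bank-a.example/_vti_cnf/index.html": r"""vti_timelastmodified:TR|18 Oct 2017 08:36:42 -0000
vti_author:SR|DESKTOP-AAAA111\alice
vti_modifiedby:SR|DESKTOP-AAAA111\alice
vti_timecreated:TR|16 Oct 2017 09:14:35 -0000""",
    "courier-b.example/_vti_cnf/track.php": r"""vti_timelastmodified:TR|20 Oct 2017 11:02:00 -0000
vti_author:SR|DESKTOP-AAAA111\alice
vti_modifiedby:SR|DESKTOP-AAAA111\alice
vti_timecreated:TR|19 Oct 2017 10:00:00 -0000""",
    "bank-c.example/_vti_cnf/login.php": r"""vti_timelastmodified:TR|25 Sep 2017 18:58:12 -0000
vti_author:SR|DESKTOP-BBBB222\bob
vti_modifiedby:SR|DESKTOP-AAAA111\alice
vti_timecreated:TR|16 Aug 2012 11:47:03 -0000""",
}
VTI_LINE = re.compile(r"^(vti_\w+):([A-Z]{2})\|(.*)$")  # name:TYPE|value

def parse_vti_cnf(text):
    """Return {name: value} for one _vti_cnf file; the SR/TR/TW/VX type tag is dropped."""
    record = {}
    for line in text.splitlines():
        m = VTI_LINE.match(line.strip())
        if m:
            record[m.group(1)] = m.group(3)
    return record

def fingerprint(record):
    """Audit trail of one file: (PC name, user) of creator and last editor, plus timing."""
    c_host, _, c_user = record.get("vti_author", "").partition("\\")
    m_host, _, m_user = record.get("vti_modifiedby", record.get("vti_author", "")).partition("\\")
    created, modified = (datetime.strptime(record[k], "%d %b %Y %H:%M:%S %z")
                         for k in ("vti_timecreated", "vti_timelastmodified"))
    return {"creator": (c_host, c_user), "editor": (m_host, m_user),
            "age_days": (modified - created).days,
            "moved_systems": c_host != m_host}  # edited on a different PC than it was created on

def cluster_by_operator(files):
    """Group sites that share a (PC name, user) pair as creator or last editor."""
    groups = defaultdict(set)
    for path, text in files.items():
        fp = fingerprint(parse_vti_cnf(text))
        site = path.split("/", 1)[0]
        for who in (fp["creator"], fp["editor"]):
            groups[who].add(site)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

In the sample, bank-c was created by a different user on a different PC but last edited from the same PC as the other two sites, which is what ties all three together.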
Also, a detailed domain registration analysis of continuing problematic domains used for advance fee fraud, combined with the IP addresses used and DNS SOA RNAME values, may yield valuable clues. While an RNAME may simply be a hosting provider's own contact, it may also indicate something untoward. Proper evaluation is required to establish which.
An example of a faker maker would be somebody at VBHOSTNET (ViewBound HOSTing NETwork) in Nigeria. After abuse reports to the hosting provider, websites followed a pattern of disappearing, only to appear elsewhere later. A detailed analysis showed the DNS SOA RNAME sgmehis.gmail.com to be common to them. This is also the RNAME value for VBHOSTNET.COM. A Danske Bank spoof was found at http://danskebonline.com/ac/ with the same sgmehis.gmail.com RNAME: https://db.aa419.org/fakebanksview.php?key=125476
The domain registration details say:
Domain Name: DANSKEBONLINE.COM
Registry Domain ID: 2119733593_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2017-05-02T17:44:38Z
Creation Date: 2017-05-02T17:44:37Z
. . .
Registrant Name: Stephen B. Pier
Registrant Organization:
Registrant Street: 2867 Black Stallion Road
Registrant City: Cincinnati
Registrant State/Province:
Registrant Postal Code: 45214
Registrant Country: US
Registrant Phone: +1.8594954405
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: firstname.lastname@example.org
More telling were the /_vti_cnf/ files, as described previously, which were found to contain:
vti_timelastmodified:TR|25 Sep 2014 18:58:12 -0000
vti_extenderversion:SR|22.214.171.12418
vti_author:SR|EmmanuelOkaiwel\\Emmanuel Okaiwele
vti_modifiedby:SR|EmmanuelOkaiwel\\Emmanuel Okaiwele
vti_timecreated:TR|16 Aug 2012 11:47:03 -0000
vti_title:SR|Login to your online account
vti_backlinkinfo:VX|process.php customer_login.php open_account.php register.html account/index.php
vti_nexttolasttimemodified:TW|25 Sep 2014 18:58:12 -0000
Ironically the author is easily identifiable online.
Another indication of this facilitation can be seen by considering a Standard Chartered Bank spoof from 2015:
stancharteredb.com - https://db.aa419.org/fakebanksview.php?key=104914
Domain Name: STANCHARTEREDB.COM
Registry Domain ID: 1955661179_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2015-08-27T14:43:06Z
Creation Date: 2015-08-27T14:43:07Z
Registrar Registration Expiration Date: 2016-08-27T14:43:07Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Master Love
Registrant Organization: Master Love
Registrant Street: Opal Drive Fox Milne
Registrant City: Keynes
Registrant State/Province: London
Registrant Postal Code: 44
Registrant Country: NG
Registrant Phone: +44.867997866
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@example.com
Two years later this exact same domain was re-registered and launched with the exact same spoofing content, hidden at http://www.stancharteredb.com/home/, but with new tricks deployed in an attempt to avoid detection and accountability: https://db.aa419.org/fakebanksview.php?key=128571
Domain Name: STANCHARTEREDB.COM
Registry Domain ID: 2159600204_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2017-09-05T05:37:35Z
Creation Date: 2017-09-04T12:49:17Z
Registrar Registration Expiration Date: 2018-09-04T12:49:17Z
Registrar: Internet Domain Service BS Corp.
Registrar IANA ID: 2487
Registrar Abuse Contact Email: firstname.lastname@example.org
Registrar Abuse Contact Phone: +1.5167401179
Reseller:
Domain Status: clientTransferProhibited - http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Brenda H. Anderson
Registrant Organization:
Registrant Street: Bonte Specht 141
Registrant City: Zeewolde
Registrant State/Province:
Registrant Postal Code: 3893 JD
Registrant Country: NL
Registrant Phone: +31.620878516
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@example.com
Not surprisingly, the RNAME from the DNS SOA is sgmehis.gmail.com once again. This shows that even scammers find equity in past works and scam templates, even if they are stolen.
Further, a check on the underlying DNS servers with the Linux utility dig shows:
$ dig -t ns STANCHARTEREDB.COM

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> -t ns STANCHARTEREDB.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65099
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;STANCHARTEREDB.COM.            IN      NS

;; ANSWER SECTION:
STANCHARTEREDB.COM.     21599   IN      NS      ns2.vbhostnet.COM.
STANCHARTEREDB.COM.     21599   IN      NS      ns1.vbhostnet.COM.

;; Query time: 465 msec
;; SERVER: 10.0.0.240#53(10.0.0.240)
;; WHEN: Wed Dec 06 01:13:08 SAST 2017
;; MSG SIZE  rcvd: 93
The email address provider @rhyta.com is an open-to-anybody, disposable email address service at FakemailGenerator, which also serves email addresses ending in @armyspy.com, @cuvox.de, @dayrep.com, @einrot.com, @fleckens.hu, @gustr.com, @jourrapide.com, @superrito.com and @teleworm.us.
Looking at the email address firstname.lastname@example.org used for registering the Danske Bank spoof, we find another identity with another postal address using the same email address:
Domain Name: DANSKEBONLINE.COM
. . .
Updated Date: 2017-05-02T17:44:38Z
Creation Date: 2017-05-02T17:44:37Z
. . .
Registrant Name: Stephen B. Pier
Registrant Organization:
Registrant Street: 2867 Black Stallion Road
Registrant City: Cincinnati
Registrant State/Province:
Registrant Postal Code: 45214
Registrant Country: US
Registrant Phone: +1.8594954405
Registrant Email: email@example.com
Domain Name: INTLMONETARYFUND.COM
. . .
Updated Date: 2017-04-13T16:25:05Z
Creation Date: 2017-04-13T16:25:05Z
. . .
Registrant Name: Kyle N. Deleon
Registrant Organization:
Registrant Street: 502 Fleming Way
Registrant City: Richmond
Registrant State/Province:
Registrant Postal Code: 23219
Registrant Country: US
Registrant Phone: +1.8047830943
Registrant Email: firstname.lastname@example.org
We see the registrant name, address and telephone number changing while the email address stays the same.
This domain is being abused to spoof the IMF: https://db.aa419.org/fakebanksview.php?key=125811
Now that we start to understand what's happening here, we should not be surprised to see even a UNICEF spoof, unicef-online.com: https://db.aa419.org/fakebanksview.php?key=125507. In fact we find 26 domains with ever-changing registration details linked to the email firstname.lastname@example.org, as can be seen at Whoxy: https://www.whoxy.com/email/78624763 - and this is just one such email!
Essentially we are seeing the "fruits of the poisoned tree" in the domain reseller and hosting space here. Yet it's to these very parties that abuse reporters are expected to submit abuse reports for 419 issues.
Faker Makers are extremely active in the West African fraud facilitation space. They can be identified once the researcher knows what to look for. However, data has to be continuously analysed at various levels to properly identify the extent of the abuse and to ring-fence the "nest". These nests can easily exceed 100 active domains at any one time, with over 300 having been found. Terminating a single domain or hosting account has no disruption or protection value. One such party, Bola, has been recorded with over 1600 domains so far. He uses many identities and has been facilitating for years.
Once the role of the Faker Maker is understood, it's also easy to understand why these parties enter the phishing, malware and other cyber-abuse arenas. As it is, it's not uncommon to see that once a scam has been totally disrupted, these activities take place on the same supposedly suspended accounts. Credential stealing, spoofing email providers like Hotmail/Gmail/Yahoo, is extremely popular, as is spoofing online facilities such as Dropbox. Later we see these parties spoofing legitimate companies in what may be B.E.C. attacks with bespoke typo-domains. As such it's the author's contention that the consumer is the training ground for later B.E.C. attacks on commerce.
More can and should be done to disrupt these parties, and it is possible. After all, the Faker Maker is key to understanding who the ringleaders, the Ogas, are; they are his clients. Numerous of these parties have been arrested, but the more successful have gone on to become wealthy, one even being a well-recognised millionaire businessman.