Nigerian 419 Lotto Scammers use Fake Lottery Website

13:43.19 - Friday 24th August 2007


It began, as so many adventures do, with a chance tip from a concerned netizen. A lady on the Internet had received an email saying she had won the Lottery and had been in communication with the offenders when she decided she didn't like the way things were going. She emailed us, and things happened.

Many moons ago I wrote a Lottery Results website. The lady emailed us with an alternate address, revealing that the scammers had copied the entire website - including the list of Lottery Scam Emails - in order to give their 419 Email Scams that added air of legitimacy.

The original site is at: www.the-lottery.info

The cloned site is at: uknlotteries.com/nationallottery/

There were several changes, all geared towards getting an unsuspecting user to type in a username and password (supplied in the scammers' original email) and then enter their legitimate bank account details. No doubt the scammers would plunder the account, leaving the scammee high and dry.

The WHOIS for uknlotteries.com showed it was on a free hosting company, Freehostia, and that the domain was purchased through ns.com / tucows.com on 14th August - just a week before we were told about it. Pinging the domain gave 64.72.119.253 - an IP handled by AlphaRed.com. All of these companies were sent a copy of our 14-page report.

Next up, we noticed that the 'Contact Us' page still contained the IP address, host name and user agent of the person who downloaded the first copy of the site - ironically, the original page recorded these as a security measure, and the clone preserved the record:

80.178.248.142.satcom-systems.net / 80.178.248.142
Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)


This was an IP address in Israel. A quick search of the server logs showed that users from Satcom Systems had been visiting at least as early as October 2006.
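The server-log check described above can be automated. The following is an added example, not code from the original post: it parses web server lines in the Apache "combined" format and flags clients whose user agent belongs to a whole-site copier such as HTTrack, grouping hits by IP so that a site owner can see who mirrored the site, when they started and which pages they took. The log lines are constructed for the example; the HTTrack user-agent string and the 80.178.248.142 address are the ones the post reports, the timestamps and other addresses are made up.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-agent fragments of well-known site-mirroring tools. HTTrack is the one
# found in the post; the others are common offline-copy tools.
MIRROR_UA_MARKERS = ("httrack", "wget", "webcopier", "teleport", "offline explorer")

# Constructed sample log (not real server data). The first, second and fourth
# lines mimic the HTTrack visits the post describes; the others are ordinary traffic.
SAMPLE_LOG = [
    '80.178.248.142 - - [11/Oct/2006:09:14:02 +0100] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"',
    '80.178.248.142 - - [11/Oct/2006:09:14:03 +0100] "GET /results.html HTTP/1.1" 200 8821 '
    '"http://www.the-lottery.info/" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"',
    '192.0.2.10 - - [11/Oct/2006:09:15:40 +0100] "GET /results.html HTTP/1.1" 200 8821 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"',
    '80.178.248.142 - - [11/Oct/2006:09:13:58 +0100] "GET /contact.html HTTP/1.1" 200 2210 '
    '"http://www.the-lottery.info/" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"',
    '198.51.100.7 - - [12/Oct/2006:02:00:11 +0100] "GET /robots.txt HTTP/1.1" 200 61 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1)"',
]


def parse_combined_log_line(line):
    """Return a dict of the combined-log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_mirroring_agent(ua):
    """True if the user agent names a known whole-site copier."""
    ua_l = ua.lower()
    return any(marker in ua_l for marker in MIRROR_UA_MARKERS)


def find_mirroring_clients(lines):
    """Group hits from site-copying tools by client IP.

    Returns ip -> {"ua": str, "first_seen": datetime, "hits": int, "paths": set}.
    Unparseable lines are skipped rather than raising.
    """
    clients = {}
    for line in lines:
        rec = parse_combined_log_line(line)
        if rec is None or not is_mirroring_agent(rec["ua"]):
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        entry = clients.setdefault(
            rec["ip"], {"ua": rec["ua"], "first_seen": rec["ts"], "hits": 0, "paths": set()}
        )
        entry["hits"] += 1
        entry["paths"].add(path)
        # Logs are not always in time order, so keep the earliest timestamp seen.
        if rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return clients


if __name__ == "__main__":
    for ip, info in find_mirroring_clients(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} hits from {info['first_seen']:%Y-%m-%d %H:%M:%S}, "
              f"UA={info['ua']!r}, paths={sorted(info['paths'])}")
```

Matching on user agent only catches tools that announce themselves, as HTTrack did here; a copier with a spoofed agent would need volume- or pattern-based checks (many distinct pages from one IP in a short window) on top of this.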

Examination of the source code revealed other domains in use by the spammers: CTBPLC.co.uk (Not working) and GCBOFLONDON.com (A holding page on a Microsoft Office service). Another free hosting company, Multiververs.com, was used for the latter.

The /secured/ folder did not contain an index file and so we were able to examine the other files in that directory. We found IP activity mini-logs from Web2FTP.com for the following IP addresses:

IP: 82.206.163.11	Time: 15.08.2007|00:44:50	Uploaded 42 files
IP: 213.185.118.207	Time: 16.08.2007|18:57:22 	Editted 1 file
IP: 41.220.75.3		Time: 17.08.2007|10:11:12 	Editted 1 file
IP: 63.109.248.30	Time: 17.08.2007|13:06:56	Editted 1 file
IP: 213.185.118.227	Time: 21.08.2007|10:42:37 	Editted 1 file

Further examination of other known file paths that were cloned revealed that 82.206.163.11 was the IP of the user who had uploaded the files to the fake domain.
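The Web2FTP mini-log lines above are simple enough to parse, and sorting them into a timeline is how one separates the account that did the bulk upload from the ones that only came back to edit. The following is an added example, not code from the original post: it parses the five entries exactly as they appear on this page (including the log's own "Editted" spelling), builds a time-ordered record list, totals the uploaded file counts per IP and lists the IPs that edited after the first upload. The regular expression is an assumption about the format based only on these five lines.

```python
import re
from datetime import datetime

# One Web2FTP mini-log line: "IP: a.b.c.d <ws> Time: dd.mm.yyyy|HH:MM:SS <ws> <Verb> <n> file(s)"
MINI_LOG_RE = re.compile(
    r'^IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+'
    r'Time:\s*(?P<ts>\d{2}\.\d{2}\.\d{4}\|\d{2}:\d{2}:\d{2})\s+'
    r'(?P<verb>[A-Za-z]+)\s+(?P<count>\d+)\s+files?\s*$'
)

# The five entries as they appear in the post (tabs and the "Editted" spelling kept).
MINI_LOG = [
    "IP: 82.206.163.11\tTime: 15.08.2007|00:44:50\tUploaded 42 files",
    "IP: 213.185.118.207\tTime: 16.08.2007|18:57:22 \tEditted 1 file",
    "IP: 41.220.75.3\t\tTime: 17.08.2007|10:11:12 \tEditted 1 file",
    "IP: 63.109.248.30\tTime: 17.08.2007|13:06:56\tEditted 1 file",
    "IP: 213.185.118.227\tTime: 21.08.2007|10:42:37 \tEditted 1 file",
]


def parse_mini_log(lines):
    """Parse mini-log lines into dicts sorted by time; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = MINI_LOG_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d.%m.%Y|%H:%M:%S"),
            "verb": m["verb"].lower(),   # "uploaded", "editted", ... as written in the log
            "count": int(m["count"]),
        })
    records.sort(key=lambda r: r["time"])
    return records


def bulk_uploaders(records):
    """Total number of files uploaded per IP (only 'uploaded' actions count)."""
    totals = {}
    for r in records:
        if r["verb"] == "uploaded":
            totals[r["ip"]] = totals.get(r["ip"], 0) + r["count"]
    return totals


def editors_after_upload(records):
    """IPs, in time order, that performed non-upload actions after the first upload."""
    first_upload = next((r["time"] for r in records if r["verb"] == "uploaded"), None)
    if first_upload is None:
        return []
    return [r["ip"] for r in records if r["time"] > first_upload and r["verb"] != "uploaded"]


if __name__ == "__main__":
    recs = parse_mini_log(MINI_LOG)
    for r in recs:
        print(f"{r['time']:%Y-%m-%d %H:%M:%S}  {r['ip']:<16} {r['verb']} {r['count']}")
    print("bulk uploaders:", bulk_uploaders(recs))
    print("later editors:", editors_after_upload(recs))
```

The same two summaries (who uploaded the bulk, who touched it afterwards) are what an abuse desk needs from a report, so they are worth computing rather than eyeballing once a log runs to more than a handful of lines.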

IP WHOIS Info for 82.206.163.11? Yep...
inetnum:        82.206.163.0 - 82.206.163.255
netname:        CUST-SUBURBANTELE
descr:          Reassignment to Suburban Telecom
country:        NG
admin-c:        BA771-ripe
tech-c:         BA771-ripe
status:         ASSIGNED PA
remarks:        *************************************************************
remarks:        *                                                           *
remarks:        *   For issues of abuse related to this IP address block,   *
remarks:        *         including spam, please send email to at:          *
remarks:        *                                                           *
remarks:        *               s.ayonote@suburbantelecom.com               *
remarks:        *                                                           *
remarks:        *************************************************************
mnt-by:         AS22351-MNT
mnt-lower:      AS22351-MNT
changed:        TAC.OPS@Intelsat.com 20060623
source:         RIPE

person:         Bruce Ayonote
address:        Plot 1105 Durban Street Wuse II
address:        Abuja, Nigeria
phone:          +234 80 3313 7201
e-mail:         bruceayonote@hotmail.com
nic-hdl:        BA771-ripe
mnt-by:         AS22351-MNT
changed:        tac.ops@intelsat.com 20030611
source:         ripe

A quick IP WHOIS on the other IP addresses confirmed it - a classic Nigerian 419 Scam.

A copy of everything we'd found was sent to all concerned parties and the website was gone 10 hours later, with Freehostia being first to pull the plug. As of right now, we don't know if the scammers can still access the domain, so it's possible that the site will reappear on another hosting company. We'll have to keep an eye out for that one.

Another Fake Lottery Site

Updated 6th June: It appears the scammers have created more than one site - this one actually made it into Google's listings. I've tipped off the hosting company, as before, and we'll see what happens.

Updated September 12th: Finally got rid of it. The hosting company in this case was a little less willing to help and had to be reminded, and even then asked for proof that it was a cloned and phishing site.
