Nigerian 419 Lotto Scammers use Fake Lottery Website

August 24th, 2007

It began, as so many adventures do, with a chance tip from a concerned netizen. A lady on the Internet had received an email saying she had won the Lottery and had been in communication with the offenders when she decided she didn’t like the way things were going. She emailed us, and things happened.

Many moons ago I wrote a Lottery Results website. The lady emailed us with an alternate address, revealing that the scammers had copied the entire website – including the list of Lottery Scam Emails – in order to give their 419 Email Scams that added air of legitimacy.

The original site is at: www.the-lottery.info

The cloned site is at: uknlotteries.com/nationallottery/

There were several changes, all geared towards getting an unsuspecting user to type in a username and password (supplied in the scammers’ original email) and then enter their legitimate bank account details. No doubt the scammers would plunder the account, leaving the scammee high and dry.

The WHOIS for uknlotteries.com showed it was on a free hosting company, Freehostia, and that the domain was purchased through ns.com / tucows.com on 14th August – just a week before we were told about it. Pinging the domain gave 64.72.119.253 – an IP handled by AlphaRed.com. All of these companies were sent a copy of our 14-Page report.

Next up, we noticed that the ‘Contact Us’ page still contained the IP and Host Name of the person who downloaded the first copy of the site – ironically this was a security thing:

80.178.248.142.satcom-systems.net / 80.178.248.142
Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)

This was an IP address in Israel. A quick search of the server logs showed that users from Satcom Systems had been visiting at least as early as October 2006.
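The Contact Us page only caught the cloner because it happened to record the visitor's User-Agent. The same signal can be pulled out of ordinary web server logs; the following is an added example (not code from the original site), run over a few constructed Apache combined-format lines that reuse the HTTrack User-Agent string quoted above. The non-HTTrack markers in MIRROR_TOOL_MARKERS are an assumption added for generality.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Apache "combined" format (not the real site's logs).
# The first three reuse the HTTrack User-Agent the cloned Contact Us page recorded.
SAMPLE_LOG = """\
80.178.248.142 - - [12/Oct/2006:09:14:02 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
80.178.248.142 - - [12/Oct/2006:09:14:03 +0100] "GET /results.php HTTP/1.1" 200 8801 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
80.178.248.142 - - [12/Oct/2006:09:14:03 +0100] "GET /contact.php HTTP/1.1" 200 2210 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
192.0.2.10 - - [12/Oct/2006:09:15:40 +0100] "GET /results.php HTTP/1.1" 200 8801 "http://www.the-lottery.info/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Lower-cased User-Agent fragments of site-copying tools. HTTrack is the one seen on
# the cloned page; the other entries are an assumption added for generality.
MIRROR_TOOL_MARKERS = ("httrack", "webcopier", "wget", "offline explorer")


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_mirroring_clients(log_text):
    """Map each client IP whose User-Agent names a mirroring tool to the paths it fetched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        if any(marker in ua for marker in MIRROR_TOOL_MARKERS):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_mirroring_clients(SAMPLE_LOG).items():
        print(f"{ip}: mirrored {len(paths)} page(s): {', '.join(paths)}")
```

A burst of requests from one IP with such a User-Agent, covering most of the site in a few seconds, is the pattern to alert on; a reverse lookup on that IP then gives the host name the way the Contact Us page did.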

Examination of the source code revealed other domains in use by the spammers: CTBPLC.co.uk (Not working) and GCBOFLONDON.com (A holding page on a Microsoft Office service). Another free hosting company, Multiververs.com, was used for the latter.

The /secured/ folder did not contain an index file and so we were able to examine the other files in that directory. We found IP activity mini-logs from Web2FTP.com for the following IP addresses:

IP: 82.206.163.11    Time: 15.08.2007|00:44:50    Uploaded 42 files
IP: 213.185.118.207  Time: 16.08.2007|18:57:22    Edited 1 file
IP: 41.220.75.3      Time: 17.08.2007|10:11:12    Edited 1 file
IP: 63.109.248.30    Time: 17.08.2007|13:06:56    Edited 1 file
IP: 213.185.118.227  Time: 21.08.2007|10:42:37    Edited 1 file

Further examination of other known file paths that were cloned revealed that 82.206.163.11 was the IP of the user who had uploaded the files to the fake domain.

IP WHOIS Info for 82.206.163.11? Yep…

inetnum:        82.206.163.0 - 82.206.163.255
netname:        CUST-SUBURBANTELE
descr:          Reassignment to Suburban Telecom
country:        NG
admin-c:        BA771-ripe
tech-c:         BA771-ripe
status:         ASSIGNED PA
remarks:        *************************************************************
remarks:        *                                                           *
remarks:        *   For issues of abuse related to this IP address block,   *
remarks:        *         including spam, please send email to at:          *
remarks:        *                                                           *
remarks:        *               s.ayonote@suburbantelecom.com               *
remarks:        *                                                           *
remarks:        *************************************************************
mnt-by:         AS22351-MNT
mnt-lower:      AS22351-MNT
changed:        TAC.OPS@Intelsat.com 20060623
source:         RIPE
person:       Bruce Ayonote
address:      Plot 1105 Durban Street Wuse II
address:      Abuja, Nigeria
phone:        +234 80 3313 7201
e-mail:       bruceayonote@hotmail.com
nic-hdl:      BA771-ripe
mnt-by:       AS22351-MNT
changed:      tac.ops@intelsat.com 20030611
source:       ripe

A quick IP WHOIS on the other IP addresses confirmed it – a classic Nigerian 419 Scam.

A copy of everything we’d found was sent to all concerned parties and the website was gone 10 hours later, with Freehostia being first to pull the plug. As of right now, we don’t know if the scammers can still access the domain, so it’s possible that the site will reappear on another hosting company. We’ll have to keep an eye out for that one.

Updated 6th June: It appears the scammers have created more than one site – this one actually made it into Google’s listings. I’ve tipped off the hosting company, as before, and we’ll see what happens.

Updated September 12th: Finally got rid of it. The hosting company in this case was a little less willing to help and had to be reminded, and even then asked for proof that it was a cloned and phishing site.

Various Musings

April 20th, 2006

Various bits and bobs – general chunterings while having a break.

Fog on the Road!
A misty morning, guaranteed to get every nonce showing the world how wonderful their fog lights are. Great. I can see your car at least a hundred yards in front of me thanks to its car-shaped-ness, but put your fog lights on anyway – that’ll help!

Bulk Email Sender Hacking
OK so it’s not hacking as such, but I was playing about with a bulk email sender on the Mac and found that it didn’t check for strict HTML. Ordinarily it adds a TABLE to the bottom of all HTML emails containing something about using the unregistered version (cough!), and it does this by inserting a snippet of HTML just before the /BODY tag. If you do this:

    <DIV STYLE="visibility:hidden">
    </BODY>
    </HTML>
    </DIV>

at the end of your HTML email, this little bit of shareware branding gets hidden away.
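The mailer's weakness is that it finds the last </BODY> by string search without checking what is still open at that point. As an added example (not the post's code, and not the mailer's), here is the strict nesting check it lacked, in Python: the hidden-DIV email from the post is compared with a well-formed one, and the footer is only spliced in when it would land directly inside the body. The footer text itself is an assumption; the mailer's real branding snippet is not given on the page.

```python
from html.parser import HTMLParser

# The email body from the post: </BODY> and </HTML> are wrapped in a hidden DIV.
TRICK_EMAIL = """<HTML><BODY><P>Hello</P>
<DIV STYLE="visibility:hidden">
</BODY>
</HTML>
</DIV>"""

# A well-formed email for comparison (constructed).
CLEAN_EMAIL = "<HTML><BODY><P>Hello</P></BODY></HTML>"

# Assumed branding footer; the real snippet is not on the page.
FOOTER = "<TABLE><TR><TD>Sent with the unregistered version</TD></TR></TABLE>"

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class NestingChecker(HTMLParser):
    """Records which elements are still open when </body> is reached."""

    def __init__(self):
        super().__init__()
        self.stack = []                 # currently open (non-void) tags, lower-cased
        self.unclosed_at_body_end = None

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == "body" and "body" in self.stack:
            # Everything opened after <body> and not yet closed would swallow the footer.
            self.unclosed_at_body_end = self.stack[self.stack.index("body") + 1:]
        if tag in self.stack:
            while self.stack.pop() != tag:  # pop back to the matching open tag
                pass


def naive_insert_footer(html):
    """What the mailer does: splice the footer in before the last </BODY>, no checks."""
    idx = html.upper().rfind("</BODY>")
    return html if idx < 0 else html[:idx] + FOOTER + html[idx:]


def unclosed_before_body_end(html):
    """Tags left open when </body> appears; a non-empty list means the footer gets hidden."""
    checker = NestingChecker()
    checker.feed(html)
    checker.close()
    return checker.unclosed_at_body_end or []


def safe_insert_footer(html):
    """Return the email with the footer, or None if the nesting would hide it."""
    return None if unclosed_before_body_end(html) else naive_insert_footer(html)
```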

Dinosaurs!
One of the recurring dreams I have is of being chased around the streets by a Tyrannosaurus Rex. I’ll hide in a room or an alleyway and it’ll appear outside the window or whatever, so I have to scurry off somewhere else. It never catches me, but I wake up rigid with fear. I’m 36 – why is this happening?

AOL Spam-Blocked – hahahah
Sweet, sweet justice. After revealing their Pay-to-Spam-Our-Users scheme recently, it was gratifying to see at least one AOL SMTP server cropping up on the BlockLists. It’s no longer on the SpamCop list which probably means it’s working in the majority of cases again, but it was nice while it lasted.

Googly Adsense
I managed to talk Foo into signing up to Google Adsense via my referral link (the big banner, here) and he’s already raking in the.. uh.. well a few cents here and there anyway. Presumably I get a tiny percentage for referring him as well.

The-Lottery.info
I added a chunk of code to The-Lottery.info last night to allow the owner to enter the prize breakdown for each draw and display it as part of the latest lottery results pages. After pondering it for, ooooh, a whole ten minutes, I eventually came up with a novel way of including default values for the various winning combinations. I thought it was groovy, anyway.

Reformat Time!
Gah! I fired up the old laptop today and after it wheezed to a halt into Windows the wireless internet refused to work no matter what. Since I started working in Scunthorpe the laptop has been a dumping ground for all kinds of software (including bulk email stuff, actually) and is generally a mess – time to scrub it up!

Barry McGuigan in Cleethorpes
Barry McGuigan is in Cleethorpes on Monday 24th April at Joe Frater’s boxing night – more details here. I’ll be in attendance as usual. Amir Khan is due at the Christmas show – that should be a good one.

Site redesign
I know I mentioned the DHTML Window Thing (see right) a while ago and how I was going to implement it, but I’ve been thinking of cutting right back on the graphics and going back to plain text instead. The main reasons for this are compatibility and search engine optimisation – all those tables and shit just get in the way really.