Clearly scammers are keeping abreast of the political developments in the Middle East. A number of Nigerian-style scams have emerged referencing the situation in Libya.
As violence escalated in Libya, with demonstrators calling for Col. Moammar Ghadafi to step down after 42 years of rule, countries around the world are taking action to evacuate their citizens. It seems logical that people would like to take their oil money with them, right? Or at least, that is what these criminals appear to be hoping.
Researchers at Symantec identified a number of scam messages purporting to be written by someone connected to Libya’s Grand Senussi royal family, which Ghadafi had overthrown in 1969. In one variation, the writer claims to be Muhammad bin Sayyid al-Mahdi, “a Cousin” to the royal family and nephew to the last king, according to Paul Wood, a Symantec security researcher. The writer claims to deal in “Petroleum products,” to imply ties to the country’s oil wealth, and requests help moving an unspecified amount of money.
In this kind of “419 scam,” scammers demand increasingly inventive upfront fees and charges, and never send any money, Wood said. Past variations have claimed to be from the Philippines, North Korea, and China. “Although these types of mail are generally low volume, they can still cause significant nuisance,” Wood said.
This particular Libyan 419 scam was sent through a large Webmail provider from an IP address in Ghana, according to Wood.
Shortly after Egypt’s long-standing president, Hosni Mubarak, resigned, Symantec saw German-language spam claiming to be from Mubarak’s lawyer, Wood wrote in the MessageLabs Intelligence blog. The message asked victims for help retrieving $2.5 million of the president’s funds, frozen in a Belgian bank account, Wood wrote.
The recent uncertainty about Hosni Mubarak’s whereabouts and health, as well as reports that many jurisdictions are considering seizing his assets, may make this message sound plausible, said Wood.
As for the Egyptian version, the message is poorly constructed, probably because it was machine translated into German, Wood said.
Another group of spammers is using Libya to launch targeted attacks, Wood said. The messages were sent from four different domains, and the recipients were all within six organizations involved in promoting human rights, supporting humanitarian aid, or running think-tanks on foreign affairs and economic development, he said. The messages appear to be part of a conversation about the economic impact of the Libya crisis, with an attached document outlining points for discussion.
The file was actually a malicious RTF document exploiting a known parsing vulnerability that allows attackers to remotely execute code on the compromised machine, Wood said.
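The targeted messages described above rely on a recipient opening an attachment that looks like an ordinary discussion document. The following is an added example (not code from Symantec, MessageLabs, or the article) of the kind of attachment triage a mail gateway or incident responder can run: it parses an e-mail, sniffs each attachment's real format from its leading bytes rather than trusting the filename or declared MIME type, and flags RTF files, especially those carrying embedded OLE objects, for closer inspection. The sample message, its sender and recipient addresses, the filename, and the RTF object payload are all constructed for the example; the control-word list is a heuristic and does not identify any specific vulnerability.

```python
"""Triage e-mail attachments for RTF-based document lures (added example, not the article's code)."""
import email
from email import policy
from email.message import EmailMessage

# Leading-byte signatures for the container formats that matter for document lures.
MAGIC = {
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                          # .docx and other OOXML containers
    b"%PDF-": "pdf",
}

# Extensions a file of each detected format would normally carry.
EXT_FOR_FORMAT = {
    "rtf": {".rtf"},
    "ole2": {".doc", ".xls", ".ppt", ".msg"},
    "zip": {".docx", ".xlsx", ".pptx", ".zip"},
    "pdf": {".pdf"},
}

# RTF control words that embed OLE objects. Plain discussion documents rarely
# need them, so their presence is a useful (heuristic) reason to sandbox the file.
RTF_OBJECT_MARKERS = (b"\\object", b"\\objdata", b"\\objemb", b"\\objupdate")


def sniff_format(data: bytes) -> str:
    """Return the format implied by the file's leading bytes, ignoring leading whitespace."""
    head = data[:16].lstrip()
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def triage_attachment(filename: str, declared_type: str, data: bytes) -> dict:
    """Describe one attachment and list the reasons it deserves a closer look."""
    fmt = sniff_format(data)
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    flags = []
    # A .doc name on RTF bytes (or any other mismatch) is a classic disguise.
    if fmt in EXT_FOR_FORMAT and ext not in EXT_FOR_FORMAT[fmt]:
        flags.append("extension_mismatch")
    if fmt == "rtf":
        flags.append("rtf_attachment")
        if any(marker in data for marker in RTF_OBJECT_MARKERS):
            flags.append("embedded_object")
    return {"filename": filename, "declared_type": declared_type, "detected": fmt, "flags": flags}


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings.append(triage_attachment(part.get_filename() or "", part.get_content_type(), data))
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample: a reply-style lure whose '.doc' attachment is really RTF with an OLE object."""
    msg = EmailMessage()
    msg["From"] = "analyst@sender-domain.invalid"      # constructed address
    msg["To"] = "policy@target-ngo.invalid"            # constructed address
    msg["Subject"] = "RE: Economic impact of the Libya crisis"
    msg.set_content("Attached are the discussion points we talked about.")
    # Constructed RTF body: a harmless stub with an embedded-object skeleton, no real payload.
    rtf = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}"
           b"\\par Discussion points\\par}")
    msg.add_attachment(rtf, maintype="application", subtype="msword",
                       filename="Libya_discussion_points.doc")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print(finding)
```

The check deliberately ignores the declared `Content-Type` and filename when deciding what a file is; both are attacker-controlled, whereas the leading bytes must match what the target application will actually parse. Anything flagged here should be detonated in a sandbox or checked against vendor signatures rather than delivered.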