Currently, in Sweden, we're facing a big issue with scammers trying to buy items for sale on various auction websites, but when you initiate contact with the potential buyer things get nasty and you might lose money. This is nothing new, and most of the auction websites have written about this to inform their users, but they do not explain in detail how these scams actually work – their FAQs only advise people to be careful. So I know that there are a lot of questions unanswered for worried users.
Since one of these scammers tried to scam my wife, I decided to follow their scam and document the entire process, so that I could inform not only law enforcement but also our readers on how these scams actually work. When you know how the scam works, it will be much easier to spot them and avoid being scammed.
So, let me give you the background.
Our daughter got a new bike, so we decided to sell the old one on Blocket, the biggest website for personal ads (buying/selling) in Sweden.
After a few days my wife received an SMS (which unfortunately has been deleted). The SMS came from a Polish number, and the person wrote in very good English. They said that they were interested in the bike, but wanted to have more information, and gave my wife an email address. I told her NOT to reply via SMS but to email the person, because sometimes the bad guys send SMS from premium numbers, which means that when you reply to the SMS it will cost you much more than a normal SMS.
I told my wife to be very brief in her answers, which you can see in her initial email response below:
As you can see, the person starts to ask valid questions about the bike, which means that it's not a bot, it's actually someone who manually responded to this ad. I have no idea how they select their victims, but it is obviously a manual process.
We decided to take this even further, to see the next step in the scam, so we replied with the information about the bike – there was also still be a chance that the person was not a scammer and really wanted the bike.
It was after this email that everything started to get nasty. They accepted our offer, but what was so strange was that the person confirmed their Polish identity. Even if you look up the person on social media their identity seems to be Polish. So we decided to continue.
The person asked for our name, PayPal details and the total price, which we obviously sent them. They also said that they were going to cover the shipping cost for the bike, and had already involved a shipping company.
We shared our information, and waited for them to reply. They were VERY fast in replying to all the emails; it almost seemed as though there were a lot of people with access to the same mail account, but we weren't able to confirm this. In the email they sent just before the money transfer they also included an address in Poland. This address hasn't been confirmed, but we are trying to find out who lives at that address which can be found in the screenshot below. Within minutes they just stated that they had completed the transfer, which you can see in the second screenshot.
I did get two emails from something that looked like PayPal, but when you look more closely you can see that the email is not coming from PayPal at all. This is a very clever, but common, trick that is also used in phishing attacks. When you look at the email you can see that it's actually being sent from firstname.lastname@example.org which is hosted on Google Mail. What is so interesting with this email is that it's most likely created manually too, because it contains details such as the price we asked for the bike.
At this point no money had been transferred to my PayPal account - the emails were just fake. The fraudsters next tried to get me to transfer the shipping cost, in this case 1700 SEK (about $200 USD), from our account to the company "P.S.S Logistics". The process they outlined for transferring the money was to visit a Western Union office, and transfer it to this shipping company; but when you look more closely at the emails they sent, they wanted us to transfer it to a private person. There is a company called "P.S.S Logistics", but its registered in South Africa, the fraudsters started to use this name, but when you transfer the money it goes to an individual named "Bamise Seon" in Nigeria.
At this point I wondered if the scammers were working with hacked accounts, because all of the individuals exist on various social media networks. For example, the person who keeps email using the Polish name "Pawel Dylewski" can be found on Google Plus. And the individual in Nigeria can be found on Facebook. If you look closely on the screen captures I took from Facebook, you can see that there are two identities, one female and one male, and they are both connected to each other by the same name. In the screenshot below you can see that it's written: "Send HER a friend request", which indicates that this profile belongs to a female. You can also see that she has one friend, a person with the same name, but with a profile picture of a man and more information.
I am currently working with PayPal, Western Union, Google and law enforcement, to share the intelligence I have collected, but I also want to share this story. We need to inform everyone who is actively selling/buying things online to keep a close eye on the details. If the deal sounds too good to be true, in most cases it is.The scheme in bullet points:
- You receive an SMS from a potential buyer containing an email for further contact?
- In some cases the SMS is sent from a premium number, so when you reply you will be charged for the premium service.
- Once the email conversation starts, the buyer wants to pay with an online payment service - for example, PayPal - offering full payment, including shipping.
- They send FAKE emails pretending to come from PayPal, stating that their money has been transferred to your account. But the money won't be transferred to your account until you have completed the deal.
- The deal can only be completed if you transfer money for the shipping costs to a shipping company - for example, via Western Union.
- The shipping company does not exist, it's actually the personal account of the scammer; which means that they want you to transfer a sum from your own pocket in the hope that they will pay the full amount (including the amount for your item) into your PayPal account.
- Please do not use SMS to communicate, because fraudsters might use premium numbers to charge you a lot of money.
- Please double-check any email address: for example, in this case it did not come from "paypal.com", but "e-pay-team.com".
- Never transfer any money to anyone; and always make sure you have received payment BEFORE you ship the item you are selling.
- Never pay with a credit card unless you are 100% sure that the website is legitimate; try to use secure payment methods such as PayPal.
PS: We sold the bike today. To a REAL person
In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild.
Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. Victims include:
- Government organizations
- Military contractors
- Humanitarian aid organizations
- Private companies
- Journalists and media organizations
The Farm includes several Trojans, which we have grouped into six major families:
Here's a brief description of the animals in the farm:
- Bunny - an old "validator"-style Trojan used with a PDF zero-day attack in 2011.
- Dino - a full-featured espionage platform.
- Babar - the most sophisticated espionage platform from the Animal Farm group.
- NBot - malware used in a botnet-style operation by the group. It has DDoS capabilities.
- Tafacalou - a validator-style Trojan used by the attackers in recent years. Confirmed victims get upgraded to Dino or Babar.
- Casper – the most recent "validator"-style implant from the Animal Farm group.
The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.
Over the years we have tracked multiple campaigns by the Animal Farm group. These can be identified by a specific code found either in the malware configuration or extracted from the C&C logs.
Most recently, the group deployed the Casper Trojan via a watering-hole attack in Syria. A full description of this zero-day attack can be found in this blog post by Kaspersky Lab's Vyacheslav Zakorzhevsky.
In addition to these, the Animal Farm attackers used at least one unknown, mysterious malware during an operation targeting computer users in Burkina Faso.KSN & Sinkholing statistics
During the investigation we sinkholed a large number of C&C servers used by the Animal Farm group. This allowed us to compile a comprehensive picture of both targets and victims.
The malware known as Tafacalou (aka "TFC", "Transporter") is perhaps of greatest interest here, because it acts as an entry point for the more sophisticated spy platforms Babar and Dino. Based on the Tafacalou infection logs, we observed that most of the victims are in the following countries: Syria, Iran, Malaysia, USA, China, Turkey, Netherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand, Ukraine.
"Tafacalou" is the attacker's internal name for one of the validator (1st stage) Trojans. We tried various spellings of this word to see if it means anything in a specific language, and the most interesting option is one with its origins in the Occitan language: "Ta Fa Calou."
The expression "Fa Calou" is the French interpretation of the Occitane "Fa Calor" which means "it's getting hot" (see http://ejournaux.blogspot.com/2008/07/la-langue-occitane-et-ses-quelques.html). 'Ta Fa Calou" could therefore be taken to mean "so it's getting hot" based on the Occitan language.
According to Wikipedia: 'Occitan is a Romance language spoken in southern France, Italy's Occitan Valleys, Monaco, and Spain's Val d'Aran; collectively, these regions are sometimes referred to unofficially as "Occitania".
Note: A detailed technical report on Animal Farm is available to customers of Kaspersky Intelligent Services. For more information, contact email@example.com