Nigerian image spam

Here at SophosLabs we see our fair share of Nigerian/419 fraud campaigns. 419 frauds tend to ask the victim to transfer money, in advance, in return for a large sum of money. Today we received one that is a little different, because the scam text is embedded in an image. Image spam is something we’ve seen in the past, but it is more commonly used in stock pump-and-dump and pharmacy med campaigns. Some of these images even employ obfuscation techniques to avoid detection. However, most if not all 419 campaigns are text-based.

Money mule campaign using an image

In this case, the email purports to be from an owner of a growing Ukrainian software business whose company needs help with the processing of wire transfers. Like other 419 frauds, this one also asks for a lot of personal information. It is rather curious that the spammers inquire about the present occupation of their “potential partner”. The enticing part of the whole deal is the ability to earn 8% from every transfer.

Aside from the use of an image, another interesting part is the use of random colors each time the spam gets sent. Here is another version of the same email with different colors: (In this case, a red title bar replaced the purple title bar from the example above and clashed with the title text color. A blue side border is used instead of black.)

Money mule campaign using an image, with a different wrapper color

The random characters to the left and right of the title are a telltale sign of a scam. Another indication is the From: address, which happens to be from the same domain as the recipient's email address. One would expect a legitimate email of this nature to come from a more plausible-sounding domain.
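The two machine-checkable traits described above (a body that is essentially just an image, and a From: domain equal to the recipient's domain) can be combined into a simple mail-filter heuristic. This is an added example, not SophosLabs code; the function names, the 40-character text threshold and the sample message are assumptions made for illustration. A same-domain sender is normal for internal mail, so only the combination of both traits is flagged.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample: image-only body, From: domain equal to the recipient's.
SAMPLE = """\
From: "Director" <director@example.org>
To: victim@example.org
Subject: partnership
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:offer"></body></html>
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <offer>

R0lGODlhAQABAAAAACw=
--b1--
"""

def _domains(msg, *headers):
    """Lower-cased domains of every address found in the given headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return {a.rsplit("@", 1)[1].lower() for _, a in getaddresses(values) if "@" in a}

def indicators(raw, max_text_chars=40):
    """Report the two traits and whether both are present together."""
    msg = message_from_string(raw, policy=policy.default)
    same_domain = bool(_domains(msg, "From") & _domains(msg, "To", "Cc"))
    images, text_chars = 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            if part.get_content_subtype() == "html":
                body = re.sub(r"<[^>]+>", " ", body)  # drop tags, keep visible text
            text_chars += len("".join(body.split()))  # count non-whitespace only
    image_only = images > 0 and text_chars <= max_text_chars
    return {"same_domain_sender": same_domain, "image_only": image_only,
            "suspicious": same_domain and image_only}

if __name__ == "__main__":
    print(indicators(SAMPLE))
```

The random characters around the title live inside the image itself, so checking for them would need OCR, which this sketch does not attempt.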