Experimenting with caginess: a 419 spam case study

I recently came across a sly variation on your typical 419 spam campaign, where the spammer made an obvious effort to provide very little information about `the huge pile of money they absolutely need your help to get their hands on`. By providing very few details, they hope the message recipient will be so intrigued by the “sensitivity” of the situation, they will have no choice but to reply back and find out more.

Follow along with the message below to watch and be amazed at how the caginess is irresistible…

> Greetings,


> I know you would be surprised to read from someone relatively unknown to you. My name is LT. Keisha Curtis Morgan, a member of the U.S. ARMY USARPAC Medical
Team, which was deployed to Iraq at the beginning of the war in Iraq.

You bet I’m surprised. I don’t know you, why are you emailing me? I must read on…

> I would like to share some highly personal classified information about my personal experience and role which I played in the pursuit of my career serving under the U.S 1st Armored which was at the fore-front of the war in Iraq.

… highly personal… AND classified?!? Clearly, this is incredibly important — especially since this “classified” information is being sent around to tons of random people the sender doesn’t even know. I am just so intrigued.

> Though, I would like to hold back certain information for security reasons for now until you have found the time to visit the BBC website stated below to enable you have an insight into what I intend sharing with you, believing that it would be of your desired interest one-way or the other.

Oh, well obviously you need to hold back certain information until we establish some mutual trust. And I see your grammar has steadily worsened as the message progresses. You must be so excited and nervous to share this highly sensitive information that even basic language skills are out of your reach. I need to get on top of this situation before it’s too late.

Brief interlude: you pause to read the linked BBC news story from 2003 about a >200million stash of cash found in Iraq, believed to be abandoned by fleeing regime leaders (here). And reading the last paragraph of the article:

Five US soldiers are currently being questioned by military officials after some of that money was allegedly stolen following its discovery.

AHA! One of the thieves has emailed me and needs my help to launder his massive pile of cash. I don’t know anything about money laundering, international finance, or crime of any sort, but I’m sure I can help.

> Also, could you get back to me having visiting the above website to enable us discuss in a more clarifying manner to the best of your understanding. I must say that I'm very uncomfortable sending this message to you without knowing truly if you would misconstrue the importance and decides to go public. In this regards, I will not hold back to say that the essence of this message is strictly for mutual benefit between you and I and nothing more.

Of course you’re uncomfortable sharing information, you’re a criminal — and, soon, I’ll be one too! I won’t misconstrue anything – your secret is safe with me (and the thousands of others you sent this message to). Ok, so let’s get down to business…

> I will be vivid and coherent in my next message in this regards, meanwhile, could you send me an email confirming that you have visited the site and that you have understood my intentions? I will await your thoughts via my personal email: <some-random-name>@gmail.com

Excellent. I like vivid and coherent. I like grammatically correct too, but I’ll take what I can get, if in the end I end up with millions of dollars in my bank account.

Since there is an element of international espionage here, I ought to put my analyst hat back on for a quick second before I tap out my criminal-career-starting reply message. A few key points of interest:

  1. The “Received: ” headers indicate the message originated from some server in Africa, rather than an authenticated gmail server as one might expect with the reply-to address. Hrm… that’s odd. But maybe the thief has to forge the headers so they can avoid being caught.
  2. The “Content-Type: text/plain;charset=”Windows-1251” – which is a Cyrillic character set, i.e. Russian. Hrm… maybe these international criminals need to speak several languages (I wonder if their Russian is any better than their English?).
  3. The message was eventually delivered by a mail server known to send a massive amount of advance-fee-fraud spam. Hrm… they must have had to covertly funnel this highly secretive message (to thousands of people) amongst a bunch of other financial scam related spam, so it would remain under the radar. Yeah, that must be it.

Yup, definitely no scam here. I can’t wait to be a millionaire.