George Mason University researchers Damon McCoy and Jackie Jones have found that the majority of Craigslist buyer scams originate from one of only 5 Nigerian gangs – with substantial help from US-based accomplices.
The researchers posted “honeypot” ads for laptops – priced, on average, at a 10% premium over Amazon in order to weed out most legitimate buyers. In fact, only one non-scammer tried to purchase an overpriced gadget.
The honeypot started attracting flies and the ‘buyers’ got in touch via email. The researchers responded by sending images of the products.
When the scammers clicked on the image link, their IP addresses, and therefore their location, were revealed. More than half of the scam emails were sent from Nigeria, and from just five groups of scammers.
The researchers were looking to attract people trying a so-called advance fee fraud scam, also known as Nigerian 419 scams.
The Craigslist spin on the 419 scam is that the “buyer” of whatever you’ve listed to sell says he wants to pay for the item with a certified check but that he can’t pick up the goods himself and needs to use a “mover” agent.
So the buyer sends a check for substantially more than the purchase price, with instructions to send the difference to the mover agent and maybe pocket a bit extra for the additional running around.
This is very similar to other overpayment scams, described by Paul Ducklin in anatomy of a scam as:
The fraudster sends you a cheque for more than the correct amount. Rather than cancelling and reissuing the cheque – since the scammer trusts you – you are asked to bank the cheque and simply to refund the difference. Except, of course, the cheque is fraudulent and ends up dishonoured. You are left out of pocket.
The researchers told PCWorld’s Jeremy Kirk that this is the most profitable buying fraud, and unlike many other 419 frauds, it has nothing to do with bogus PayPal payments.
Of all the checks received, only one was written by hand, all other checks were printed using check writing software, such as VersaCheck, using legitimate check paper, based on the [existence] of watermarks and other security features.
Most were business checks, and, based on internet searches, 90% of those businesses were legitimate.
Beyond the look and feel of the checks, the researchers found that the bank routing numbers were also all legitimate.
When they could identify the banks, the researchers found that 73% were located within or near the city of the check’s business address.
When the researchers took some of the checks to the banks upon which they were drawn, to gauge how authentic the checks appeared, each bank said that the checks looked legitimate and would likely be cashed.
The two elements the cashing bank couldn’t verify, because of privacy rules, were the account numbers and the signatures.
Depending on the issuing bank’s policy, the full or partial amount of funds may be floated while the check clears – or, in this case, while it doesn’t clear.
The bank may, of course, try to claw that money back, either in full or partially.
The researchers were taken aback by how many US-based accomplices are supporting the scam, McCoy told PCWorld:
I think the most surprising thing was the number of people in the U.S. participating in this scam.
All of the checks were mailed within the US, indicating that the Nigerian gangs had recruited local help.
The researchers also identified mover agents from 26 states, with most used only once, for the receipt of money.
Texas showed up at the top of the list, with 63% of the scammers identified in the state acting as both the mailer of the bogus checks and the mover agent/mule.
As far as the businesses from which the checks were purportedly written, the researchers didn’t ascertain whether or not they were in on the fraud.
They spanned businesses both large and small, including auto parts stores, gas stations, universities, churches, and city government offices.
Such a strong tie-in to the US is an effective way to cover the fact that the scam originates in Nigeria, McCoy told PCWorld.
The researchers used a variety of methods to determine that only a few groups were responsible for most of the fraud.
Beyond IP addresses, the methods included analysis of the return addresses used on the payment-carrying envelopes and the signatures on the checks themselves.
Because so few groups make up so much of the bogosity, they said, focusing on disrupting the top groups should have a sizable impact on the overall scammer community.