APCUG Reports
January-March 2009

Scam Alert
by Don Singleton

Usually Scam Alert covers a number of phishing attempts and other scams, but this time I am going to go into a lot more detail on one attempt, which started with a one-line email asking when I wanted my $250,000 transferred to me. Normally I do not respond to these, but this one, for some reason, interested me, and I played along with it for a while, while at the same time trying to make sure others did not get trapped by the bad guys. Here is the result of my efforts:

From: WESTERN UNION MONEY TRANSFER
Date: Friday, February 20, 2009 11:58 AM
To: info@wumt.com
Subject: 250,000 USD Transfer Notice

when do you want your Two Hundred and Fifty Thousand USD transferred to you?

The email was supposedly sent from info@wumt.com, which is not an active domain.

The reply would have gone to western.union.money.transfer.unit@live.com. Live.com is a free email service offered by Microsoft. It took a little looking on the Live.com site, but I finally found a place to send an email to a human, and I sent:

I cannot find an abuse email, but someone is using live.com in an attempt to get bank account data. The account is western.union.money.transfer.unit@live.com

It took a while (Saturday, February 21, 2009 9:16 AM) but I got a response back.

Hello

My name is Kerri and I am with the Microsoft Global Escalations team.

We have reviewed the accounts which you have reported for being the reply email address for a fraudulent/spam email.

Upon investigation, we have found that the account has violated Terms of Use and have closed the account.

Your help in making The Microsoft Network an enjoyable place for everyone is greatly appreciated.

Thanks,
Kerri
Microsoft Global Escalations

I determined from looking at the header of the email that it was sent from an account on Zimbabwe Online (http://zol.co.zw/).
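The two header checks described above (where replies go versus the claimed sender, and which provider's server first accepted the message), as an added Python example that is not part of the original article. The header text is constructed, since the article does not reproduce the real one; the addresses come from the article, while host names and IP addresses are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header, NOT the real message's header. Hosts and IPs are
# placeholders from documentation ranges; addresses are those quoted in the article.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP; Fri, 20 Feb 2009 11:58:40 -0600
Received: from smtp.isp.example (smtp.isp.example [192.0.2.25])
\tby mx.recipient.example with ESMTP; Fri, 20 Feb 2009 11:58:31 -0600
Received: from [203.0.113.44] (dialup-44.isp.example [203.0.113.44])
\tby smtp.isp.example with ESMTP; Fri, 20 Feb 2009 19:58:12 +0200
From: WESTERN UNION MONEY TRANSFER <info@wumt.com>
Reply-To: western.union.money.transfer.unit@live.com
Subject: 250,000 USD Transfer Notice

when do you want your Two Hundred and Fifty Thousand USD transferred to you?
"""

FREE_MAIL = {"live.com", "hotmail.com", "gmail.com", "yahoo.com"}  # illustrative list

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def origin_hop(msg):
    """(accepting host, client IP) from the earliest Received header, or None.
    Hops added before your own provider's servers can be forged, so treat the
    result as a lead for an abuse report, not as proof."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    first = " ".join(hops[-1].split())  # earliest hop is listed last; unfold it
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first)
    by = re.search(r"\bby\s+(\S+)", first)
    return (by.group(1) if by else None, ip.group(1) if ip else None)

def triage(raw):
    """Flag a Reply-To that diverts answers away from the claimed sender."""
    msg = message_from_string(raw)
    frm, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if reply and reply != frm:
        findings.append(f"reply-to domain {reply} differs from From domain {frm}")
    if reply in FREE_MAIL:
        findings.append(f"replies go to a free webmail account at {reply}")
    return {"findings": findings, "origin": origin_hop(msg)}
```

The accepting host in the result is the one whose operator is worth contacting, which is how the abuse report to the sending provider below was addressed.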

I found a technical support email address for Zimbabwe Online, so I sent:

I will be embarrassed if it turns out the whole http://zol.co.zw is a corrupt operation, but I am presuming that you are a reputable company, and that just one of your customers is trying to hijack bank account information, from pfishing emails sent from your service, with responses to go to western.union.money.transfer.unit@live.com.

The email itself is attached, and the header from the email is ....

I attached the header as well. I got an automated response:

Dear Customer

Thank you for sending us your email. This is an automatic reply by the ZOL TrackIt system to your message regarding: “pfishing attempt”, a summary of which appears below. TrackIt allows us to monitor the quality and speed of the response to your request. It also allows us to have a permanent record of all your requests to help serve you better.

If you feel our ZOL staff has given you particularly good or bad service - please email ceo@zol.co.zw where our management will take action.

There is no need to reply to this message right now. Your ticket has been assigned an ID of [ZOL #130418]. Please include this ID in the subject line of all future correspondence about this issue. This will allow us to keep track of your query.

You may log into the ZOL TrackIt system to view your past and current tickets at http://trackit.zol.co.zw

Having taken two actions to cut them off, just out of curiosity I played along with the original scam and replied (Friday, February 20, 2009 12:28 PM):

“Transfer it immediately to the bank information you already have.”

(I knew they did not have any bank information, but if they thought I was dumb, I could play dumb.) I received a response back in a little over 2 hours (Friday, February 20, 2009 2:37 PM). Microsoft had not cut them off yet.


Plot 43 Garki-Abuja
Call: +234 703 954 5966
===========================================================
THE FASTEST WAY TO RECEIVE/SEND CASH WORLDWIDE
===========================================================

Gee, they faked a Western Union heading for their email.

Greetings!

We have been waiting for you to inform us when you want us to send you the Money Transfer Control Number (MTCN) of your funds $250,000 (Two Hundred And Fifty Thousand United States Dollars) deposited with us for transfer to you by Mrs. Grace Powell but you failed to respond and this has prompt the Board Of Director of this company to establish immediate contact with you the receiving beneficiary after all attempt to reach the Depositor Mrs. Grace Powell has failed. We have been contacting Mrs. Grace Powell to communicate your data’s to facilitate the deposit funds transfer to you but no response, so then we decided to establish contact with you immediately.Your Email Address was the only data communicated to us by Mrs. Grace Powell for us to have the lodged funds Transferred to you. I was inform me that you are the beneficiary to received the funds over there in your country.

Mrs. Grace Powell is a member of the Economic Human Growth Development (E.H.G.D.) and we beleive the mean aim of this payment is for your personally development and i will personally advise that you use the funds wisely.However we will need the requested data’s below to commence the transfer due process as given below:

Receiver Name:
Receiver Address:
Receiver Country:
Receiver Tele-phone Number:
Receiver Occupation:

With the requested data we can commence the facilitation of your funds transfer to you.

Thank You and Have A Lovely Day
Cordial Greetings
Mr. Flin Coker
Director Of Operation

Consumers have looked to Western Union® to help them stay connected to loved ones around the world for more than 150 years. We are a global leader in money transfer services, offering the ability to send money to more than 320,000 Western Union Agent locations in over 200 countries and territories.Count on Western Union to transfer money, send payments and receive cash world-wide

I’m not sure why they stretched the picture on the bottom, or even why it was there, but I did not mind giving them my address and phone number, just to see when it would really turn into a ripoff, so I replied (Friday, February 20, 2009 2:50 PM). They must have been drooling, because they rushed back (Friday, February 20, 2009 2:54 PM):

Animated header, like above

Dear Customer,

We appreciate your prompt response to our letter and the requested data to enable us transfer of your $250,000 (Two Hundred And Fifty Thousand United States Dollars) was deposited with us for transfer to you is well taken and for your interest we have filed data for onward transfer of your funds to you.

In furtherance of the transfer of your funds to you with immediate effect as your funds has been prepared for transfer commencement, you will have to inform us how you wish the funds to be transferred to you of which is convenient and affordable for you as method option of transfer is given below of which your funds would be transferred to you.

Fex-Transfer:

This Option applies that your total funds would be transferred within 24 hours in Five (5) trans. i.e. you would be sent 5 Money Transfer Control Numbers (5 MTCN) of $50,000 Each of which you would go to any western union money transfer location to collect the payments transfer made you.

Demo-Transfer:

This Option applies that your funds transfer would be made 5 Days Transfer of which $50,000 would be made per day until the total funds transfer is completed in 5 Days . You would be sent 1 Money Transfer Control Numbers (MTCN) each day of which you would go to any western union money transfer location to collect the payment and the next day another Money Transfer Control Numbers (MTCN) would be sent to you until the transfer is completed.

Either Options differ by the Processing Facilitation Fee as given below:

Method Option 1. Fex-Transfer Sending Fee Facilitation: $600 USD (Total Transfer <$250,000> 5 MTCN for funds pick-up same day of transfer sending fee payment).

Method Option 2. Demo-Transfer Sending Fee Facilitation: $120 USD (Total Transfer <$50,000> 1 MTCN for pick-up per day after transfer transfer sending fee payment).

To that end you are to communicate to use which transfer method option is preferred and convenient for the transfer to be made to you.

We wait your chosen Method of transfer so can commence your funds transfer precedence

Cordial Greetings
Mr. Flin Coker
Director Of Operation

Stretched picture like in previous response.

Five days after I notified Zimbabwe Online that their service was being used for criminal purposes, I received two emails from technical support, the first (February 25, 2009 5:24 AM) telling me I should ignore the thief’s email:

Good Day

Thank you for your continued support. From what i ave gathered from the email that you have sent to me is that this is trully a false email therefore please ignore that email.

Regards
Eurry
zol Support

And the second (also February 25, 2009 5:24 AM) telling me they were closing the ticket, i.e. would do nothing further about it.

We believe this problem has been resolved and we are now closing this ticket. If we have failed to close this matter to your satisfaction please reply to this message and your case will be immediately re-opened.

As Dylan Thomas said, I “Do Not Go Gentle into That Good Night”, i.e. it takes more than that to shut me up. I replied (February 25, 2009 8:00 AM) with this (to both support@zol.co.zw, and ceo@zol.co.zw, the management email I got from the first ticket):

One of your customers tried to steal money falsely using your services, and you consider that the problem is resolved by telling me five days later to ignore his email?????

If I had not figured that out all by myself, I never would have contacted you or the people at live.com (who closed his email account).

I probably should have referred this to our FBI and CIA,

In fact, they probably would have ignored it, since a crime never was completed, i.e. I did not have any money stolen from my account.

But I hoped that Zimbabwe Online was a reputable organization that would be offended at their service being used to try to steal people’s money, and would do everything they could, including turning over evidence of the person sending these emails to the Zimbabwe Republic Police for prosecution.

They probably are not going to do anything, because they want the thief’s monthly payments for his account, but at least I want to get them thinking maybe they could get in trouble for what he is doing.

I am referring this to ZOL Management to see if they are concerned for the reputation of ZOL. If they are not, perhaps the entire company is involved, and perhaps I should be talking to the people at RIPE Network Coordination Centre in the Netherlands, who seem to be responsible for your connection to the Internet, or SkyVision Holdings Ltd. in the United Kingdom, who feed the eris-pluto.zol.co.zw (196.201.1.185) router from eris-fa0-0.jc.tan-net.com (213.255.219.78).

I got that information by using VisualRoute to do a trackback to zol.co.zw.

Tech support really hopes I will drop the issue. On Friday, February 27, 2009 at 6:15 AM they closed the ticket again, and sent me:

Good Day

Thank you for your continued support.I am sorry if it seems like we are neglecting the issue but we are greatful .As we speak my superiors are currently on the issue .Thank you.

Regards
Eurry
Zol Support

So far nothing from his superiors. Oh well, I really did not expect anything, and I am happy that Microsoft responded as it should have. And it gave me material for a Scam Alert.