I received an email from a Mr. 'John Nelson' offering to buy some wine. Here is John's initial email.
Hello, my name is John Nelson, an American . I live and work here in Seoul, South Korea. Actually when I was around last year for christmas holiday, I got a bottle of one of your wines from a friend as a gift and I love the taste .Since then , I have been planning on getting your wines for my birthday party ...coming up soon here in Seoul, South Korea. I will be making my payment via my American based credit card . I am registered with a shipping agency here in Seoul, which has representatives in USA . So you are not get the wines shipped but the wines will be picked up at your winery by this licensed shipping agency .The shipping agency have all the appropriate exportation documents and permits. . . Kindly get back to me so that I can make my orders . Thanks. John
Let's find out a little bit more about 'John Nelson.'
John's email appears to be firstname.lastname@example.org. But when I double-click on the sender name, the sender is actually email@example.com. He has sent the email to his ‘john’ moniker, with probably blind carbon copies to dozens of wineries. Note that he has not addressed the email to a winery or a person. Nor does he mention what wine he enjoyed, or why he enjoyed the wine. I think we can assume that an American with the fully Wayne-esque name of John Nelson would also have a basic grip on English grammar and punctuation.
Next, I follow this protocol (for Outlook Express):
- double click on the message
- click on File
- click Properties
- click Details tab
This brings up a long list of IP (internet provider) addresses. A wealth of information. When I click on Message Source, the information is provided in plain text, which can be cut and pasted into a word processor. Next, we're going to look up some of these IP addresses and find out where in the world John Nelson really is.
There are a lot of numbers on the page, but we want to look at the bottom and move up the list to the first IP, which is most likely to be the origin. The other IP's are probably relay hubs. The date and time will also be printed at the end of each line, so you can spot the earliest time in the list.
John's IP address looks like this: [22.214.171.124].
John is writing to us from Lagos, Nigeria.
Just to be sure, I also use the Trace Email function at WhatisMyIPAdress.com. This search returns the same information, along with: Latitude 6.4531, Longitude 3.3958
Next, let's use mx.toolbox Blacklists to see if this IP has been blacklisted with any of the Blacklist watch services. (Some IP's specialize in spam.) Yes, this IP has a Level 1 warning, and has been registered as sending heavy spam within the last 7 days. Next, using the functions at ip-lookup.net, we learn that there is a partial spam block on this IP, which falls under the jurisdiction of British-owned, Amsterdam-based, Réseaux IP Européens Network.
And we are provided with contact information for a complaint: For issues of abuse related to this IP address block, including spam, please send email to DCC SATELLITE:
- Filtered person: Arvind Gupta
- address: Blk 54A, Plot 10, Off Adebayo Doherty,
- address: Off Admiralty Way, Lekki Phase 1,
- address: Lagos, Nigeria
- phone: +234-1-4721306
- e-mail: firstname.lastname@example.org
Let's set this information aside for the moment. Our next step is to write a response to Mr. John Nelson. Safety first. I won't worry about the scammers finding this post. Life is too short to be paranoid. But I will use an old email address and pose as a man. In fact, I am a poor, hard-working cellarman with a fledgling wine production, and any transactions or shipments must be processed through "my employer" or "a friend."
Hello John, Here is what I have available. All full cases have a 25% discount: 1996 Cabernet Sauvignon, $36 per bottle; 2003 Viognier, $24 per bottle; 2000 Syrah, $17 per bottle. Please let me know if you are interested.
You'll notice I didn't mention a brand name. (It doesn't exist.) Will he ask? I also haven't asked about his shipper or the export documentation. Any legitimate exporter or shipper would request detailed invoices and sometimes lab reports for the wine in the shipment.
Well, it must be business hours in Nigeria because I heard back from John in 17 minutes. He places an order for 15 cases of wine, 5 each.
To avoid the shipping responsibilities and difficulties please contact ALPHATRANS SHIPPING COMPANY ,via the email address below; alphatrans Shipping company has all the documents and permits required for the exportation of the wines . Contact them with the following information : (1)Your full location address where the wines will be picked up . (2) The sizes and weights of the cases of wines. The shipping company will estimate the shipping cost and there after contact you of the time the wine will be picked up . As soon as you have the shipping cost from the shipper , get back to me with the grand total cost so I will be able to forward my USA Issued credit card number to you for the full payment once . Please contact the alphatrans SHIPPING & CO. now at [email@example.com]. Waiting to hear back from you now . John.
- John doesn't appear to care what the brand is. Could be Chateau La Merde for all he cares.
- He doesn't question the vintages, ask any questions about the wine, or indicate that he gives a pigeon's fart about quality. Yet he's willing to order 15 cases of this plonk for his birthday party.
- He wants my exact location. As if! I'm tempted to give him Vern's address. Vern is the local toothless jerk who shoots all animals that cross his property. Killed a boy's puppy, and shot Gazoo in the face with buckshot. Gazoo nearly died. I despise Vern. But I won't give him up to Nigerian terrorists. Not yet.
- There really is a shipping company called AlphaTrans, Ltd. They are located in the Ukraine, and specialize in deliveries to Asia. But when you look at their real email contact information, it consists of real names ending in @alphatrans.ua. Not @rediffmail.com. (Rediff is India's version of Yahoo and Gmail.)
So I get back to John with a quote for the wine—$693—and I try to see if he will give up an address for his shipper. No dice.
Hello, thansk for mailing, contact my shipping company at the address i gave you and give them all the information concerning the wine and distination and they will come for the pick up. regards
So I gave AlphaTrans the address of the biker bar in a nearby town.
A quote arrives from the shipping company for $200 per case for Chateau Schit, or according to their math . . . $2500. Which doesn't even add up, but oh well, I’m so desperate to make this sale, I don’t care.
I email John back with this quote and ask for his credit card information, including the type of card, credit card number, expiration date, security code and issuing bank. He writes back that his bank has warned him not to provide "these informations." What the heck, I tell him to send whatever he can.
After a few days, John sends his credit card information. He provides no less than FOUR Mastercard numbers, with instructions in ALL CAPS to divide the charges equally. The first 12 digits of each card are identical, which is a little suspicious. The first six digits of every credit card is a BIN—bank identification number. So rather than call a generic toll free Mastercard phone number, where I will most likely be dealing with dolts or 'bots (or both) I look up the BIN number—512107—using a free shareware program called Mars Bank Base. From this, I learn the issuer is Sears National Bank, and a contact phone number is provided.
I am fortunate to speak with Angela at Sears Bank, who is friendly and professional. Ironically, when I explain the situation, she remembers dealing with another report from a winery just this week on Mr. John Nelson! (She could not, however, remember the name of the winery.) Although she cannot reveal who the real cardholders are, she checks each number and assures me that the owner of each card is NOT a Mr. John Nelson. She will immediately lock each account, notify the real cardholders of the attempted fraud, and issue new cards.
Credit card companies must use specific algorithms and identifiers when issuing their numbers. Sophisticated scammers use computers to generate accurate numerical phrases up to 12 digits long, and then they just spool through random digits for the last 4 numbers until they get a number that conforms to the Luhn algorithm. Angela confirms my suspicions. John is using four cards partly to avoid Fraud Alert action, but also because it increases his chances of using valid card numbers. Sure enough, one of the accounts has already been closed; limiting his valid credit cards to three.
Next, I email the shipper and inform them that I will be charging the cards today (clearly a lie) and I ask them where they want me to send the money, hoping to nail down a location. But they want me to send a Western Union money transfer for the shipping fees to their US representative. And this is where my investigation takes a strange and unanticipated turn.
Read Part III: "It Ain't TV, Lady"