I recently saw this article from Mark Stockley for Sophos entitled Ransom email scam from ‘hitman’ demands: pay up or die and assumed – as I suspect many people will – that it was some particularly horrible example of ransomware. In fact, while it is pretty horrible in its way, it turns out that there’s no real malware as such involved, just social engineering of the 419 persuasion, where the scammer claims to be an assassin ordered to kill the person who receives the email. In fact, I’ve written about this particular 419 sub-species several times before.
While the version noted by Mark Stockley rather more polished and up-to-date technologically (it wants payment in Bitcoin!) than most of the 419 scam messages I’ve seen that use a similar approach, it’s not much different, fundamentally. Here’s an extract from a particularly crass example I came across some years ago.
I want you to read this message very carefully, and keep the secret with you till further notice, You have no need of knowing who i am, where am from, till i make out a space for us to see, i have being paid $50,000.00 in advance to terminate you with some reasons listed to me by my employers, its one i believe you call a friend, i have followed you closely for one week and three days now and have seen that you are innocent of the accusation
[…]
You will need to pay $15,000.00 to the account i will provide for you, before we will set our first meeting, after you have make the first advance payment to the account, i will give you the tape that contains his request for me to terminate you, which will be enough evidence for you to take him to court (if you wish to), then the balance will be paid later.
Sometime later, my friend and colleague Urban Schrott drew my attention to a spam campaign that had been causing some hilarity over at ESET Ireland. The message had the subject “YOUR LIFE IS IN DANGER,” and apparently came from someone calling himself Spike Dwaggin, though later he signs himself Dai Teatime. A commenter on one of my earlier blogs pointed out that Spike Dwaggin is a dragon from My Little Pony, that the name Dai features the 4th, 1st, and 9th letters of the alphabet (419 – geddit?), and told me that Dai Teatime is the assassin from Terry Pratchett’s ‘Hogfather’. (In fact, Pratchett’s assassin is Jonathan Teatime, but close enough.)]
While it’s not unusual for purveyors of 419 scams to use noms de plume reminiscent of famous people (real or fictional), this one is notably rich in popular cultural references. The article cited above references a few more, if you’re interested. But here’s the message from Spike/Dai, with some comments from me.
As I sit here sipping a martini it is my regretful duty to inform you that you have been selected for assassination.
[Given the subsequent references to SMERSH, I can only assume that this would be a vodka martini (shaken not stirred).]
I am a professional assassin (I enclose my certificate of assassination as proof) and SMERSH have contracted me to assassinate you and have specifically paid extra for a particularly nasty death which makes it look like you died in a particularly bizarre sex game gone wrong; I had already bought the shire horse stallion (he’s called Henry – picture attached), the lard and the dragon dildo (from Bad Dragon of course, I only use the very best tools) when I found out that you are innocent of the accuse, so I make out this time to contact you. Unfortunately international crime syndicates won’t admit to mistakes and cancel the hit so I will be forced to carry out the assassination on you. Sorry about that old chap but rules are rules…
[Interestingly, the killer’s modus operandi seems to have been influenced by a story relating to the Russian empress Catherine the Great, who was said (quite untruthfully) to have died as a result of being somewhat over-intimate with a horse. And could this particular horse be the Henry who ‘of course dances the waltz’ in the Beatles song ‘Being for the benefit of Mr Kite’?]
There is an option for me to help you in other for you to know who had paid SMERSH for your DEATH and don’t forget my men had been monitoring you for the past few days and daily record of your activities is been sent to me but I have refuse to order your DEATH.
[If your acquaintanceship with James Bond is limited to the movies, you may be unaware that a fictionalized version of SMERSH (a real Russian counter-intelligence agency that was wound up in 1946) plays a significant part in the very early novels. Oddly enough, a lot of commentary on 419-related forums relating to this particular example misses the fact that SMERSH and SPECTRE (a purely fictional criminal organization) are by no means the same thing, though there seems to be a certain amount of traffic from one to the other in terms of personnel. A bit like the AV industry…]
Get back to me if you value your LIFE with all due speed or else I regret I will have to carry out my original contract to assassinate you and although he is quite charming for a horse I don’t think Henry is the most sensitive of lovers.
Toodle Pip!
Dai Teatime
International Assassin
When I first saw the message on ESET Ireland’s site, I assumed it was some kind of spoof intended to amuse rather than threaten. However, after checking on one or two scam-baiter forums, it seemed that Mr Teatime was probably quite willing to take money from anyone who appeared to have fallen for his shtick. And however funny this particular message may seem to people who are security-savvy, there are others who will find messages from self-described assassins as genuinely frightening. Sadly, I suspect that not all of them will come across articles like Mark Stockley’s (or even this one) to reassure them that it’s just another scam, mailed out more or less at random.
Still, sometimes all you can do with stuff like this is laugh at it.
David Harley