Nigerian Scammers operating out of Madrid, Spain, plus using Botnets
Lately, I have been getting lots of Nigerian 419 Lottery scams, with the originating IP located in Spain, especially the ISPs - Ono.com and Telefonica.es. However, when I report these scams to SpamCop, a lot of the sending (not originating) IP addresses end up belonging to residential customers of broadband services in the US, Europe and South America. This tells me that the Nigerian crime gangs have buddied up with the owners of a botnet and are using it to relay some of their scam messages. Furthermore, some, but not all, of the scam emails also contain clickable links that lead to instant downloads of Trojan Horse downloaders, Keyloggers and Backdoors. This stinks of the Storm-Worm-Zhelatin Gang, located in St. Petersburg, Russia, although it could be a different botnet being rented out to Nigerians.
The main point of this article is not about botnets. Rather, it is to point out that many Nigerian 419 fraudsters are moving out of Africa, and Amsterdam (where they got arrested, convicted and deported), and settling in Spain. Not wanting to have their scam/spam messages traced directly to them, they have taken to the airwaves, literally. They are "piggybacking" on their neighbors' unsecured wireless routers, in apartment complexes or houses, using IP addresses assigned to other legitimate customers, to send scam runs. The victims are completely unaware that anything illegal is happening, until the Police come knocking on their door. Fortunately, the Nigerians who are piggybacking on the broadband accounts are in the same buildings. This has allowed the Spanish Police to locate and arrest some of them, as happened on February 18, 2008. Here is a quote from the Sophos article about those arrests:
Ten Nigerians arrested in Spain for email lottery scam
February 18, 2008
The ten people, all Nigerian nationals, are suspected of making more than 19,000 Euros ($28,000) in three months by demanding payments from innocent internet users who believed they had won a lottery.
Police report that the emails sent by the suspects were sent from the Teatinos area of Malaga in Spain, by piggybacking on a neighbour's wi-fi internet connection without permission. Seven arrests were made in Malaga, and three more in Huelva province.
Malaga is no stranger to Nigerian-run email scams. In 2005, 310 people were arrested in Malaga in what was said to be the biggest ever bust of a lottery scam gang. The arrests followed an investigation by the FBI and Spanish police into a scam run by Nigerian gangs.
If you run a forum or website that is plagued by Nigerian scammers you can block them from accessing it by employing a "blocklist." I publish and maintain a Nigerian Blocklist in two common formats:
- .htaccess - for most Apache-based, shared hosting websites, where the webmaster only has control over his/her own website. The .htaccess rules will only block browsing your site and form submissions, but not email scams.
- iptables - for those administrator-webmasters, who have Root access to dedicated, or VPS - Linux based servers. Iptables rules can be imported into your APF firewall, to block all access to undesirables, including email access.
Rather than create an entire new blocklist for the Nigerians residing in Spain, I am adding the IP addresses and CIDRs of Spanish ISPs to my Nigerian Blocklists.
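To show how one list of addresses and CIDRs can feed both formats described above, here is an added example (not the Wizcrafts blocklist or its author's tooling) that validates entries, merges overlapping ranges, and emits .htaccess and iptables rules. The function names are hypothetical, the addresses are RFC 5737 documentation ranges, and the .htaccess output assumes Apache 2.4 `Require` syntax.

```python
import ipaddress

# Constructed sample blocklist: RFC 5737 documentation ranges, not real scammer IPs.
SAMPLE = """\
# adjacent halves, should merge into one /24
192.0.2.0/25
192.0.2.128/25
198.51.100.7          # single host
203.0.113.0/24
203.0.113.64/26       # already covered by the /24 above
203.0.113.9/24        # typo: host bits set, must be rejected
not-an-ip
"""

def parse_blocklist(text):
    """Return (collapsed IPv4 networks, rejected entries)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry))  # strict: host bits are an error
        except ValueError:
            rejected.append(entry)
    # collapse_addresses merges adjacent ranges and drops ones already covered
    return list(ipaddress.collapse_addresses(nets)), rejected

def _fmt(net):
    """Write a /32 as a bare address, anything else as CIDR."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def to_htaccess(nets):
    """Apache 2.4 syntax (assumption): allow everyone except the listed ranges."""
    body = [f"    Require not ip {_fmt(n)}" for n in nets]
    return "\n".join(["<RequireAll>", "    Require all granted", *body, "</RequireAll>"])

def to_iptables(nets, chain="INPUT"):
    """One DROP rule per range; this drops all traffic from it, mail included."""
    return "\n".join(f"iptables -A {chain} -s {_fmt(n)} -j DROP" for n in nets)

if __name__ == "__main__":
    networks, bad = parse_blocklist(SAMPLE)
    print(to_htaccess(networks))
    print(to_iptables(networks))
    print("rejected:", bad)
```

Collapsing the list before emitting it keeps the rule count down, which matters for iptables because rules in a chain are evaluated in order.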
End users, who receive email via a POP client (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora), and are tired of sorting through dozens or hundreds of daily email scams and other spam, can use the program I use to filter out spam and scams. That program is MailWasher Pro, which you can read about here.
In the meantime, do not fall for any lottery scams, or other free money pitches coming from Nigerian criminals. To see the details about what they have been up to recently, read my blog article about the sudden surge in Nigerian lottery scams.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.