Technology that can be abused by Scammers

Russian dating scams: Tips

Browse our Romance Scam Database

SCAMDIGGER - pictures used in scams


Register on our SCAM FREE SITE! Our site is absolutely FREE, friendly and clean of scam. This is the most scam intolerant dating service on the web!





Why Russian scammers use TheBat!

My deep thanks to our member Nordic Traveler for enlightening us why Russian scammers use The Bat! and for providing this valuable article for my site.

Scamming is a sophisticated technique used to part the unwary of their money. The challenge for the scammer is that not everyone falls for the scam; unfortunately, enough people do fall for the scam to keep the scammers in business. This short article helps explain how Scammers use technology to help them commit a scam and signals that you can look for that will help you avoid being a victim.

Scammers have a big problem to overcome when they try to get unwary people to send them money - first, there is a much higher awareness today so far fewer people fall for the scams. This means that Scammers need to "play the percentages" and send out as many "convincing" e-mails as possible in the hopes of finding their victim. How can they do this? Through technology solutions normally used by companies.

Research


Example: joe@domain.com


Advertisement


Why Russian scammers use TheBat!

Let me ask you two questions: First, what would you think if you knew that the person writing you was using a commercial software application typically used by businesses? Second, what would you think about receiving e-mails from a mail client from someone claiming that they were using an Internet Café? If you do not understand either of these two questions, your vulnerability to being scammed is much greater. There are two pieces of background information that will help you understand why understanding the context of these two questions is important:

First, managing the large number of scams that are necessary in order to identify a victim is difficult. The solution is to use a commercial software application that has the following characteristics:

1) The Scammer needs an e-mail client that can manage large amounts of e-mail from many different e-mail accounts (using the same e-mail account for communicating with many victims can be problematic since once identified as a Scammer, there are enough Blacklists that the e-mail account will be readily recognizable).
2) The Scammer needs an e-mail client that can sort messages from different e-mail accounts into threads do that the dialogue over time can be managed - this allows "customization" of the communication with the victim to help avoid suspicion (not answering questions or ignoring important information can tip off a victim that something is wrong.
3) The Scammer needs a way to reduce the amount of effort required to communicate with all their victims.

Second, as the scale of the scamming activity increases, the Scammer will have a problem using a web e-mail service:

1) E-mail service providers, once aware of a scam, can involve law enforcement agencies and can identify other victims and send out warnings - the Scammer needs to minimize, as much as possible, traces of their scamming activities.
2) Most people would never consider using an e-mail application from an Internet Café (which many Scammers claim to be using) since all of their mail would be left on the computer they were using! If someone is using an e-mail application of any kind (Outlook Express, Outlook, etc.) while stating that they are using an Internet Café warning lights and a siren should be going off.

Now that we have identified the characteristics, we can discuss two simple tests that you can do yourself: First, as soon as possible, ask the person that you are corresponding with where they live. With this information, you can inspect the e-mail message header (most e-mail clients will show this information as "message header" or "show original message") - the part that you are looking for looks like this:

Received: from 192.168.0.4 (29.214.dialup.mari-el.ru [195.161.214.29])
(authenticated bits=0)
by mailc.rambler.ru (8.12.10/8.12.10) with ESMTP id jBHJSM2V039983
for ; Sat, 17 Dec 2005 22:29:30 +0300 (MSK)
Date: Sat, 17 Dec 2005 22:26:48 +1100
From: scammer
X-Mailer: The Bat! (v2.01)

Step one is to find out where the message actually came from - for this example I am using an e-mail where the woman claimed to be using an Internet Café in Cheboksary, Russia. I enter the following URL into my web browser:

http://www.ripe.net/perl/whois

Next, I enter the IP address from the line that starts with "Received:" which is:

195.161.214.29

And enter it into the "Search for" field on the web page, which returns the following results:

person: Nikolay Nikolaev
address: Volgatelecom Mari El branch
address: Sovetskaya 138
address: 424000 Yoshkar-Ola
address: Russia MariEl Republic
phone: +7 8362 421549
phone: +7 8362 664435
fax-no: +7 8362 664151
e-mail: nnb@relinfo.ru
nic-hdl: NN-RIPE
source: RIPE # Filtered

I am expecting the address to be Cheboksary and Chuvash Republic - I am not expecting the address to be Yoshkar-Ola and MariEl Republic! Actually, I already had a warning flag in the e-mail header:

Received: from 192.168.0.4
(29.214.dialup.mari-el.ru
[195.161.214.29])

If the e-mail actually came from Cheboksary, I would expect to see the following:

person: Medukov J Alexandr
address: 428000 Cheboxary Lenin av 2a
phone: +7 8352 662912
e-mail: master@chtts.ru
nic-hdl: MJA4-RIPE
source: RIPE # Filtered

How did I get this information? Simple, find a government or business URL in the city you are interested in and enter it into Ripe. You may need to identify the IP address by using the PING command - this will turn a text URL into an IP address that can be searched on Ripe. I will not go into this more, since this topic wanders off topic a bit.

The important thing to note is that the city and republic do not match what was expected - there are a lot of people on this and other web site forums that can assist you if you need more help.

The second test is to examine the message header and look for "X-Mailer:" - in our example we find the following:

X-Mailer: The Bat! (v2.01)

This means that the person sending me the e-mail from a supposed Internet Café is using an e-mail client application. By now, "Red Alert" should be flashing! Why would someone use an e-mail client from an Internet Cafe? Well, most normal people would not - so this is very likely a scam!

Now that I have covered how you can test your own e-mails for scamming attempts, I want to return to the technology topic.

The Bat! (also known as TB! And TB) - I will use TB! From this point on - is an e-mail client application (a program that runs on a personal computer) that is marketed towards companies and individuals that need to manage large volumes of e-mail. The OECD refers to a category of company as a Small to Medium-Sized Enterprise - an SME for short. Smaller SME's often have very limited budgets and cannot afford specialized Sales and Marketing, Customer Service, and other forms of Customer Relationship Management (CRM) software. Our laboratory supports a group company that helps smaller SME's adapt TB! for their business. I mention this because TB! Has been associated with both Spamming and Scamming - the product is legitimate and is a valuable tool for many businesses; unfortunately, the same features that make TB! effective and efficient for companies, also provide a similar benefit to Scammers. There are two features that Scammers find particularly useful:

1) TB! supports a sophisticated macro programming language and a sophisticated ability to manage templates - predefined text that can be dynamically changed by the macro programming language to respond to e-mails. This allows a technically competent person to create a Scamming system that has a high degree of automation while at the same time allowing the scammer to add custom text in predefined areas within the template. The more people that the Scammer can correspond with, the more likely a victim can be found. 2) TB! is designed to work with multiple e-mail servers simultaneously. This makes it very easy for the Scammer to use numerous "dummy" e-mail accounts for Scamming unsuspecting victims (TB! downloads and erases the e-mails from each e-mail server making it harder for investigators to track what was happening).

An e-mail client such as Outlook Express or Outlook Professional and most web e-mail clients such as Yahoo and Hotmail do not offer this level of sophistication. TB! is also very affordable at less than USD $60.00 - well within the means of the typical Scammer. TB! is a product of RIT Labs, which is based in Moldova.

This article was produced by the Enterprise Systems Architecture Laboratory (ESAL) located in Stockholm, Sweden. Reuse of this information free of royalty is hereby granted providing that this notice is included in any reproductions.

Our footnote. Beware!! recently scammers started using other mass-mailing programs (those are usually used to send spam). In particular: FC'2000, Becky and CommuniGate Pro.