You’ve seen the emails: They claim to have been sent by a financial institution in a faraway land, or from a corrupt bureaucrat in an equally corrupt government. Whatever the ruse, the senders always claim to need your help in spiriting away millions of dollars. These schemes, known as “419,” “advance fee” and “Nigerian letter” scams seemingly have been around forever and are surprisingly effective at duping people. But where in the world do these scammers get their distribution lists, and how did you become a target?
Some of the more prolific spammers rely on bots that crawl millions of Web sites and “scrape” addresses from pages. Others turn to sellers on underground cybercrime forums. Additionally, there are a handful of open-air markets where lists of emails are sold by the millions. If you buy in bulk, you can expect to pay about a penny per 1,000 addresses.
One long-running, open-air bazaar for email addresses is LeadsAndMails.com, which also goes by the name BuyEmails.org. This enterprise is based in New Delhi, India, and advertises its email lists as “100% opt-in and 100 percent legal to use.” I can’t vouch for the company’s claims, but one thing seems clear: Many of its clients are from Nigeria, and many are fraudsters.
Stretching conspicuously across the middle of the site’s home page is a big green message to the site’s Nigerian clientele: “Don’t waste money/times/resources sending [Western Union or Moneygram], Use local deposit option.” The ad links to a page with a list of payment options, which shows that Nigerian customers can pay for their email lists by wiring the money directly from their bank accounts at several financial institutions in Lagos. BuyEmails.org further advises that, “Due to tremendously high rate of fraudulent payments we do not accept Credit Cards or PayPal. E-Gold has closed, so we don’t accept it either.”
The site sells dozens of country-specific email lists. Other lists are for oddly specific groups. For example, you can buy a list of one million insurance agent emails for $250. 300 beans will let you reach 1.5 million farmers; $400 closes on 4 million real estate agents. Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of 6 million prospective work-at-home USA residents for just $99. A list of 1,041,977 USA Seniors (45-70 years old) is selling for $325.
If you don’t care much about who gets your emails, or if you want to target recipients based on their email provider, the price per address goes way down. Consider these offerings:
50 million AOL addresses: $500
30 million Hotmail addresses: $450
30 million Yahoo addresses: $400
5 million Gmail addresses: $350
Don’t have your own botnet or email infrastructure capable of sending so much email without getting shut down by your ISP? No worries: This company also sells “cheap bulk emailing solutions.” It offers bulletproof hosting, which is essentially a Web server equipped with Web-based email. “Totally anonymous – your ISP wont [sic] know that you are sending out bulk emails,” the advertisement reads. “Mail to 1000 recipients in seconds.”
I sought comment via email from the owner of these services, Vikram M. Gautam, but received no reply. Someone, who answered my Yahoo instant message at the support address listed on the site, wished me luck with my “story” (their quotes), but declined to chat further. A quick Google search shows that Gautam is president of Perfect Web Resources LLC, which is a division of an outfit called Perfect Web Technologies Inc., a company that claims to own several U.S. patents on methods for sending email. In 2007, Perfect Web Technologies sued another email list vendor — infoUSA — arguing that the latter had infringed upon its patents. A federal court later invalidated the patent in question, saying it was invalid because it described an obvious “common sense” process (the sending and re-sending of spam until all of the mail is delivered).
There’s a good chance that your email address is now a product in the underground marketplace. The next scam in your inbox may claim to have been sent by a banker or bureaucrat. But, the sender probably got your name from a wholesale list-seller, and not from a trusted friend. Of course, you know enough not to reply to these, don’t you?
If you don’t care whether spammers have your address and you’re not easily spooked, you might be interested in following the folks over at 419eater.com, a group of activists who not only track the 419 scammers but attempt to turn the tables on them. My favorite sections of that site are the 419 Eater Hall of Shame and the Letters area.
Have you seen:
Is Your Computer Listed ‘For Rent’?…When it’s time to book a vacation or a quick getaway, many of us turn to travel reservation sites like Expedia, Travelocity and other comparison services. But there’s a cybercrime-friendly booking service that is not well-known. When cyber crooks want to get away — with a crime — increasingly they are turning to underground online booking services that make it easy for crooks to rent hacked PCs that can help them ply their trade anonymously.