March 9, 2020 By Moazzam Khan 5 min read

It would be a challenge to find someone who has not heard of the now-infamous “Nigerian Prince scams,” also known as “419 scams” and “advance-fee scams.” The concept itself dates back to the era of the French Revolution, and it has endured because it preys on human gullibility. More recently, it has moved to the internet, where it deceives scores of email recipients hoping for a big payday.

Online scams in this category involve the victim receiving emails that promise a large sum of money in exchange for help with some supposed business transaction. According to the scammers, the money is usually stuck in an offshore account, and you are promised a considerable share of it if you are willing to pay a “small fee” up front to release it from the bank. The fee is the scam: once it is paid, the promised fortune never materializes.

Lately, while shuffling through some emails, I personally stumbled upon what I thought was the same type of scam. However, after playing along to an extent, I came to learn that online scams originating from Nigeria have evolved. While some stick with the old rich prince ploy, others have devised more elaborate schemes to secure money. If you’re thinking cryptocurrency might be involved, then you’re right on the money.

A Romance Scam Grooms Potential Victims

It all started on a dating app. I matched with a profile that appeared to be legitimate. Unlike other fake profiles that are obvious to spot, this person’s pictures looked like an honest user’s might. The profile description was detailed and pertinent to the geographical location where the person claimed to live. To add an extra layer of authenticity, the person even called me on the phone to help gain my trust.

Although things seemed fine at first, there were some early signs that gave them away: being suspiciously eager to have frequent phone calls from the start, messaging in the early hours of the morning, using WhatsApp instead of SMS and having little contextual understanding of the city where they claimed to live.

Now feeling suspicious, I wanted to at least find out where this person was located. Since they claimed to have an MBA and be an expert in investments, I created a fake real estate listing on a web page I controlled that logged the IP address of anyone who opened it, and asked them whether the house in my link would be a good investment. They took the bait, and the logged address geolocated to Lagos, Nigeria. (IP geolocation is approximate and can be defeated by a VPN or proxy, but in this case it was consistent with every other sign.)
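The kind of “canary” listing page described above, as an added example (this is not the author’s code, and the path `/listing/42`, the port and the page body are assumptions). It records the TCP peer address of every visitor; the `X-Forwarded-For` header is honoured only when you state that your own reverse proxy sits in front of the server, because any client can set that header to whatever it likes.

```python
"""Minimal tracking page: serves a fake listing and logs who opened it.

Added example, not code from the original article. Host it on a machine
you control and share the URL only with the person you are testing.
"""
import http.server
import ipaddress
import threading
from datetime import datetime, timezone

VISITS = []  # in-memory log; append to a file in real use
BAIT_PATH = "/listing/42"  # assumed path sent to the target


def _pick_client_ip(peer_ip, headers, trusted_proxy):
    """Return the address to log.

    Only use X-Forwarded-For when trusted_proxy is True (our own proxy set
    it); otherwise the header is attacker-controlled and we keep the peer.
    """
    forwarded = headers.get("X-Forwarded-For", "") if trusted_proxy else ""
    candidate = forwarded.split(",")[0].strip() if forwarded else peer_ip
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed header: fall back to the TCP peer


def record_visit(path, peer_ip, headers, trusted_proxy=False):
    """Build one log record; 'non_routable' flags private/reserved space,
    which usually means you are looking at your own proxy, not the visitor."""
    ip = _pick_client_ip(peer_ip, headers, trusted_proxy)
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "path": path,
        "ip": ip,
        "non_routable": not ipaddress.ip_address(ip).is_global,
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),
    }


class ListingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != BAIT_PATH:
            self.send_error(404)
            return
        VISITS.append(record_visit(self.path, self.client_address[0], self.headers))
        body = b"<html><body><h1>3BR house, asking $420,000</h1></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep stdout quiet; VISITS is the log


def serve(host="127.0.0.1", port=8080):
    """Start the server in a background thread and return it."""
    srv = http.server.HTTPServer((host, port), ListingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = serve()
    print("serving bait page on http://%s:%d%s" % (srv.server_address + (BAIT_PATH,)))
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it, send the target the bait URL, and read `VISITS` (or the file you write it to). If the logged address is in private space, the request reached you through a proxy or load balancer and you need to log on that hop instead.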

The Plot Thickens

After establishing that this was indeed a scam and the person was lying about their true whereabouts, I wanted to know their end goal. The individual I was speaking with claimed to run a cosmetics business and deal in bitcoin investments to supplement their income. The mention of bitcoin piqued my interest.

After some initial pleasantries, they began rolling out their pitch, claiming that they had made $9,000 from an initial investment of $5,000. They proceeded to send me a series of videos of people claiming to have made large sums of money by investing in bitcoin as well. I feigned interest and asked the individual to explain the details, at which point they said I would first need to buy bitcoin on a crypto exchange of my choosing. I had initially suspected they would steer me to a fake exchange set up to sell coins that buyers would never receive, but they did not care where the coins came from.

Then came the more specific part: I would have to use a site called “au2traders[dot]com” to invest my bitcoin. The scammer insisted I use this specific domain for investing the cryptocurrency, so I knew that the scam lay in wait there.

I went on to evaluate the site and found many easy-to-spot issues that told the tale of an online scam. The website wasn’t well-developed and appeared to be hurriedly put together — links to social media did not work, there were grammatical errors in the text and there was no phone number listed for support, only an email address for supposed customers to contact in case they had issues. The website’s footer did not even note the incorporated name of the company that operates au2traders.

The site also showed a fake physical address in New York City with an invalid six-digit zip code; U.S. ZIP codes have five digits (plus an optional four-digit extension), so a six-digit one cannot be real. 108 Adam Street in New York is located in Brooklyn, with the postal code 11201.

A search on the X-Force Exchange threat intelligence platform listed this website in the spam category.

I wanted to see who owned the domain and how long ago it was created. A quick WHOIS query revealed that it was registered just 50 days earlier and the domain was protected using a privacy protection service that hides the domain owner’s identity and address and replaces it with the service’s address.
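The checks from the last few paragraphs (malformed ZIP code, freshly registered domain, registrant hidden behind a privacy service) are easy to script so they can be run against any site a stranger insists you use. The following is an added example, not the author’s code: the WHOIS record, domain name and address are constructed samples rather than the real au2traders record, and the 90-day “too new” threshold is an assumption.

```python
"""Scripted due-diligence checks for a suspicious site.

Added example, not from the original article. SAMPLE_WHOIS is a
constructed record in the usual registrar key: value layout; feed the
functions the text you get from a real `whois` lookup.
"""
import re
from datetime import date

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TRADERS.COM
Creation Date: 2020-01-05T14:32:10Z
Registry Expiry Date: 2021-01-05T14:32:10Z
Registrar: Example Registrar, LLC
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protection Service Inc.
Registrant Street: PO Box 1
Registrant City: Anytown
"""

# Strings that commonly appear in registrant fields when a privacy/proxy
# service stands in for the real owner (list is illustrative, not exhaustive).
PRIVACY_MARKERS = ("privacy", "redacted", "proxy", "whoisguard")

US_ZIP = re.compile(r"\d{5}(?:-\d{4})?")


def whois_field(text, name):
    """Return the value of the first 'name: value' line, or None."""
    m = re.search(r"^%s:\s*(.+)$" % re.escape(name), text, re.M | re.I)
    return m.group(1).strip() if m else None


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def domain_age_days(text, today):
    """Days between the WHOIS creation date and `today` (date or ISO string)."""
    created = whois_field(text, "Creation Date")
    if not created:
        return None
    # Registrars emit 2020-01-05T14:32:10Z or 2020-01-05; the date part is enough.
    return (_as_date(today) - date.fromisoformat(created[:10])).days


def uses_privacy_service(text):
    """True if the registrant contact fields point at a privacy/proxy service."""
    fields = (whois_field(text, f) or "" for f in
              ("Registrant Name", "Registrant Organization", "Registrant Email"))
    blob = " ".join(fields).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def valid_us_zip(zip_code):
    """Format check only: five digits with an optional +4 extension."""
    return US_ZIP.fullmatch(zip_code.strip()) is not None


def assess(whois_text, address_zip, today, min_age_days=90):
    """Collect red flags; an empty list means none of these checks fired."""
    findings = []
    age = domain_age_days(whois_text, today)
    if age is None:
        findings.append("no creation date in WHOIS record")
    elif age < min_age_days:
        findings.append("domain registered only %d days ago" % age)
    if uses_privacy_service(whois_text):
        findings.append("registrant hidden behind a privacy service")
    if not valid_us_zip(address_zip):
        findings.append("listed US ZIP code %r is not a valid format" % address_zip)
    return findings


if __name__ == "__main__":
    for flag in assess(SAMPLE_WHOIS, "100012", "2020-02-24"):
        print("-", flag)
```

None of these signals is conclusive on its own: many legitimate owners use WHOIS privacy, and a new domain may simply be a new business. The point is that a site demanding a $300 deposit which trips all of them at once deserves no benefit of the doubt.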

Testimonials on the website described people who apparently went on to complete millions of trades and were now top earners. The site also featured photos of the individuals — a nice touch. A simple reverse image search on Google showed me that there were hundreds of copies of these exact same generic images available on various sites across the internet.

I also searched a professional network for employees of this supposed company but only one result emerged, noting a marketing specialist located in New York City, the supposed location of the headquarters with the fake address.

A Scam Is a Scam

I went ahead and opened an account on the site to glean more information about what appeared to be a rather gray area to me. The site required a minimum deposit of $300 to begin trading, and there were options to trade in different cryptocurrencies.

Although I’m unsure as to how exactly the scam unfolds after one deposits bitcoin on the platform, all the information I gathered on the website leads me to believe it was set up by someone looking to receive anonymized cryptocurrency payments from users who would never see their money again.

The very lengthy “Terms and Conditions” page on the website warns the reader that they are trading in binary options and that they could lose part, or all, of their investment. Many odd rules are applied to any attempt to withdraw one’s money from the platform. It also notes that service is not available to residents of the U.S. or Canada, yet the company is supposedly located in New York.

Binary options trading is a frequent vehicle for fraud and has been banned or restricted by regulators in many jurisdictions across the globe. The FBI has been investigating binary options scams, and some cases have been tied to criminal syndicates. Testimony from an FBI agent in a recent binary options fraud case described tactics very similar to what I saw in my own review of this scheme.

Indeed, online scams have come a long way, and grooming potential victims via romance scams is just the tip of the iceberg. A word to the wise: Remain vigilant about any off-topic communications with people online. Keep your heart, and your hard-earned money, protected from fly-by-night fraud.
