The Faker Maker
The role of the Faker Maker in 419 frauds is not generally known, yet he is key to the long-term success of a scam. The origins of the term have been lost, but it is used to describe somebody who knowingly facilitates 419 frauds from a technical perspective, for personal gain and in exchange for the risk of doing so. He is a technical specialist providing services to parties involved in 419 fraud, knowingly and willingly. It is not uncommon to find smaller online companies such as web designers and/or hosting providers in this role. Typically these parties will have access to domain reseller facilities.
The services of such a party will typically include:
- registering domains
- creating fraudulent website content
- obtaining hosting space for the fraudulent content
- populating the hosting space with fraudulent content
- configuring email addresses for 419 fraud
In this process it is not uncommon to find both domain reseller and web hosting reseller accounts being abused. This party’s long-term success depends on his ability to develop defensive techniques that prevent detection and allow the scam to withstand challenges such as take-down notices and suspensions. For these reasons multiple accounts will be used, and various devious techniques will be abused to prolong the lifetime of the scam.
Such a party is well versed in stealing online content and adapting it for abusive use. It is not uncommon for even experts to mistake a fake bank used in 419 frauds for phishing, because tools such as HTTrack Website Copier are used to clone the real site. However, the faker maker typically attaches a bespoke fake banking system in place of the real bank’s. The website stolen may equally be a courier website, with a similar bespoke tracking system bolted onto the stolen and adapted content, or any other type of website needed, such as a lawyer’s or other corporate website. Where bespoke back-end banking and courier portals are used, these can identify the faker maker: re-use of the same bespoke designs across domains should be considered a red flag.
Equally, the content may be bespoke, reflecting a totally non-existent entity used to deceive consumers. This decision is typically that of the scamming client, the Oga. Stolen content abusing the goodwill of the real company may meet with challenges from the real content owners, whereas bespoke content may not be as appealing to the scammers as it reflects an unknown name. It is not strange to see UDRPs succeeding against a faker maker’s 419 domains, yet with the UDRP describing a phishing incident. Nor is it strange to see that, no sooner has such a UDRP succeeded, than a new spoof is set up to continue the scam against the same brand.
For these reasons the faker maker may choose to hide online content behind bogus “Under Construction” pages, fake open indexes or even fake “Suspended” pages, while the real content resides in a sub-directory on the hosting account. Equally the content may be hidden on a sub-domain, or a combination of these techniques may be used to make detection difficult. It is in these methods that the faker maker advises and assists his clients in the initial planning stage. Yet these very hiding techniques may also be the identifying marker for orchestrated facilitation. Examples include the same unique sub-domains, or the same unique sub-directories, being used across domains.
Various hosting accounts are also used to move websites after an abuse notice, while the upstream network owner or hosting provider believes his legitimate client has addressed the issue. As such the scam is prolonged. Once the scam runs out of hosting accounts, or the domain is suspended, the same website may re-appear on another domain name, sometimes slightly altered, and continue. Yet many times the same victim databases and other remnants, such as email addresses, are left as they were.
Some of these parties may set up separate domain names for email and for web content. If the content domain is disrupted, the fraudsters are still able to maintain email communications. Other scams are purely email driven, with no associated web content; this last case is typical when impersonating the authorities. It is knowledge of all these techniques, and of how best to manipulate and abuse them to perpetuate 419 fraud, that makes a faker maker successful.
Faker Makers are extremely active in the West African fraud facilitation space. They can be identified once the researcher knows what to look for. However, data has to be analyzed continuously and at various levels (registration details, hosting, sub-domains, sub-directories, bespoke back-end portals) to properly identify the extent of the abuse and to ring-fence the “nest”. These nests can easily exceed 100 active domains at any one time, with over 300 having been found. Terminating a single domain or hosting account has no disruption or protection value. One such party has been recorded with over 1600 domains so far; he uses many identities and has been facilitating for years.
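The ring-fencing described above can be automated as a pivoting exercise: every domain is recorded with the markers it exposes (hosting IP, sub-domain label, sub-directory, bespoke back-end design), and domains that share a sufficiently specific marker are joined into one nest. The following is an added example, not Artists Against 419’s own tooling; the sample records, the marker types, the `GENERIC_MARKERS` set and the `MAX_SHARE` cut-off are all constructed assumptions. The important caveat it encodes is the one the article makes: only unique markers link domains, so a generic “Under Construction” holding page or a heavily shared hosting IP is deliberately not treated as evidence.

```python
"""Cluster suspected 419 domains into "nests" by shared infrastructure markers.

Added example, not part of the original article. Records and marker values are
constructed (RFC 5737 addresses, reserved .example names); the marker types
mirror the identifying markers the article names: re-used sub-domain labels,
re-used sub-directories, re-used bespoke back-end portals and shared hosting.
"""
from collections import defaultdict
from typing import Dict, List, Sequence, Set, Tuple

Marker = Tuple[str, str]            # (marker type, marker value)
Record = Tuple[str, List[Marker]]   # (domain, markers observed on it)

# Assumption: markers too common to be linking evidence on their own.
# A generic holding page or the root path proves nothing about who built it.
GENERIC_MARKERS: Set[Marker] = {
    ("path", "/"),
    ("path", "/index.html"),
    ("subdomain", "www"),
    ("page", "under-construction"),
    ("page", "suspended"),
}

# Assumption: a marker shared by more than this many domains is treated as
# shared infrastructure (e.g. a busy shared-hosting IP), not a nest signature.
MAX_SHARE = 25


class DisjointSet:
    """Union-find over domain names; each root identifies one nest."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def linking_markers(records: Sequence[Record]) -> Dict[Marker, Set[str]]:
    """Map each marker to the domains carrying it, keeping only markers that
    are specific enough (not generic, not over-shared) to link domains."""
    by_marker: Dict[Marker, Set[str]] = defaultdict(set)
    for domain, markers in records:
        for marker in markers:
            if marker not in GENERIC_MARKERS:
                by_marker[marker].add(domain)
    return {m: d for m, d in by_marker.items() if 2 <= len(d) <= MAX_SHARE}


def ring_fence(records: Sequence[Record]) -> List[Set[str]]:
    """Return the nests: sets of domains connected by shared linking markers,
    largest first. Domains with only generic markers end up alone."""
    dsu = DisjointSet()
    for domain, _ in records:
        dsu.find(domain)  # register every domain, even unlinked ones
    for domains in linking_markers(records).values():
        first = next(iter(domains))
        for domain in domains:
            dsu.union(first, domain)
    nests: Dict[str, Set[str]] = defaultdict(set)
    for domain, _ in records:
        nests[dsu.find(domain)].add(domain)
    return sorted(nests.values(), key=lambda nest: (-len(nest), sorted(nest)))


# Constructed sample: a fake bank moved to a second domain, a courier spoof on
# the same account, a second courier re-using the bespoke tracker, and an
# unrelated site that only shows a generic holding page.
SAMPLE_RECORDS: List[Record] = [
    ("example-bank-online.example", [("ip", "203.0.113.10"), ("path", "/"),
                                     ("page", "under-construction"),
                                     ("path", "/onlinebanking/secure/"),
                                     ("backend", "portal-v3")]),
    ("examplebank-secure.example", [("ip", "203.0.113.11"),
                                    ("path", "/onlinebanking/secure/"),
                                    ("backend", "portal-v3"),
                                    ("subdomain", "ebanking2")]),
    ("fast-courier-track.example", [("ip", "203.0.113.11"),
                                    ("subdomain", "ebanking2"),
                                    ("backend", "tracker-v2")]),
    ("some-law-firm.example", [("ip", "203.0.113.12"),
                               ("page", "under-construction"), ("path", "/")]),
    ("other-courier.example", [("ip", "198.51.100.5"),
                               ("backend", "tracker-v2")]),
]

if __name__ == "__main__":
    for i, nest in enumerate(ring_fence(SAMPLE_RECORDS), 1):
        print(f"nest {i}: {sorted(nest)}")
```

Run on the constructed sample, the four spoofs collapse into one nest even though no single marker is shared by all of them (the bank pair share a sub-directory and back-end, the second bank domain and the courier share a hosting account and sub-domain label, and the two couriers share the tracker), while the law firm showing only a generic holding page stays unlinked. In practice the records would be fed from an abuse archive and `MAX_SHARE` tuned to the data.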
Once the role of the Faker Maker is understood, it is also easy to understand why these parties enter the phishing, malware and other cyber-abuse arenas. As it is, it is not uncommon to see that, once a scam has been totally disrupted, these activities take place on the supposedly suspended accounts. Credential stealing by spoofing email providers like Hotmail, Gmail and Yahoo is extremely popular, as is spoofing online facilities such as Dropbox. Later we see these parties spoofing legitimate companies with bespoke typo-domains in what may be B.E.C. attacks. As such it is our contention that the consumer is the training ground for later B.E.C. attacks on commerce.
More can and should be done to disrupt these parties, as it is possible. After all, the Faker Maker is key to understanding who the ring leader Ogas are; they are his clients. A number of these parties have been arrested, but the more successful of them have gone on to become wealthy, one even being a well-recognized millionaire businessman.
To be clear: much as we would like to consider all abuse to be a content issue rather than a domain issue, 419 fraud is most definitely domain-based abuse. More so, every year domains in the hands of faker makers are used with devastating effect against consumers and business, undermining trust and confidence in the net.
The faker maker may be a hosting provider’s reseller client, subscribing his own aliases to earn reseller credits on an account for recruiting new clients, then defrauding from all these accounts. The faker maker may be a domain reseller, polluting the domain name system.
Once again, Artists Against 419 is currently disrupting such a faker maker. Currently over 100 active domains are spoofing lawyers, banks and legitimate commerce. So far about 800 historical domains have been recorded, linked to one party. No sooner had a major bank won a UDRP for the second time in as many years against the same party, than he simply replaced the domain with a new one, re-hosting the same content on the new domain. A $10 domain is cheaper than a $2500 UDRP any day, making cyber crime profitable. It is registrars who blind themselves to obvious issues with “We are only a registrar” type responses, ignoring obvious fake registration data and their ICANN RAA obligations, that are these miscreants’ allies. Faker makers appreciate such a registrar’s willingness to accept any money, even stolen money. We regularly see our abuse reporting archive receive such replies from “honorable ICANN accredited” registrars!
Service providers may wish to take a closer look at the accounts of resellers who are constantly the source of abuse reports linked to 419 fraud. Look, analyze and understand what is happening on your services. Artists Against 419 will gladly assist any service provider. However, do not pass the buck as “not your responsibility”. Be part of the solution, not the problem. The faker maker is the enemy in the gates of a trusted internet.