In a recent abuse report to a registrar, we got replies that simply did not make sense. Then we finally realized that the registrar simply does not know what a fake 419 scam bank is! They were (wrongly) under the assumption that because it was a fake bank, it naturally had to be being used for phishing.
This is an opportunity to educate. So let us look at the differences between fake bank websites used for phishing, and fake bank sites used for 419 fraud.
In a phish page, the phisher will try and emulate the real target bank website as closely as possible.
A 419 scammer may impersonate a real bank, abusing the brand familiarity and name, or may chose to create a totally fictitious entity.
Although a phisher may rent his own hosting space and register a domain, a phisher will normally hijack a legitimate website and plant the malicious phishing content on the hacked website.
When it comes to a 419 scam website, the scammer’s consultant (yes, scammers have consultants), will register a domain (typically with fake registration details), rent hosting space and plant the scam website on this hosting space.
In a phish the target is the clients of the brand being spoofed. That’s why the phish has to look identical to the real bank or brand being spoofed.
In the 419 fraud world, the scammer deliberately avoids allowing the victim to use a bank he is familiar with. Typically the bank has to be remote from the victim in another country; this is part of the scam. The victim has to use a fake attorney (played by the scammer). The victim has to encounter numerous tax obstacles and fictitious amounts. The heart of the scam is the victim believing (because he can see it on a website – it must be real) that they truly have a large amount of money in their supposed ‘bank account’ on the fake bank website.
Phishing cause direct brand dilution and issues for the entity being spoofed in a phishing campaign. The call desk etc are flooded with disgruntled clients. Personal information (passwords/etc) of the victim can fall into the hands of the criminals who are doing the phish.
In 419 fraud, it’s rare that the victims phone up the real bank. Typically they still believe they are dealing with a real bank even after being scammed, thinking the other parties they dealt with are the only scammers.
The sole purpose of a phish page is to steal legitimate credentials from of the spoofed entity’s clients.
With a fake 419 bank, the purpose of the website is to flash a fictitious amount as being payable to the victim, typically millions of dollars. However the client cannot gain access to this money unless he pays certain admin fees, taxes and other fictitious fees. The flashed amount is used as motivation for the victim to pay these fictitious fees. The credentials are pre-populated, allowing the victim to log into the fictitious bank.
With a phish, the login has to be as close as possible to the entity being spoofed. After all, the client may have logged into the real website many times and should not get suspicious.
When it comes to a fake bank, as previously explained, the victim will not be familiar with the bank where his money is supposed to be. As such there is no need to imitate a real entity’s login page. Instead, we normally find a bespoke page where the victim has to enter his scammer-supplied credentials. It’s not uncommon to find numerous fake banks on the same IP, all claiming to be different banks, many copied from real banks, but all having the same design login page with only minor cosmetic alterations.
On a phishing page, the contact details (if present) will normally be those of the brand being targeted.
On a 419 bank, the contact details are normally those of the scammers themselves. The telephone numbers are typically mobile telephone numbers. VOIP numbers and other forwarding services are also popular. The UK +447…. numbers are part of the reason why UK banks are so popular in 419 spoofs. The actual address may be fake or taken from a government registry, but victims are unlikely to mail a letter to the bank anyway.
419 scam website statistics are sometimes buried in phishing website statistics. Indeed, it may be impossible to discern between the two if the investigator does not know what to look for.
| May or may not
impersonate legitimate entity
| Impersonates legitimate
| Normally on owned hosting
| Normally on hacked / free
| Target victims are
| Targets victims at
|Does not impact spoofed
|Impacts spoofed entity
| Bank accounts
| Bank accounts do not
exist and collected
| Login screen differs from
real entity’s login *
| Imitates real entity’s
| Contact details may
differ from entity spoofed
| Contact details normally
identical to spoofed
Login pages are a great clue
Upcoming Article: The roles of the scammer technical consultant, the faker maker.