Nigerian (419) scam in an MS Word document

October 2008

A new type of Nigerian scam (aka 419 scam) is circulating, in which the body of the email contains little information (see screenshot below), while the real content is contained in an attached MS Word document.

New 419 scam - email body

The body of the email comes in plain-text and HTML with identical content, so there is nothing strange here. As can also be observed in the screenshot, there is no 'To' field and the email is really sent from the email address and server specified in the 'From' field.

The following screenshot shows the content of the Word document attached to the email, which is written in the type of bad English that is characteristic of this kind of scam:

New 419 scam - Word document

In an attempt to attract recipients' interest, the email makes reference to the recent political turmoil in Zimbabwe, where President Mugabe is accused of killing innocent people. The links point to such news.

Why as an MS Word Document?

An MS Word document is used in this scam because placing the text in an attachment makes it very hard to detect as a phishing scam using techniques that search emails for words that commonly occur in phishing mails: 'millions of dollars', the use of Mr, Ms or Miss, and mentions of African states, deceased relatives and so on.

While 'hiding' spam in an attachment is nothing new (see the entry The Office in the Spammers' Compendium), this is a new technique for 419 scammers.
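
The detection gap described above, seen from the filter's side, as an added example that is not part of the original article: the same keyword scoring is run once over the email body and once over text recovered from the attachment. The indicator weights, the threshold, the constructed sample message and the crude `strings`-style text recovery are assumptions; a production filter would use a proper Word parser.

```python
import re
from email.message import EmailMessage

# Indicator phrases follow the article's list; weights and threshold are assumptions.
INDICATORS = {
    r"millions? of dollars": 3,
    r"\b(mr|ms|miss)\b": 1,
    r"\b(zimbabwe|nigeria)\b": 2,
    r"\b(late|deceased)\s+(father|husband|mother|wife|relative)": 3,
}
THRESHOLD = 5  # assumed cut-off for flagging a message

def score(text):
    """Sum the weights of every indicator pattern found in text."""
    return sum(w for pat, w in INDICATORS.items() if re.search(pat, text, re.I))

def strings(blob, min_len=6):
    """Crude text recovery: printable runs stored as 8-bit or UTF-16LE characters."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return " ".join([n.decode("ascii") for n in narrow] +
                    [w.decode("utf-16-le") for w in wide])

def scan(msg):
    """Return (body_score, attachment_score) for an EmailMessage."""
    body = msg.get_body(preferencelist=("plain", "html"))
    body_score = score(body.get_content()) if body else 0
    att_text = " ".join(strings(p.get_payload(decode=True) or b"")
                        for p in msg.iter_attachments())
    return body_score, score(att_text)

def build_sample():
    """Constructed message: near-empty body, scam text inside a binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg.set_content("Please see the attached document.")
    letter = ("I am Miss Jane Doe from Zimbabwe. My late father left "
              "millions of dollars in a security company.")
    # Constructed blob (not a valid .doc): binary padding around UTF-16LE text.
    blob = b"\x00" * 64 + letter.encode("utf-16-le") + b"\xff" * 32
    msg.add_attachment(blob, maintype="application", subtype="msword",
                       filename="letter.doc")
    return msg

if __name__ == "__main__":
    body_score, att_score = scan(build_sample())
    print(f"body={body_score} attachment={att_score} flagged={att_score >= THRESHOLD}")
```

A body-only filter sees a score below the threshold for this message; only the pass over the attachment text reaches it.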

Sorin Mustaca, Avira

