Summary: I was approached by an nigeria money scammer at the couchsurfing platform. To put the scammers criminal effort into good use, i domcumented the whole case to serve as learning material for my students.
This posting is more about general internet fraud and has less to do with coding. Couchsurfing is an internet site matching people seeking a free place to sleep with people offering such a place. I use the couchsurfing websites for years and recently started not only to surf as guest but also to host guests from all over the world. So far, i never had any bad experience. The most “dramatic” experience i had was a host that was a bit boring, so we ended up watching tv together instead of talking.
Last week however i was contacted by an criminal trying out the classic Nigerian money scam on couchsurfing.
Those scams always operate by playing with the greed of a victim, promising the victim a large sum of money and getting him to pay several small amounts of money to prepare the transfer of the big sum.
As i also teach internet security in my programming courses for children i decided to document the whole case so that my students can learn something.
Couchsurfing (CS) offers features like other social networks, among them messages. The scam began with an opening message:
> >Hello, >You look so great here! >Am traveling to your city this week,can you kindly meet and host me? >
It was early morning and replied in automatic mode:
> >Hi Pastor, aside from the fact that I am really not great looking, of >course I can meet and host. Just write an couchsurfing request. >Please request for 2 nights only. >I don't enjoy hosting couples and I do not host people without cs profile. >
Because i get too many couch requests from couples, usually the girlfriend requesting for her herself and her boyfriend without even bothering to create an CS profile for her friend.
The scammer was not loosing time:
> >Hello Horst, >I will be greatly pleased to have you meet me and be my host for two nights on my travel stay in Vienna. >Thanks. >
The actual request was for 3 nights however. I was just checking if i had not already accepted other guests and that my rooms were free, so i accepted the request. It occured to me only later that this was maybe the first idiot test that i passed sucessfully (not being able to count to three). Or the scammer was also not paying close attention, possibly having to work on several dozends scams at the same time. Who knows.
Accepting an couch request does not automatically means that the requester shows up; often the couchsurfers get several requests responded, so CS offers a “confirm” feature. Unless someone confirms my accepted request, i do not start to take the request very seriously.
I did however at this point (shortly before or after requesting) looked a bit closer at the profile. That's what i found, carefully clobbed togehter by the scammer:
It's full of warning signs, but i had not paid any attention. The only thing that worried me somewhat at this point in time was the religious profession… while i am a Christian myself i found most expressive religious people either boring or arduous, mostly both. The warning sings that should have raised my attention were:
The other thing i should have noticed but did not:
The pictures were not even all from the same person, and had wildly different screen resolutions. I hat not noticed because i watched on my small smartpone screen and not on my computer. The use of low-resolution images happens only if someone right clicks on google image search results pictures instead of uploading original pictures. For fun, use Google reverse image search to see where the scammer got his pictures from. Muslim marriage sites, wikipedia article, sport events… I would at least have photographed the next real-world village beauty myself as a scammer. However, i must confess the scammer did display some taste in choosing pictures of women:
please note that i have no image rights for those images! I use them here for documentary reasons
please note that i have no image rights for those images! I use them here for documentary reasons
The scammer confirmed the (already accepted) request and i sent some more detailed information. I X-ed out some detail information about me here so that the next scammer must at least do some minimal research:
> >Hi Pastor, welcome to Vienna. >Please Tell me exact time and place of your arrival, I will pick you up if possible. >My address is XXXXXXXXXXX, Apartment X, XXXX floor. Ring at “Horst XXXX”. My Phone an WhatsApp is XXXXXXXXX. >I work saturday from XX:XX to XX:XX. >You can reach my home with Public Transport from Metro Station u4 rossauerlände, then cross the little bridge and turn left. >Please read my room description in CS. >
It is usually less time-consuming for me to pick the guests up at their arrival instead of suffering long waiting times where guests wander without phone and wifi connection throug a strange city and need remote guidance or getting lost.
The scammer was of course role playing the charmed lady:
> >Thanks for this great offer,i will repay you with goodness and kindness. >
Up to this point, i had really not even the faintest idea that scammers do exist in Couchsurfing. I think i scored here some more “idiot will do anything for pretty fake profile picture lady” points in the eyes of the scammer.
I was now slowly waking up and not in the mood for long chatting (i wanted to make breakfast). So i tried to fix arrival time for picking up guest:
> >Just Tell me time and place if arrival instead >I had lost Couchsurfers Wandering clueless through Vienna, so i prefer picking them up myself if possible. >
The scammer made an even harder idiot test for me, that i also passed with flying colors:
> >can you come receive me at the arrival lounge of the airport? >
The trip to the airport in Vienna is actually pretty cheap (1,70 €) but a bit time-consuming.
But now it got strange, because i was still getting no arrival information. The real scam was just beginning to start:
> >okay,i will furnish you with the arrival and departure time asap. >Thanks so much once again,Horst. >
I, of course, had trouble understanding why someone requesting a couch could not provide arrival details
> >Yes, Wien Schwechat airport? When exactly is your Pläne arriving? Please write Date and time >
> >Wien Schwechat = VIE I think. Make sure you are not arriving via Bratislava airport or I won't find you >
And so i forced the Scammer to increase his skill in geography, making the world a minimal better educated place, one scam at a time:
> >Yes,Vienna International Airport,Schwechat >
> >Ok! Do you know arrival time and Date of your flight? Please write me as soon as you know >
Now the scam started for real:
> >Okay,i will.But there is this problem am having right now. >I am cash-strapped at the moment and i need to make some shopping tonight. >My donor agency which will be transferring 13 700usd to me asked me to furnish them with an Austrian Bank account to transfer the money. >Can you help with this,kindly? >
> >Since you are my kind,trusted and amiable host,i prefer to use your bank account for the transfer of the donor's fund > and get it from you on my arrival with meeting you in person. >Thanks very kindly in advance. >
I was munching muesli at this time and slowly realizing that something was not exactly right:
> >Sounds exactly like one of those famous nigerian scams, lol. I will Report you to cs to be in the Safe side. >Please leave me out of any Bank Operation Plans. You can open an local Bank Account right at the airport and >I am sure your Church/Organisation has contacts somewhere in Europe to help you. >
As you can see from my response i was still not completely ruling out that i was dealing here indeed with some innocent american church lady. I think it's the same feeling you have when you see a strange person in your home: You know that burglars exist but your brain searches for any other, more pleasant explanation, like that someone has confused the door and all is a harmless misunderstanding.
I had however the sense to click on Couchsurfings “report user” button and got those automatic generated email:
>from horstXXXX >Please provide more information on why you are reporting this user. >Do not remove the content below the line >Hello I think this is an nigerian Money scam. I proposed picking up guest > from airport but instead of Sending arrival time i got asked for Bank Account >to help with money Transfer. >Please Block and warn other Users of this scam, better Block whole Nigeria or Display > huge warning box for every CS request from Nigeria. >Pattern: >Fake profile >Contact via msg First >Request stay, make compliments >Don't give Details of arrival but instead ask for Bank Details >because of last Minute money Problems. >Classic! >__________________ >CS Mobile Safety Report Horst XXXX (XXXXXXX) reporting >Pastor Georgina Waters(2004803270): >http://www.couchsurfing.com/users/2004803270/profile Your request (#392867) has been received and will be reviewed by our support team as soon as possible. As ticket volumes are currently high, it may take up to three days to receive a reply from us for issues not related to member safety. Thanks for your patience while we get to your request! To add additional comments, you can reply to this email.
Up to three days sounded like a lot of time. Time enough for the scammer to continue business as usual. Either he was not taking the “report” feature very seriously or he simply did not care.
> >Well,am for real,am a woman of God with good heart.I assure you no foul play from me,am a trusted and honest lady with the heart of God. >This is pure truth from me,my dear.Have a nice time,i still hope to invite you to my hotel in Vienna when i arrive. >
At this point there I was fully awake and had no more doubt about it: I was communicating with an real Nigerian scammer.
> >You are already Reported, and I will spread warning about this scam. >
The reaction of the scammer to my “discovering” made me speechless. This guy had real high criminal work ethic, and was continuing scamming me like reading from a classic “how to scam idiots” script. Or was i scammed by an artificial intelligent scam bot already?
> >Can you kindly assist me with just 1 250usd to make my trip and get refunded on my arrival in Vienna after i have opened a >local bank account and get the money transferred into it? >
I never had such an interesting breakfast conversation…
Being a nerd, i wanted play with my new toy:
> >Please continue! Why just 1250,-? >
> >Thanks for caring.1 250usd is just okay to do my shopping and fare ticket. >Do you use Western Union Money Transfer Service? >
I think at this point, me and the scammer enjoyed both a very good time, even if for different reasons. I could not help myself and had to troll back a bit:
> >No I use Bank Account. >
My reward was some religious-philosophical insight, all the more meta because coming from a real gangster. Maybe he was a low-level computer clerk, clocking away mindless hours of doing an brain-insulting dead-end job for his criminal boss, sweating in an not air-conditioned, fly infested internet cafe? Or do even Nigerian scammers out-source the most mindless part of the work (like flirting with me) to chat-bots or 4th-world-countries? I felt like witnessing someone doing a very fine joke here while his stopwatch-wielding boss was looking over his shoulder without understanding it.
Or maybe i am hopeless romantic and the scammer was just following his sales script:
> >Thanks for your care so far.On the day we can fully trust one another,the world will be a better place for all to live in. >You may wish to send the money to me using a faster and more convenient Western Union Money Transfer Service nearest to you. >
> >I promise you am gonna refund you as soon as i open a local bank account there with you at the airport when you come to receive me >and i asked the donor organization to transfer the fund there. >God bless you and your family and i look forward to meeting and greeting your family during my stay with you. >
I wanted to lure the scammer into disclosing personal data by playing the innocent worried idiot:
> >Can you please send me a proof of your identiy, like an selfie with your Passport? I am relucant to get involved into money operations > with people I do not know personally >
And got something:
> >Its okay.Do you promise to help me? >You may kindly use this info to transfer the 1 250usd to me here through Western Union. >Name of Receiver:Georgina Waters >Country/City:Nigeria/Lagos >Zip code:23401 >
It seems that it is that easy to get money disappering, with the help of Western Union. And everyone is giving bitcoins and cash a bad name! Western Union has however a fraud report hotline
Meanwhile, i played with my new toy, hoping for some hasty mad photoshopped passport-with-face digital artwork.
> >Yes, No priblem, I am already preparing the Transfer! I just need proof that you are the same Person as in the CS profile >
> >Please make a picture of yourself (your Face) with open Passport (so that Name and nationality and Photo are visible, >best Hold them next to your Face). Just send the Pic by WhatsApp or to Email XXXXXXXXXXXXXXXXX.at >
And the new toy overexceeded my wildest dreams:
> >Thanks dear.Am assuring you you are not going to be disappointed dear. >i will tell you more about me,maybe at a special candlelight dinner in your city if you plan to take me out. >
Motivation is key here, combined with religion of course:
> >1250,- usd is really not that much and I am glad to be able to help out a nice christian lady in a difficult Situation. >I am sure god will honor good deeds and punish Bad ones, if not in this life, then in the afterlife. >
Instant reward of philosophical quality:
> >You are absolutely correct,now,i have no doubt in my mind that you have a good heart and God Almighty and indeed >humanity will handsomely reward you for this laudable and godly gesture you are about to do. >
Dangling the carrot a bit:
> >i am in 5 minutes at the western union office. please send the picture fast, so that i can make the > transfer before i have to meet my customers, i will have not much time later >
We played some kind of excuse-ping-pong:
> >Respectfully sir,can i have your e-mail address to send that? >
> >i send you 32 minutes ago, just scroll down the cs messages >
> >Its okay.Now i check. >
And i really got an email!
from: firstname.lastname@example.org Hi Horst, Shortly i will send it.Thanks in anticipation.
The main communication remained at Couchsurfing however:
> >i got an email from you, but with no photo. sadly, i have a meeting now but i will be back in 2 hours, >than i have a short break where i could go to the western union office. >later i will be with customers all day and will have no time. please hurry. >
> >But sir,you may still go ahead with the transfer i wholeheartedly assure you with the faith and trust of God, >the creator of heaven,earth and humanity that i am who i claim to be. >I need the money urgently yo do my last minute preparation. I promise to send you the photo as soon as its ready. >Trust me and do the transfer to me now before you go for your meeting. >God bless you richly. >
Meanwhile, the Couchsurfing Support team had reacted, in less than 30 minutes. I was contacted by “Florian from Couchsurfing”:
from Florian (Couchsurfing Support) Hello Horst, Thank you for contacting us about this. I've looked into it and have now taken appropriate actions, according to our policies. Please let me know if you find this type of abuse in our system again. Florian Couchsurfing Trust and Safety
i wanted to know more:
from Horst Hello Florian from CS Support. Thanks for reacting so fast. However, I do not understand what your reaction and measures is exactly, as you are extreme vague with your answer. Can you provide details about what precisely your company is doing about this kind of scam? Blocking member? Warning? Nothing? As I make articles and Seminars about Internet safety for my Students, I would love to include your official reaction. Greetings from Vienna, -Horst
and was not dissappointed:
At this point, the CS profile of the Scammer was already blocked.
And shortly after that i got a second, more strange email from the scammer:
from email@example.com Hello, I mean no harm.Kindly,have a rethink.
I did indeed, documented the whole case and use it now as teaching material for my students about internet safety.
I noticed Florian from CS support about my blogposting and got this very nice email:
from Florian Hello Horst, Thank you for the note. My boss has actually seen this already (it must have come up via a Google alert) and showed it to me earlier today. It's a very impressive documentation of a scam that hopefully most people are now aware of. I've seen similar transcript for phone scammers (where they pretend to call from Microsoft Support or something similar). I have a lot of respect for people like you who actually take the time to keep the scammers busy. Every minute that they are busy with someone like you (is time) they can't use to try and trick someone who might fall for it. In that sense, thank you for your service. Thanks again and please don't hesitate to reach out again any time! Florian Couchsurfing Trust and Safety
I have to say it, this man never gives up. I got another email!
from firstname.lastname@example.org Hello Horst, Lovely day to you,you still remember me? Today,i just remember you when i saw your cute pic here.Even though you let me down, but i forgive and forget and still want a good relationship between us. I mean no harm,am just a young christian lady. Talk to you later and have a great time.
I contacted Gmail to get the scammers email account removed, i am curious how the reaction of gmail support will be.