Scammer Reverse Psychology

So yesterday I received an urgent email from a good friend of mine saying the following: "My family and I came down here to Kuala Lumpur,Malaysia for a short vacation unfortunately we were mugged at the park of the hotel where we stayed,all cash,credit card and cell were stolen off us but luckily for us we still have our passports with us. We’ve been to the embassy and the Police here but they’re not helping issues at all and our flight leaves in less than 3hrs from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the bills." Am freaked out at the moment. M- I saw this email was sent to all of our friends. My first thought was “Oh Shit, that sucks, what can I do to help her?” Then rational thought crept back in to my head when I remembered that M was not in Malaysia . . . Hey wait a minute. I quickly learned that M had her Hotmail and Facebook accounts hacked. So this was an obvious scam. Ok now I’m pissed. So I decide to play along. I sent back an email to “M” telling her how worried I was and asking how much I should send her. To my surprise “M” answered back: Glad you replied back,We have nothing left on us right now and we’re lucky to have our life and passports with us it would have been worse if they had made away with our passports. Well all we need now is just RM2,500 or whatever amount you can come up with, to settle the bills and take a cab to the airport. you can have it wired to my name via Western Union outlet or online i’ll have to show my passport as ID to pick it up here and i promise to pay you back as soon as we get back home. Here’s my info below. M- 30 Jalan Pandan Indah Cheras,Malaysia As soon as it has been done, kindly get back to me with the (MTCN) confirmation number. Let me know if you are heading to the WU outlet now??. I will be going offline for an hour hope you we be done before then? The Game is Afoot. But first lets put on out detective hats and see what we can find out . . . Now I am what you might call a bit of a computer nerd. Yes I wear glasses. No they have no tape on them. Yes I have slept with a real woman. And yes I understand binary and hexadecimal. So seeing that I possess all these skills I decided to put them to good use by trying to backtrack the email to its origin. One of the first things I noticed was that the English M used in the email was really good. Whoever sent this is either a native speaker or close to it. So The first thing I did was Google Map the address M gave me in Pandan Indah; though for someone supposedly trapped in Kuala Lumpir with no money, she sure is able to get to pretty fast. It turns out its a BS address, BUT there is a Post Office at Pandan Indah, and according to the Western Union site there is a Western Union store just around the corner. “M” couldn’t possibly be that stupid as to give me a real address to where they would pick up the money, but never underestimate the stupidity of people. But for now this seemed to be a dead end. Let’s look for something else. For those of you who don’t know, whenever you send an email there are a bunch of headers that are included with it that identify who sent it, where it was sent from, what email client it came from, and the route it took to get to you. You can really learn a lot from the email headers. Heres the header for the first email I got from “M” (I’m obviously going to block out any real email addresses): Delivered-To: ***@gmail.com Received: by 10.151.11.13 with SMTP id o13cs287704ybi; Tue, 30 Nov 2010 08:14:37 -0800 (PST) Received: by 10.100.109.15 with SMTP id h15mr5404649anc.184.1291133676261; Tue, 30 Nov 2010 08:14:36 -0800 (PST) Return-Path: Received: from bay0-omc3-s23.bay0.hotmail.com (bay0-omc3-s23.bay0.hotmail.com [65.54.190.161]) by mx.google.com with ESMTP id c4si16523777anc.48.2010.11.30.08.14.35; Tue, 30 Nov 2010 08:14:36 -0800 (PST) Received-SPF: pass (google.com: domain of m***@hotmail.com designates 65.54.190.161 as permitted sender) client-ip=65.54.190.161; Authentication-Results: mx.google.com; spf=pass (google.com: domain of m***@hotmail.com designates 65.54.190.161 as permitted sender) smtp.mail=m***@hotmail.com Received: from BAY157-W41 ([65.54.190.189]) by bay0-omc3-s23.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 30 Nov 2010 08:14:18 -0800 Message-ID: Return-Path: m***@hotmail.com Content-Type: multipart/alternative; boundary="_b543231b-a3f1-40c2-a031-22a8f471c6e0_" X-Originating-IP: [82.128.84.43] From: M*** Subject: My Predicament!! Date: Tue, 30 Nov 2010 16:14:18 +0000 Importance: Normal MIME-Version: 1.0 Bcc: X-OriginalArrivalTime: 30 Nov 2010 16:14:18.0029 (UTC) FILETIME=[A3B015D0:01CB90A9] Wow that’s a lot of information, and most of it was either worthless or bullshit. The first two received lines that show an ip address of 10.151.11.13 and 10.100.109.15 turned out to be bogus. Odds are these are either completely spoofed, are part of a local subnet behind a router or are zombies. In any event they proved to be worthless. Most of the other IPs are for either Google or Hotmail. But upon a second glance I noticed another header: X-Originating-IP: [82.128.84.43]. It turns out that Hotmail puts this in all their emails; I never thought I would say this, but good job Microsoft. Now this looks promising. Some of you may know that you can often determine the geographic location of a person with an IP address. If you didn’t know that, well then you do now. Welcome to the 21st Century. So I fired up the browser and went to GeoBytes.com, entered 82.128.84.43 and hit the button. One guess where it came up . . . No it’s not Kuala Lumpur Malaysia . . . SURPRISE!!! “M” is in Lagos, Nigeria. Holy shit this chick travels fast. Now here’s another trick: you can find even more about a person from their IP address, specifically who owns the ip address. There is a thing called WHOIS that is a huge database of all the Ip addresses in the world and who owns them. Normally you use this to look up domain names and who owns them but its works for IP addresses as well. So I clicked on over to AfriNic who is the registrar for Africa and get back: person: IP Admin-RIPE address: Multilinks Telecommunications Limited address: 231 Adeola Odeku Str. address: Victoria Island, Lagos, Nigeria e-mail: ipadmin@multilinks.com remarks: complaints/spam report : abuse@multilinks.com phone: +2341774000 No big surprise here, the IP address belongs to a local mobile phone company, but it does tell us something. And over the course of my discussion with “M”, I have collected additional IP addresses that all go to local telecoms. It looks like “M” like to go to cyber cafes in Lagos, and if I can collect enough of them I’ll bet I can get a geographic pattern to emerge that will narrow down where poor “M” is. Now back to our story . . . After receiving an email form “M” asking for money, I decided that I would play along and sent back an email telling “M”: Ok I sent you $450. Sorry its all I could do right now, but I know you are in a pinch. The MTCN number is: 5993705206. Please let me know when you get the money. I am looking forward to hearing all about this story when you get back. Good Luck. No I did not send any real money, I’m an idiot but come on. I made up the MTCN number. Today I received a response from “M” telling me they had been to Western Union and that the money was not there, and could I please verify. Well no shit the money didn’t arrive, but “M” is a good friend of mine and I am worried about her so I respond: I don’t know. The money should be there. I called Western Union and verified the transfer. They said it was ok. Try it again. To verify the MTCN number is: 5993705206. Where did you sleep last night? I hope you are doing ok. Did everything work out with the hotel. Please try again. And just for good measure I send a followup with: Please let me know if you have tried again. I spoke with some of the gang back here and they are all really worried about you. I have taken up a collection from them all and we will be able to send some more money soon. A little time goes by and “M” responds with: I have been to the western union again, no record on the MTCN number (5993705206) that you gave me.they said you should track it before coming back to there office. you can also track it online your self at www.westernunion.com. Is this the name you use in send the money D*** ? do you have the receipt? Wow this is just terrible, I mean my friend “M” and her family are out in the howling wilderness of kuala lumpur homeless, hungry, lonely, freezing to death, having to beg for change and eat out of garbage cans just to survive. By now they are probably shoeless covered in tattered rags against the brutal their way uphill (both ways), snow up to their knees, barefoot fighting Nazis the whole way just to get a bowl of gruel at the orphanage. WHY ARE YOU SO CRUEL GOD!!! POR QUE!!!! But I am not deterred: I WILL BRING YOU HOME “M”. So I respond: Ok. I called the place here in LA I sent the money from and they said it went through. They did ask me to confirm the address where I sent it to though? I have a receipt. Should I send it again? You still havent told me how you are doing there? How are you holding up? What did the airline say about your flight? Is there some way I can call you? So far I have collected an additional RM200 from everyone. Hang in there M*** I have also gone so far as to create a fake Western Union receipt from a blank receipt. Although I did have to use David Hasselhoff’s address as the senders address (sorry Hoff). I’ll post that when I can. In the meantime, I decided to contact some law enforcement, namely the PDRM who has an MMSC, but they don’t really seem to care. I contacted Western Union, and spoke with possibly the dumbest customer support person I have ever spoken with, but that is a whole other story in itself. I also contacted the Malaysia Consulate in Lagos Nigeria to ask for their assistance as a liaison with local Nigerian Law Enforcement officials. I haven’t heard back from them but I won’t hold my breath; the Malaysian government is not really know for actually giving a shit about its citizens but I do hope to be surprised