From: "GORD CH"<email@example.com>
Date: Tue, 21 Nov 2017 10:44:24 +0900
I have important transaction for you as next of kin to claim US$8.37m email me at firstname.lastname@example.org so I can send you more details
This one suddenly flagged itself up as “interesting” as a result of a couple of comments being made, more on that later.
The Email itself is pretty basic, text only, and does not pretend to look like anything official. It lacks details of why this person is contacting you, but I am not here to evaluate the scammer's Emailing abilities.
The contact address email@example.com can be found elsewhere online, such as at Anti-Fraud International, where this chap, Gordon Chang, seems to have a page all to himself, albeit with a variety of Email addresses. There is a match with ours at the bottom of the page, an Email dating back to June 2017.
The Email we received was from firstname.lastname@example.org and appears to have genuinely been sent via their mail servers. This would indicate that this is a hacked account being used by the spammers. Note that they have added a “reply-to” address. This is the address used when the receiver clicks “reply”, and it is not immediately obvious to the receiver that they are replying to a Yahoo address.
The Spammer left us a few clues to his identity. They generated the Email from their local PC. They used Outlook Express 6, indicating that they are still on Windows XP, possibly Windows Me, 2000 or even 98!
The IP address indicates a Japan origin. Although they could have been using a VPN, the time zone of the Email backs up the Japanese origin.
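The header checks described above (a Reply-To that differs from the From address, the mail client string, the Date time zone and the originating IP), as an added example that is not part of the original post. The sample message is constructed: only the Date and the From display name come from the Email above, the addresses and the Outlook Express build number are placeholders, the IP is from a documentation range, and `triage` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers. Placeholder domains, documentation-range IP,
# placeholder mail client build number.
SAMPLE = """\
Received: from userpc ([203.0.113.7]) by mail.sender.example with SMTP;
 Tue, 21 Nov 2017 10:44:30 +0900
From: "GORD CH" <account@sender.example>
Reply-To: other@webmail.example
Date: Tue, 21 Nov 2017 10:44:24 +0900
X-Mailer: Microsoft Outlook Express 6.00.0000.0000
Subject: (none)

(body omitted)
"""

def triage(raw):
    """Pull out the header clues discussed in the post from a raw message."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    reply_dom = reply_addr.rpartition("@")[2]
    # UTC offset of the Date header; None if the header is missing or unparseable.
    try:
        offset = parsedate_to_datetime(msg["Date"]).utcoffset()
    except (TypeError, ValueError):
        offset = None
    # Received headers are prepended by each hop, so the last one is the
    # earliest. It is supplied by the sending side and is a clue, not proof.
    hops = msg.get_all("Received") or [""]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1])
    return {
        "reply_to_differs": bool(reply_addr) and reply_dom != from_dom,
        "from_domain": from_dom,
        "reply_domain": reply_dom,
        "mailer": msg.get("X-Mailer"),  # sender-controlled, can be faked
        "utc_offset_hours": offset.total_seconds() / 3600 if offset is not None else None,
        "origin_ip": m.group(1) if m else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```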
Then we had a couple of comments. They used two different Email addresses, one a Yahoo address and the other Bank of China, probably to make it appear that the comments came from two independent people. They sent both comments from the same IP, which happened to be a US-based address. I suspect this would be a VPN, as the USA would have been in the early hours of the morning when the comments were posted.