Why do Nigerian scammers say they are from Nigeria?

Nigerian scam is a generic term for the category of scams that always follow the same scheme: the widow/lawyer/son/exiled person has a huge sum of money blocked somewhere.  They need the help of a trusted person to exfiltrate this money.  You are this person.  Of course, you will be nicely rewarded for your help.  Obviously, if you accept to help, soon the scammer will ask a minimum fund to be able to make the paper or bribe the proper officials… Of course, at the end, no money transfer to you.   Nigerian scam is a very old trick.


As Nigerian scam is old and well-known, the question why the attackers still use such an obvious trick is a valid one.  And the basic answer that attackers may be stupid is not appropriate.  HERLEY Cormac, from Microsoft Research, provides a very convincing answer.


Scammers have also false positive.  This type of scams needs a lengthy interaction with the target.  This interaction has a cost (time, effort).   When starting the interaction, the attacker would rather like to have no false positive.  Ideally, the attacker should only start with viable targets, i.e. targets that will carry the interaction till the succesful skimming.   Intuitively, you may guess that the more gullible the target is, the higher the chance of success is.  Therefore, using such a worn-down trick filters the initial respondents.  It skims out only the most gullible persons. Thus, it lowers the rate of false positive.


Cormac analyses the typical Receiver Operator Characteristic curves that are usually used to draw the tradeoff between true and false positive of classifiers.  He checks for the optimal operating point.   He analyzes the impact of density (i.e. the ratio of viable targets) and the quality of the classifier.   Then, he applies the outcomes to the Nigerian scams.   He shows that the “dumbness” of the mail is a good classifier and that the attackers try to operate in a better overall profit.


This paper is interesting to read as it uses the usual maths for classifiers to analyze the impact of false positives on the financial gain of the attacker.  It takes also the stance that not all scams are costless to attackers.


The paper reference:

C. Herley, “Why do Nigerian Scammers Say They are from Nigeria?,” Berlin, Germany: Microsoft Research, 2012 available at http://research.microsoft.com/apps/pubs/?id=167719.

You are what you wear

Usual knowledge is that what you are wearing has some influence on the perception of your interlocutors.   When visiting a therapist, would you  trust more the one  in shorts and torn tee shirt than the one formally dressed?   But  do your clothes have some influences on your behavior?

This is what ADAM Hajo and GALINSKY Adam  explored in their paper “Enclothed cognition”.  And their findings are interesting.

Yet, the clothes we wear have power not only over others, but also over ourselves.

Clothes have influence on our behavior and even efficiency!  To prove that, they set up an experiment comparing the respective performance on completing a task between people wearing a white labcoat and people without the labcoat.   The first group performed better than the second group.

We posit that wearing clothes causes people to “embody” the clothing and its symbolic meaning.

This is even more interesting.  It is actually not the cloth itself but rather its symbolic meaning that impacts the wearer.  In another experiment, they created three groups;  the first group wore  a white labcoat that was announced to be for doctors.  The second group wore the same white labcoat but this time it was announced to be for painters.   The third group did not wear any labcoat.   The first group consistently performed better than the two other groups.   The people wearing a “painter” labcoat performed not better than people without a labcoat.

How is that related to security?   SOCIAL ENGINEERING!  We already knew that  you’d better be dressed in a way consistent with is expected from the role you are try to mimic. This helps to trick the target and to create good ground for trust;  here clearly, clothes carry a strong symbolic meaning that influences the victim.  Uniforms carry a message of order, authority and strength.  Labcoats carry a meaning of science, and expertise. ..   It seems that these clothes may also help the social engineer to  perform better his “supposed” role. 

By the way, in our daily life, could this trick help to boost our performances?


H. Adam and A.D. Galinsky, “Enclothed cognition,” Journal of Experimental Social Psychology, vol. 48, Jul. 2012, pp. 918–925 available at http://www.utstat.toronto.edu/reid/sta2201s/labcoatarticle.pdf.

Ghost in the Wires

Or the official biography of Kevin Mitnick.   In the 90s, Kevin Mitnick was known as the World Most Wanted Hacker.  He is an artist of social engineering.   His book “The Art of Deception” is a reference on the topic.

This new opus tells the history of Kevin from his youth till the day he was free.  Do you remember the “Free Kevin”  protesting movement?  Is this new book interesting?  I read with pleasure “The Art of Deception”.   It is not the case with this book.  It could have been a good thriller, but the style is not right to create suspense.  It could have been a book on the havcking mindset, but the described introspection is too shallow. It could have been  a technical book, but the rare technical descriptions are uninteresti

The main interest of the book is to have an insight of his motivations:  “Getting access to things that he was not authorized”.  Nevertheless,  “The Art of Deception” gives a better view on social engineering.    An unanswered question:  why did he need to go to jail to become an ethical hacker?

We will  keep a good description of ethical hacking.

What I do now fuels the same passion for hacking I felt during all those years of unauthorized access.  The difference can be summed up in one word: authorization.
I don’t need authorization to get in.
It’s the word that instantly transforms me from the World’s Most Wanted Hacker to one of the Most Wanted Security Experts in the world.  Just like magic.

Conclusion: This book is not mandatory on the shelves of security people.  “The Art of Deception” is mandatory.


K.D. Mitnick and W.L. Simon, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, Little, Brown and Company, 2011

K.D. Mitnick and W.L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons, 2003.

Predictably Irrational

“Predictably Irrational” from Dan Ariely is not a book about security (neither Sci-Fi). Thus, why do I report about it?

“Predictably Irrational” highlights that many of our reactions are not rational. Every body knows that it is true in extreme conditions. Dan Ariely demonstrates that it is also true in our daily reactions. To prove it, he describes some of the many experiments that he run.

Law 6: You’re the weakest link reminds us that human behaviour is key for security. This book helps to better understand human behaviour. For instance, a full chapter is about honesty. Great to read. This book is a tool to better understand some tricks used by social engineer.

This is related to the latest Bruce Schneier’s pet’s subject societal security.

A book to read.

SMS: Nice piece of social engineering

This morning, I received on my cellular the following SMS (translated from French):

Info: This caller tried to call you at 09:47 without leaving a message. Unknown Number in your directory > Call the 0899190721 to identify him

Obviously, this number will be surcharged. How many gullible people will fall in this trap?

It is a nice piece of social engineering. The caller has not left a message. You may want to know who called and why he called. They give a solution to answer these questions… Bingo.

The attack would have been even better if you would have had a failed call just before.

The scammers are really very creative!

H1N1 and social engineering

The spammers become extremely good at social engineering. The latest one I received is very clever.

From: Centers for Disease Control and Prevention [674651373med@cdcdelivery.gov]
To: *Security Reporting
Subject: Create your personal Vaccination Profile

You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:

create personal profile

This mail is damned clever.

  • First of all, it uses basic fear motivation: the swine flu and the current actuality: vaccination.
  • Then a pinch of truth “The Vaccination is not obligatory” and then the trick “every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site” That you vaccinate or not, you have to register!!
  • Of course, the CDCs exist and the site cdc.gov also. The address inside the link of course does not point to cdc.gov but to an .im This extension belongs to the Isle of Man but can be used by any individual.
  • Grammar and orthography are OK (at least for me 🙂 ) which is often not the case

When such a mail arrives in a non personal mailbox, there is no doubt that it is a malware. But, will Joe Average detect it as such? Will he not follow the initial reactions of his reptilian brain (flu = fear, CDC = authority…)?

Social engineering is definitively a dangerous weapon.

[update: 3-dec The news about this malware is every where on the blogosphere. Here are more technical details http://blog.appriver … tribute-malware.html ]

VC2 and AMEX

The Visual Cryptogram 2 (VC2) was created by VISA in 2005 to protect against online fraud. The VC2 code is the three-digit number printed at the back of your credit card. The rationale of VC2 is that to access this code, you need to have the card insight. I always thought that the rationales to print it at the back was to avoid camera capture used with card skimmers (see for instance http://www.darknet.o … ut-atm-hacking-tips/).

It seems I was wrong, or at least that AMEX does not fear this type of skimmers. AMEX uses also a visual cryptogram. But AMEX’s VC is four-digit long and printed on the front side of credit card. I do not understand the rationale for using a different scheme (Different size, different location). In fact, I learned it the hard way. When using the first time my AMEX online, I used the three digit at the back of the card. There was one! And of course, it did not work. :Sad:

Has somebody a clue?