V. CHARACTERIZATION OF CAMPAIGNS
This section provides deeper insights into 419 scam
campaign orchestration. We present a few typical scam
campaigns and we show connections between clusters,
possibly run by the same group of scammers.
A. Scam campaign examples
Figures 4, 5, and 6 show examples of scam campaigns
identified by TRIAGE, depicted with graph visualization
tools developed in the VIS-SENSE project¹. Those
graphs are drawn with a circular layout that represents
the various dates on which scam messages were sent.
The dates are laid out starting from 9 o’clock (far
left in the graph) and growing clockwise. Then, the
cluster nodes are drawn with a force-directed placement
algorithm. The big nodes on the graphs are mostly
phone numbers and From email addresses. Smaller
nodes represent mostly subjects and email addresses
found in the Reply-To header or the message content.
Figure 4 is an example of a campaign impersonating
a private company in South Africa, ESKOM Holdings.
The ESKOM campaign was initially a fake lottery scam
(left upper corner of Figure 4), but later switched to
a different scam, while still re-using the same phone
number. A noteworthy aspect of this campaign, shared
with some other campaigns we found, is that it relies on
few From email addresses (i.e., the bigger nodes in the
figure). The other email addresses are used with a larger
number of emails and change over time.
Another campaign, presented in Figure 5b, illustrates
the roles of email addresses and phone numbers in 419
scam over time. This campaign, which lasted for 1.5 years,
changed topic over time (every 1 to 2 months), which is
clearly visible by looking at the larger subgroups placed
around the circle. These shorter campaigns were most
probably run by the same scammers. We see that they
almost completely changed the email addresses between
different scam runs, but kept the same phone number.
The email addresses were often selected to match the
campaign topic and subjects.
Unfortunately, graphical interpretation of the campaigns
is not always straightforward, as can be seen in
Figure 5a. This graph was generated from a cluster of
a recent campaign of iPhone-related scams that lasted
for 1.5 years. The communication infrastructure of these
scammers is much more diverse. The campaign relies on
a large number of “disposable email addresses” that are
seldom used for a long period. As opposed to previous
examples, however, same or very similar subjects are
often reused.
¹ The VIS-SENSE project: http://www.vis-sense.eu
B. Macro clusters: connecting sub-campaigns
To find connections between different campaigns, we
searched for weaker connections between clusters. The
goal was to pinpoint possibly larger-scale campaigns,
which are made of loosely interconnected scam operations
(i.e., different scam runs). For this purpose we rely on
email addresses and phone numbers, as other attributes
are less personal. We identify clusters that share email
addresses and/or phone numbers, and use this information
to build macro-clusters. We identify 845 isolated and
195 connected clusters, the latter forming 62
macro-clusters. The characteristics of the top 6
macro-campaigns are shown in Table IV. These clusters are
particularly interesting as they consist of a set of
scam campaigns that appear to be interconnected and
therefore could be orchestrated by the same people. Such
macro-clusters span time with bursts of different
campaigns, topics and countries.
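The macro-cluster construction described above, as an added illustration rather than the paper's or TRIAGE's own code: clusters are linked whenever they share an email address or a phone number, and the connected components of that link graph are the macro-clusters. The cluster ids, addresses and numbers are constructed placeholders, and the split into isolated and connected clusters mirrors the counts reported in the text.

```python
from collections import defaultdict

# Constructed sample: each cluster is summarised by the email addresses and
# phone numbers seen in its messages (placeholder values, not real contacts).
CLUSTERS = {
    "c1": {"emails": {"eskom.claims@example.com"}, "phones": {"+27-00-000-0001"}},
    "c2": {"emails": {"lottery.win@example.net"}, "phones": {"+27-00-000-0001"}},
    "c3": {"emails": {"lottery.win@example.net", "agent.x@example.org"}, "phones": set()},
    "c4": {"emails": {"iphone.promo@example.com"}, "phones": {"+44-00-0000-0002"}},
    "c5": {"emails": {"delivery.desk@example.com"}, "phones": {"+234-00-000-0003"}},
    "c6": {"emails": {"delivery.desk@example.com"}, "phones": {"+234-00-000-0004"}},
}

def shared_edges(clusters):
    """Yield pairs of cluster ids that share at least one email or phone."""
    owners = defaultdict(set)  # (attribute type, value) -> cluster ids using it
    for cid, attrs in clusters.items():
        for value in attrs["emails"]:
            owners[("email", value)].add(cid)
        for value in attrs["phones"]:
            owners[("phone", value)].add(cid)
    for cids in owners.values():
        ordered = sorted(cids)
        for i in range(len(ordered)):
            for j in range(i + 1, len(ordered)):
                yield ordered[i], ordered[j]

def macro_clusters(clusters):
    """Return (isolated ids, macro-clusters) using union-find over shared contacts."""
    parent = {cid: cid for cid in clusters}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b in shared_edges(clusters):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for cid in clusters:
        groups[find(cid)].add(cid)
    macro = sorted((sorted(g) for g in groups.values() if len(g) > 1), key=lambda g: g[0])
    isolated = sorted(cid for g in groups.values() if len(g) == 1 for cid in g)
    return isolated, macro

def summarize(clusters):
    """Counts in the same form as the paper: isolated, connected, macro-clusters."""
    isolated, macro = macro_clusters(clusters)
    connected = sum(len(m) for m in macro)
    return {"isolated": len(isolated), "connected": connected, "macro_clusters": len(macro)}
```

Here c1 and c2 share a phone number and c2 and c3 share an email address, so all three fall into one macro-cluster even though c1 and c3 have no contact in common.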
An example of such macro-campaigns is illustrated
in Figure 6. This macro-cluster consists of 6 scam
campaigns of various size that include UK and Nigerian
phone numbers. We can distinguish them in the graph
as they appear as groups with one or two bigger nodes
(phone numbers) with a tail of connected nodes (email
addresses). We notice that campaigns in this case are
well separated by phones and emails dedicated for each
campaign (or operation), and that there are only few
overlaps over time. However, there is a small node
just in the center that indicates their interconnection.
Some contact details were reused and we used that for
their correlation. These campaigns together lasted for
3.5 years. Over this time period, scammers sent emails
using 51 distinct subjects and 8 different phone
numbers. In conclusion, we could describe this
macro-campaign as run by a group of individuals from
Nigeria who change contact details for each campaign
and work with several scam categories. The diversity
of topics may suggest that there is competition among
scammers, as they try to cover different online trick
schemes instead of specializing in a single one.
C. Geographical distribution of campaigns
Figure 8 shows the country distribution of the top 6
macro-campaigns. The last three campaigns are based
in Africa and located in one or two countries. The first
three are more Europe-oriented with some connections
to Nigeria and Benin. These groups are competing in
“fake lottery” scam, with the second group leading
the pack and covering most of the countries. In
comparison to a previous similar study of scam campaign
geographical distribution [5], we note that we encounter
fewer UK and Nigerian numbers in campaigns, but at
the same time confirm that scam campaigns can be
multi-continental. The largest macro-campaign (#2) we