CSI

This evening I spent about one and a half hours just lying on my bed, slumbering while listening to a Coldplay concert on the radio. Good stuff. This summer I want to lie on the grass with a cold beer, listening to good music with some friends at a music festival. So, which festivals haven’t been sold out yet?

Today I got an interesting SPAM or fraud e-mail. It’s not that I usually read my SPAM, but this time Firefox’ SPAM filter failed to bump it into the junk e-mail folder. The e-mail is from one Elizabeth Thornton with the Private Banking Division at Leadenhall Bank Limited, London. This is the e-mail:

Sincere Greetings,

My name is Elizabeth Thornton. I work with the Private Banking Division at Leadenhall Bank Limited, London. We are conducting a standard process investigation in relation to matters involving a client who shares the same name with yours (Muller Albisser) and also the circumstances surrounding investments made by this client at our bank. Our Leadenhall Banking client died intestate and nominated no next of kin to inherit the title over the investments made with our bank. The essence of this communication with you is to request you provide us information on three issues:

1-Are you aware of any relative/relation who shares your same name whose last known contact address was in Brussels?

2-Are you aware of any investment of considerable value made by such a person at the Private Banking Division of Leadenhall Bank?

3-Can you establish beyond reasonable doubt your eligibility to assume status of next of kin to the deceased?

It is pertinent that you inform us ASAP whether or not you are familiar with this individual that we may put an end to this communication with you and our inquiries surrounding this person. You must appreciate that we are constrained from providing you with more detailed information at this point.

Please respond to this mail as soon as possible to afford us the opportunity to close this investigation. Thank you for accommodating our enquiry.

Elizabeth Thornton

For: Thomas Masters:

Director Leadenhall Private Clients.

08-06-2005

Interesting. E-mails like this wake up the little Sherlock Holmes I’ve got hidden deep inside of me. First of all, there is no such thing as Leadenhall Bank Limited. At least not according to Google, and if you’re a company that can’t be found on Google, you basically don’t exist. There is, on the other hand, something called Leadenhall Bank and Trust, a private bank located in the Bahamas. It could be that poor Elizabeth just got the job and that she’s a little confused about exactly what company she’s working for and where she’s located. A noticeable fact is that Liz’ e-mail address and her reply-to address actually point to a domain (leadenhallfinancial.com) which is redirected to the Leadenhall Bank and Trust domain (leadenhallbahamas.com) if you try to go there with your browser.

One would think that because of this, all e-mail sent to Elizabeth would really be sent to Leadenhall Bank and Trust, but that’s not the case. Even if your web browser is redirected to their site, this doesn’t mean that your e-mail is. A DNS configuration allows you to set up different servers for e-mail and web. At least from what I can remember. The web server at leadenhallfinancial.com (Liz’ e-mail domain) could also just be using a simple HTTP redirect. Also, the e-mail from Elizabeth is sent from a BT Broadband server, and I doubt that a private bank in the Bahamas would use a British mass market internet provider to handle their e-mails. Let’s dismiss poor Leadenhall Bank and Trust from the rest of this investigation, since they are probably a legitimate company - or at least as legitimate as a private bank in the Bahamas can be - and concentrate on the owner of Liz’ domain, one John Kendall in London.

John Kendall registered leadenhallfinancial.com on April 4 this year and it expires just a year later. It looks like John doesn’t have very high hopes for his banking business since he’s decided to hold on to the domain for just one year. There probably isn’t much information to dig up on John himself, so let’s have a closer look at his server. The domain points to 216.136.232.176, which is a server belonging to Yahoo! Small Businesses. This means that my reply to Liz’ e-mail would probably end up there, in John’s Yahoo! inbox. Yahoo! Small Businesses also does web hosting, and I guess John has set up his web hosting account to redirect to Leadenhall Bank and Trust’s site. Unfortunately, I don’t have any tools at hand which will show me what headers are sent back to the client when it tries to connect to John’s domain.
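The two checks above that can be done without any network access, which domain the From and Reply-To headers really point at, and which mail server handed the message over first, can be read straight out of the e-mail headers. The following is an added example, not the author's own tooling; the message it parses is a constructed stand-in for the scam mail (hosts and addresses are made up), and the "claimed" domain passed in is the real bank's domain from the post.

```python
"""Offline triage of a suspicious e-mail's headers (added example)."""
import email
import re
from email import policy

# Constructed sample, not the real message: a look-alike sender domain
# and a first hop at a consumer ISP relay, like the mail in the post.
RAW_MESSAGE = b"""\
Received: from mx.example-recipient.net (mx.example-recipient.net [192.0.2.10])
\tby inbox.example-recipient.net; Wed, 08 Jun 2005 20:15:02 +0200
Received: from smtp-out.btbroadband.example (smtp-out.btbroadband.example [198.51.100.7])
\tby mx.example-recipient.net; Wed, 08 Jun 2005 20:14:58 +0200
From: Elizabeth Thornton <e.thornton@leadenhallfinancial.com>
Reply-To: e.thornton@leadenhallfinancial.com
To: recipient@example-recipient.net
Subject: Sincere Greetings

My name is Elizabeth Thornton ...
"""

def sender_domain(addr_header):
    """Lower-cased domain part of a header like 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr_header or "")
    return m.group(1).lower() if m else None

def first_hop_host(msg):
    """Host named in the earliest Received header (the bottom-most one)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"from\s+(\S+)", received[-1])
    return m.group(1).lower() if m else None

def triage(raw, claimed_domain):
    """Compare sender, reply-to and first relay against the claimed organisation."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"]) or from_dom
    hop = first_hop_host(msg)
    findings = []
    if from_dom != claimed_domain:
        findings.append("from-domain-not-claimed-org")
    if reply_dom != from_dom:
        findings.append("reply-to-differs")
    if hop and from_dom and not hop.endswith(from_dom):
        findings.append("first-hop-not-sender-domain")
    return {"from": from_dom, "reply_to": reply_dom, "first_hop": hop, "findings": findings}

if __name__ == "__main__":
    print(triage(RAW_MESSAGE, "leadenhallbahamas.com"))
```

The web redirect says nothing about mail routing because DNS publishes MX records for mail and A records for the web host separately, so the header findings, not the browser redirect, are what tell you where a reply would land.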

So what the hell does Mr. Kendall want to accomplish with this e-mail? Most people will just answer “no” to all of the questions in the e-mail anyway. Is he trying to validate e-mail addresses so he can SPAM them later? If this is the case, this is a damn bothersome way to do it. Or maybe he is really looking for Muller Albisser? Could it be that there is actually one Muller Albisser out there somewhere who is actually entitled to a lot of money in the real Leadenhall Bank and Trust, and that John Kendall is this close to getting his dirty hands on it? He just has to kill Muller Albisser first, and to find him he has bought a billion e-mail addresses and is sending out this e-mail to each and every one as a last, desperate effort. I doubt it, but it could have been a great script for a mediocre movie.

That’s cyber crime forensics for you, folks!

Good night.
