Scheckbetrug

[Investi]

Eine interessante und im Hotelleriebereich gängige Betrugsmasche ist folgende:

header:

01: Return-Path: <md997290 [at] gmail.com>
02: X-Original-To: xxx [at] xxxxxx.de
03: Delivered-To: poor [at] spamvictim.tld
04: Received: from mail-vc0-f193.google.com (unknown [209.85.220.193])
05: 	by tgs-server.de (Postfix) with ESMTP ID: [ID filtered]
06: 	for <poor [at] spamvictim.tld>; Thu, 12 Mar 2015 xx:xx:xx +0100 (CET)
07: Received: by mail-vc0-f193.google.com with SMTP ID: [ID filtered]
08:         for <poor [at] spamvictim.tld>; Thu, 12 Mar 2015 xx:xx:xx -0700 (PDT)
09: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
10:         d=gmail.com; s=20120113;
11:         h=mime-version:reply-to:date:message-id:subject:from:to:content-type;
12:         bh=QudLUPjs3ZfVUtXu96i4AFV1OoOgIc5GKbH13F6NOuw=;
13:         b=VWGwyoYwnVU2FIZ8lxdtKJFV6Tq7NiPlCt4mOBHoTJ5Z0hTnIDaTT78um0La5gv32v
14:          I+acLBUQVfCYEzO8ma3LxnJMCxuWgBLpyzfT//HPrnIwdgLPx6obwy50Wmi/BNmWAIHq
15:          0XKtLQ93znDAqGEbGVwVTIQP6571r7GbtSL2O9vrWFuFx6dvfPKBzmGU8+JkuLIco8Zf
16:          6buaSY6SdlohuruIrD/v9elNbwUR81qHKgZP6rXcTrWgiQaUf/qXdITvNTxNkrXxGSL+
17:          btLF2M4PXv7Im4qa6HfTh03tz0a3gBEfENV8IN5A3+mo4qGZqeSe3gKEBnLWAulIZ0bw
18:          q8Qw==
19: MIME-Version: 1.0
20: X-Received: by 10.52.12.169 with SMTP ID: [ID filtered]
21:  Thu, 12 Mar 2015 xx:xx:xx -0700 (PDT)
22: Received: by 10.52.143.234 with HTTP; Thu, 12 Mar 2015 xx:xx:xx -0700 (PDT)
23: Reply-To: micultralases-roberts [at] yandex.com
24: Date: Thu, 12 Mar 2015 xx:xx:xx +0000
25: Message-ID: [ID filtered]
26: Subject: WE NEED ACCOMMODATION
27: From: Richard Griffiths <md997290 [at] gmail.com>
28: To: undisclosed-recipients:;
29: Content-Type: multipart/alternative; boundary=485b397dd6357c256905111c8c37
30: Old-X-EsetID: [ID filtered]
31: Old-X-EsetID: [ID filtered]
32: X-EsetScannerBuild: 23032
33: X-ESET-AntiSpam: OK;0;calc;2015-03-12 xx:xx:xx;1503122045470025;2397
34: X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1426189547;VERSION=2129;MFE-VER=36
35: Old-X-EsetID: [ID filtered]
36: Old-X-EsetID: [ID filtered]
37: Old-X-EsetID: [ID filtered]
38: X-EsetID: [ID filtered]

Greetings,

My name is Dr Richard Griffiths Your city is our destination for our wedding anniversary this year .We are two Couples coming for our wedding anniversary Is it possible to book 2 rooms or AN apartment that can sleep 4 guests(2 couples) all adults. Please check your availability and get back to me

Proposed Check-in-date: 16th May 2015
Proposed Check-out-date: 30th May 2015
Total number of NIGHT: 14
Total Number of persons: 4 adults
Rooms: 2 double rooms or an apartment

Kindly tabulate the prices of your 2 DOUBLE ROOMS OR APARTMENTS that will sleep 4 persons. Please offer discounts on your prices if possible

I awaits your timely reply

Dr Richard Griffiths
BSc MB ChB MRCP PhD
Consultant in Medical Oncology
Clatterbridge Cancer
Centre NHS Foundation Trust
Clatterbridge Road,
Bebington, Wirral,
C H63 4JY
England
Mobile contact:00447421165771

Nach Bestätigung der Verfügbarkeit der angefragten Unterkünfte sowie Mitteilung des Preises erreicht einen folgende Mail:

header:

01: Return-Path: <micultralases-roberts [at] yandex.com>
02: X-Original-To: <poor [at] spamvictim.tld>
03: Delivered-To: poor [at] spamvictim.tld
04: Received: from forward18.mail.yandex.net (unknown [95.108.253.143])
05: 	by tgs-server.de (Postfix) with ESMTP ID: [ID filtered]
06: 	for <poor [at] spamvictim.tld>; Mon, 16 Mar 2015 xx:xx:xx +0100 (CET)
07: Received: from web9g.yandex.ru (web9g.yandex.ru [95.108.252.109])
08: 	by forward18.mail.yandex.net (Yandex) with ESMTP ID: [ID filtered]
09: 	for <poor [at] spamvictim.tld>; Mon, 16 Mar 2015 xx:xx:xx +0300 (MSK)
10: Received: from 127.0.0.1 (localhost [127.0.0.1])
11: 	by web9g.yandex.ru (Yandex) with ESMTP ID: [ID filtered]
12: 	Mon, 16 Mar 2015 xx:xx:xx +0300 (MSK)
13: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail;
14: 	t=1426519727; bh=13GpRsOJz1VDO3OOU5F6MU2wt6RltOdtB/xfFXnD9as=;
15: 	h=From:To:In-Reply-To:References:Subject:Date;
16: 	b=eimexsN9f4BmTNnBWpr/FDIeW1COdS9NpEGqe4X3c3JKH6O7zXG6Upl40sWibSx7O
17: 	 v8WI81nVbng2Cfk3vcgpT7ouG9UD3YXqb/Lbn/oaQaY/spxRIgUebwcu/LWfbklOg7
18: 	 yk+EjYxZ1vrMTsxhZU0sbvFbyMtvHHzsA3dSyLAo=
19: Received: by web9g.yandex.ru with HTTP;
20: 	Mon, 16 Mar 2015 xx:xx:xx +0300
21: From: Richard Griffiths <micultralases-roberts [at] yandex.com>
22: To: "xxx" <<poor [at] spamvictim.tld>>
23: In-Reply-To: <9DE56A63ACE840B59462A827047E32BC [at] FENSTER>
24: References: <CAHFr_0QUxUfrX5qAy=e7Bwpwi5PSxHjXxNUaGTNH9sXiZhmypA [at] mail.gmail.com>
25: 	<9DE56A63ACE840B59462A827047E32BC [at] FENSTER>
26: Subject: BOOKING CONFIRMATION
27: MIME-Version: 1.0
28: Message-ID: [ID filtered]
29: X-Mailer: Yamail [ http://yandex.ru ] 5.0
30: Date: Mon, 16 Mar 2015 xx:xx:xx +0000
31: Content-Transfer-Encoding: base64
32: Content-Type: text/html; charset=utf-8
33: Old-X-EsetID: [ID filtered]
34: Old-X-EsetID: [ID filtered]
35: X-EsetScannerBuild: 23032
36: X-ESET-AntiSpam: OK;0;whitelist;2015-03-16 xx:xx:xx;1503161635170479;3B26
37: Old-X-EsetID: [ID filtered]
38: Old-X-EsetID: [ID filtered]
39: Old-X-EsetID: [ID filtered]
40: X-EsetID: [ID filtered]

Attention: Director/Manager,
Dear Sir/Madam,

I write with great pleasure to thank you for your kind reply, and also to inform you, that the couples have met and the prices you have offered has been accepted. We beg for your assistance as it regards payment, in order to make sure that everything is arranged before our arrival, we wish to make advance payment to confirm the booking. Our sponsor will pay for all our expenses so we want everything regarding payment to be settled before we come over for our wedding anniversary. The money will be paid into your bank account through a secured certified bank cheque, you will receive the cheque in your address as soon as possible. I want to tell you that we are making arrangement with a Tour organizer agency that will book our flight and provide us with other logistic needs during our anniversary. As I mentioned above, we are getting a direct sponsorship, so payment will come to you from our sponsors. Already they have issued out a certified Bank check of 6,740.00GBP to cover all our traveling expenses which includes accommodations, transportation,flight fair and other logistics we need during our anniversary.Since you are the first booking we have confirmed we wish to issue this cheque payment to you. Therefore when you receive the cheque deposit it into your bank account to get cash credited into your account, when the cheque clears in your bank account deduct money for the cost of your services. The remaining/balance money will be for the Tour organizer agency.(The details will be provided to you on how to transfer the remaining money to them our Tour organizer agency will issue an invoice to you for the amount they are going to receive from you and our detailed itinerary .HOPE YOU UNDERSTAND.

Kindly provide the following information for the cheque payment to be issued to you

(1) YOUR FULL NAME (As it should appear on the cheque):
(2) YOUR POSTAL ADDRESS (where to send the cheque):
(3) CONTACT TELEPHONE NUMBERS:

NOTE: WE WILL BE RESPONSIBLE FOR ANY TAX AND FEES THIS WILL ATTRACT.
Our team will highly appreciate your prompt reply, while we look forward for a memorable stay in your place.

Best regards,
Dr Richard Griffiths

Nachdem man nun die angefragten Daten nachgereicht hat, erreichen einen sowohl ein Brief mit Scheck als auch eine Mail mit folgendem Inhalt:

header:

01: Return-Path: <micultralases-roberts [at] yandex.com>
02: X-Original-To: <poor [at] spamvictim.tld>
03: Delivered-To: poor [at] spamvictim.tld
04: Received: from forward18.mail.yandex.net (unknown [95.108.253.143])
05: 	by tgs-server.de (Postfix) with ESMTP ID: [ID filtered]
06: 	for <poor [at] spamvictim.tld>; Mon, 23 Mar 2015 xx:xx:xx +0100 (CET)
07: Received: from web5g.yandex.ru (web5g.yandex.ru [95.108.252.105])
08: 	by forward18.mail.yandex.net (Yandex) with ESMTP ID: [ID filtered]
09: 	for <poor [at] spamvictim.tld>; Mon, 23 Mar 2015 xx:xx:xx +0300 (MSK)
10: Received: from 127.0.0.1 (localhost [127.0.0.1])
11: 	by web5g.yandex.ru (Yandex) with ESMTP ID: [ID filtered]
12: 	Mon, 23 Mar 2015 xx:xx:xx +0300 (MSK)
13: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail;
14: 	t=1427102124; bh=jSGHeWCVzhVzoid9RfFWGDIo7kQzwMlot06YmKCbWGg=;
15: 	h=From:To:In-Reply-To:References:Subject:Date;
16: 	b=UfvymCCVpMxWG19PLojcCdKyTEICRzGd+YnnGXImKNTpHkZFiPQvEW+n93mZUxpKn
17: 	 imdpKNnsu2qq7CB/xP/3nLRW+2yDdkajY3j5g8bHCIWsK0kUCLohJbXkxohW1vEmH5
18: 	 IamVBgcpI75DSDdyxEkuHW9TEfhzoVXWNpR/rSNk=
19: Received: by web5g.yandex.ru with HTTP;
20: 	Mon, 23 Mar 2015 xx:xx:xx +0300
21: From: Richard Griffiths <micultralases-roberts [at] yandex.com>
22: To: "xxxx" <poor [at] spamvictim.tld>
23: In-Reply-To: <0E860C9AC731491FB4B0801F631679FC [at] FENSTER>
24: References: <CAHFr_0QUxUfrX5qAy=e7Bwpwi5PSxHjXxNUaGTNH9sXiZhmypA [at] mail.gmail.com>
25: 	<9DE56A63ACE840B59462A827047E32BC [at] FENSTER> <390571426519726 [at] web9g.yandex.ru>
26: 	<0E860C9AC731491FB4B0801F631679FC [at] FENSTER>
27: Subject: CHEQUE PAYMENT NOTIFICATION!!
28: MIME-Version: 1.0
29: Message-ID: [ID filtered]
30: X-Mailer: Yamail [ http://yandex.ru ] 5.0
31: Date: Mon, 23 Mar 2015 xx:xx:xx +0000
32: Content-Transfer-Encoding: base64
33: Content-Type: text/html; charset=utf-8
34: Old-X-EsetID: [ID filtered]
35: Old-X-EsetID: [ID filtered]
36: X-EsetScannerBuild: 23032
37: X-ESET-AntiSpam: OK;0;whitelist;2015-03-23 xx:xx:xx;1503231017291307;CA98
38: X-EsetID: [ID filtered]

Greetings,

How are you today? I hope This mail meets you well? I am glad to inform you that a cheque payment has been dispatched to your address by our sponsor , According to UK postal delivery , The cheque payment will be arriving at your address any moment from now.Let me know immediately you receive the cheque. Thanks and I await your email.

Best regards,
Dr Richard Griffiths

Nach Einlösen des Schecks soll man also den überzahlten Betrag auf ein noch zu benennendes Konto des Reiseveranstalters zahlen. Es muss wohl nicht betont werden, dass der Scheck nach 14 Tagen platzt und man auf den Gast seeeeehr lange warten kann.

Warten wir mal ab, welcher Empfänger das Geld haben will.

[deekay]

Ich würde schreiben, dass der überzahlte Betrag in ein Wellnessprogramm fliesst :-) Schön Essen, Massagen etc.

[Investi]

Die Antwort dürfte nicht lange auf sich warten lassen. Das Geschäft muss ja schnell abgeschlossen werden. Ich rechne innerhalb weniger Stunden mit einer Angabe, wohin ich das zuviel empfangene Geld überweisen soll. Werde ihm dann antworten, dass ich auf Empfehlung des BKA und von Scotland Yard den Scheck auf das Konto des Yard gutschreiben liess.

[Investi]

Eine Stunde und neun Minuten hat die Antwort auf sich warten lassen.

Good Morning,

Thanks for confirming the receipt of the cheque payment proceed and deposit it in your bank account to get the cash clearance, It will take about five working days for the cash money to be credited on your account as our sponsor had facilitated the speedy clearance of the cheque into your account. The total amount on the cheque is meant to cover our entire expenses for our wedding anniversary as i told you in my previous emails. These include: the total cost of your accommodation services, the cost of the bank charges incurred in changing the cheque value from pounds to euros, the total cost of our flight ticket booking, the cost of our car hire and the cost of other logistics services which will be taken care of by our pre-paid tour operator agent.

Once you receive the money on your account, you have to deduct the total cost of our booking and the bank charges and tax and then let me know the balance left in Euros so that i will forward you the IBAN/Account of our tour operator agent in-charge of our flight ticket booking, car rental services and other logistics services for their payment.
Thanks once again for your assistance so far and i look forward to meeting you soon.
Best Regards,
Dr Richard Griffiths

Ich werde ihm am Mittwoch antworten, dass der Betrag unserem Konto gutgeschrieben wurde und ein Differenzbetrag X verfügbar ist. Mal sehen, welcher Muli sein Konto für diese Transaktion zur Verfügung gestellt hat.

[carkiller08]

Dr Richard Griffiths
BSc MB ChB MRCP PhD
Consultant in Medical Oncology
Clatterbridge Cancer
Centre NHS Foundation Trust
Clatterbridge Road,
Bebington, Wirral,
C H63 4JY
England
Mobile contact:00447421165771

Hier ging am 9. Oktober 2014 eine Betrugs-E-Mail
mit dieser Kontakt-Telefonnummer 00447421165771 ein.
Der Absender nannte sich damals

Mr.Andy Hassall
21 Moor Pl, Liverpool,
Merseyside,
L3 5QY
United Kingdom
PHONE:+447421165771

Der Text ist bis auf einen anderen
Übernachtungszeitraum identisch.

Header hierzu:

header:

01: Received: from dns.chps.ntpc.edu.tw ([163.20.13.1]) by
02: 	BAY004-MC2F51.hotmail.com with Microsoft SMTPSVC(7.5.7601.22751);
03: 	 Thu, 9 Oct 2014 xx:xx:xx -0700
04: Received: from dns.chps.ntpc.edu.tw (localhost [127.0.0.1])
05: 	by dns.chps.ntpc.edu.tw (Postfix) with ESMTP ID: [ID filtered]
06: 	Thu,  9 Oct 2014 xx:xx:xx +0800 (CST)
07: Received: from mail.chps.ntpc.edu.tw (localhost [127.0.0.1])
08: 	by dns.chps.ntpc.edu.tw (Postfix) with ESMTP ID: [ID filtered]
09: 	Thu,  9 Oct 2014 xx:xx:xx +0800 (CST)
10: From: "Andy Hassall" <mic_ultralasea [at] yahoo.co.uk>
11: Reply-To: a.hassall [at] yandex.com

Weitere Betrugs-E-Mails mit diesem Text
(andere Namen, andere Anschriften und andere Übernachtungsdaten )
liegen mir vor.

[Cc_Eckhard]

Auf keinen Fall den Scheck zur Gutschrift auf ein Konto einreichen, da dann durch die zweimalige Währungsumrechnung und die Bankgebühren für den Rückscheck erhebliche Kosten entstehen.

[schara56]

Wie hoch ist denn grob das Delta in Prozent zwischen angebotenem Preis und Schecksumme?

[Investi]

Der Übernachtungspreis liegt bei knapp 2.500,00 €.

Die Schecks platzen aber erfahrungsgemäss immer. Denen geht es nur darum, dass die Opfer das Geld zwischen Gutschrift des Schecks und Rückbelastung nach dem Platzen des Schecks überweisen. Überweisungen kann man bekanntlich nicht mehr rückgängig machen, beim Empfänger (vermutlich ein Arbeitsloser, der auf "Arbeitsangebotsmails" reingefallen ist) wird nichts mehr zu holen sein.

[Investi]

Richard hat doch tatsächlich gerade hier angerufen: 00447421554021

Wir haben ihn erstmal auf morgen früh 9 Uhr vertröstet. Wir sind ja nicht Hilton und unsere Rezeption auch nicht 24 Stunden am Tag besetzt. Mal sehen, was er morgen von uns will.

[schara56]

Der Übernachtungspreis liegt bei knapp 2.500,00 €. [...

Der Scheck läuft über umgerechnet 9.203,47 EUR.
Das sind dann 6703,47 EUR für den Scammer...