In another interesting collision of Sweet Element’s world and mine, Jen asked me one morning to take a look at a really weird set of emails she received from someone inquiring about a wedding cake.
The first email that arrived was nothing out of the ordinary as it was a simple referral from weddingwire.com where Jen is an active advertiser:
Date: February 20, 2012 10:37:33 AM EST
To: Sweet Element
Subject: Denise Shevak would like information about your services!
Denise Shevak found your business directly on the vendor catalog and would like to know more about your services. Please respond to this lead within 24 hours. Here is the lead’s contact information:
Name: Denise Shevak
Phone: Not provided
Wedding Date: Apr 29, 2012
Location: Not provided
Please send me an email with information about your services.
Simple enough, right? I checked the headers on this email and it did come in from weddingwire.com’s servers, but unfortunately their server didn’t include the source IP address of the person filling out the form or anything else that could yield any clues.
Jen followed up with an email asking for lots of additional info, as “Denise” failed to include helpful information and her wedding was 2 months away. What came back was curious, to say the least.
From: “Denise Shevak” <email@example.com>
Subject: Re: Wedding Cake Inquiry
Date: Wed, February 29, 2012 3:06 am
To: Sweet Element
Thanks for responding to my posting and apology for my late response. Let’s get down to business, I would love you to take care of our wedding cake and I would want it to be 2 tiers cake for about 120 guests. I know you would really want to make the day a memorable one for me and my fiance.Attached is a preferred design of the cake. If you have an idea you could add to make the creativity more perfect.
The venue for the wedding is taking place in the apartment’s compound I’m relocating to in Bogota, New Jersey 07603. The date is 04/29/2012.Time is 11am.I am currently living HACKENSACK,NJ and still very much around but working offshore in United Kingdom. I will resume back to work next Monday. I am sure we can conclude on everything before I leave.
Please, make the cake color to be two, cream and butter color and not white as shown in the picture but I want you to design it with roses. The color of the roses has to be yellow and white. I love creativity, it’s a sign that I’m getting the best of the cake. The flavor can be 2 for each tier. (1) Vanilla and (2) Coconut.Let me know the total cost for the cake and as regard delivery, I could arrange for pick up and you could make delivery as well.
Thanks as I await your response,
Aside from the rather odd language, the one thing that really caught my attention was “HACKENSACK, NJ” standing out like a sore thumb in all caps. Why would they choose such a specific city? If you look up Sweet Element’s phone number, the area code and prefix are for Hackensack, NJ. In reality, it’s just a phone number and the Sweet Element cake studio is actually quite a distance from Hackensack – but the scammers don’t know that. All the scammer is trying to do is establish that they are from the area, and they even mention the city of Bogota, NJ, which is right across the Hackensack River.
So exactly what is going on here? Let’s find out.
The first thing I did was upload the attached cake photo to TinEye to see if it had shown up anywhere else, hoping to find it referenced on a blog somewhere confirming it was a scam. Nothing at the time I first looked, but I’m sure that will change soon enough as more people become aware of this particular variation of the scam and warn others.
Next, I took a look at the email headers. I’ll spare you the full, lengthy email header, but will include the most critical line below which shows the first time the message hit Yahoo’s servers:
Received: from [220.127.116.11] by web121303.mail.ne1.yahoo.com via HTTP; Wed, 29 Feb 2012 00:06:01 PST
It’s rather fortunate that Yahoo Mail keeps the source IP address of the web client in the headers of the message, and we can see that the mail originated from 18.104.22.168. Looking up this address at ip-lookup.net, we find that it originates just outside of New Jersey in the country of Nigeria. Another quick check at Project Honeypot shows a great deal of malicious activity from this node as well as many others in the same subnet.
Yeah – it’s a scam.
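The header check above can be scripted; the version below is an added example, not code from the original post, and it reads the client address only from the unbroken run of Received lines written by servers you trust, since anything below that run could have been typed in by the sender. The sample message, host names and addresses are constructed, and `webmail_origin` and its `trusted` parameter are hypothetical names.

```python
import email
import ipaddress
import re

# Constructed sample (not the e-mail from the post). Host names are
# placeholders and the addresses come from RFC 5737 documentation ranges.
SAMPLE = (
    "Received: from out.mail.example.com (out.mail.example.com [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Wed, 29 Feb 2012 03:06:05 -0500\n"
    "Received: from [203.0.113.45] by web0000.mail.example.com via HTTP;\n"
    "\tWed, 29 Feb 2012 00:06:01 PST\n"
    "Received: from [192.0.2.99] by relay.invalid; Tue, 28 Feb 2012 23:00:00 PST\n"
    "From: sender@example.com\n"
    "Subject: Re: Wedding Cake Inquiry\n"
    "\n"
    "Body text.\n"
)

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
BRACKET_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def is_trusted(host, trusted):
    """True if host equals, or is a subdomain of, a trusted domain."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)

def webmail_origin(raw, trusted):
    """Return (ip, via_http) from the oldest Received header in the
    unbroken chain of trusted servers, or None if there is none."""
    msg = email.message_from_string(raw)
    result = None
    # Relays prepend their header, so the list runs newest to oldest.
    for header in msg.get_all("Received") or []:
        flat = " ".join(header.split())  # undo header folding
        by = BY_HOST.search(flat)
        if not by or not is_trusted(by.group(1), trusted):
            break  # anything below this hop could have been forged
        # Only the text before "by" describes the sending side of the hop.
        found = BRACKET_IP.search(flat[:by.start()])
        if found:
            try:
                ip = ipaddress.ip_address(found.group(1))
            except ValueError:
                continue  # bracketed text that is not an address
            result = (str(ip), " via HTTP" in flat)
    return result

if __name__ == "__main__":
    print(webmail_origin(SAMPLE, ("example.org", "mail.example.com")))
```

The `via HTTP` flag marks a hop where the provider recorded a browser client, which is the line that exposes the sender's own address; the bottom header in the sample is ignored because no trusted server wrote it.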
So how does the Nigerian Cake Scam work? A similar scam has been going on for a while now, although the story has changed a little. The scammer contacts the victim wishing to order a cake and pays for the cost of the cake plus delivery using a stolen credit card but insists on having the cake delivered by a specific delivery company that the victim is asked to wire payment to. The shipping company is the scammer. It would not surprise me to find that the United Kingdom was mentioned in the email in order to make sure the victim doesn’t have issues wiring money to a UK shipping company when the payment phase of the scam begins.
Unfortunately, I have heard of people who actually fell victim to these scams, made the cakes and prepared them for delivery, only to be cheated out of their time, resources and money, and then stuck with an extra bill because the credit card processors hold vendors financially responsible for the fraudulent charges.