by

CSI.

This evening I spent about one and a half our just laying on my bed, slumbering while listening to a Coldplay concert on the radio. Good stuff. This summer I want to lay on the grass with a cold beer, listening to good music with some friends at a music festival. So, which festivals haven’t been sold out yet?

Today I got an interesting SPAM or fraud e-mail. It’s not that I usually read my SPAM, but this time Firefox’ SPAM filter failed to bump it into the junk e-mail folder. The e-mail is from one Elizabeth Thornton with the Private Banking Division at Leadenhall Bank Limited, London. This is the e-mail:

Sincere Greetings,
My name is Elizabeth Thornton. I work with the Private Banking Division at Leadenhall Bank Limited, London. We are conducting a standard process investigation in relation to matters involving a client who shares the same name with yours (Muller Albisser) and also the circumstances surrounding investments made by this client at our bank. Our Leadenhall Banking client died in testate and nominated no next of kin to inherit the title over the investments made with our bank. The essence of this communication with you is to request you provide us information on three issues:

1-Are you aware of any relative/relation who shares your same name whose last known contact address was in Brussels ?

2-Are you aware of any investment of considerable value made by such a person at the Private Banking Division of Leadenhall Bank?

3-Can you establish beyond reasonable doubt your eligibility to assume status of next of kin to the deceased?

It is pertinent that you inform us ASAP whether or not you are familiar with this individual that we may put an end to this communication with you and our inquiries surrounding this person. You must appreciate that we are constrained from providing you with more detailed information at this point.

Please respond to this mail as soon as possible to afford us the opportunity to close this investigation. Thank you for accommodating our enquiry.

Elizabeth Thornton
For: Thomas Masters:
Director Leadenhall Private Clients.
08-06-2005 Top of Form 1

Bottom of Form 1

Interesting. E-mails like this wakes up the little Sherlock Holmes I’ve got hidden deep inside of me. First of all, there is no such thing as Leadenhall Bank Limited. At least not according to Google, and if you’re a company that can’t be found on Google, you basically don’t exist. There is, on the other hand something called Leadenhall Bank and Trust, a private bank located in Bahamas. It could be that poor Elizabeth just got the job and that she’s a little confused about exactly what company she’s working for and where she’s located. An noticeable fact is that Liz’ e-mail address and her reply-to address actually points to a domain (leadenhallfinancial.com) which is redirected to the Leadenhall Bank and Trust domain (leadenhallbahamas.com) if you try to go there with your browser.

One would think that because of this, all e-mail sent to Elizabeth would really be sent to Leadenhall Bank and Trust, but that’s not the case. Even if your web browser is redirected to their site, this doesn’t mean that your e-mail is. A DNS configuration allows you to set up different server for e-mail and web. At least from what I can remember. The web server at the leadenhallfinancial.com (Liz’ e-mail domain) could also just be using a simple HTTP redirect. Also, the e-mail from Elizabeth is sent from a BT Broadband server, and I doubt that a private bank in Bahamas would use a British mass market internet provider to handle their e-mails. Let’s dismiss poor Leadenhall Bank and Trust from the rest of this investigation. They are probably a legitimate company – or at least as legitimate as a private bank in Bahamas can be – and concentrate on the owner of Liz’ domain, one John Kendall in London.

John Kendall registered leadenhallfinancial.com on April 4 this year and it expires just a year later. It looks like John doesn’t have very high hopes for his banking business since he’s decided to hold on to the domain for just one year. There probably isn’t much information to dig up on John himself, so let’s have a closer look at his server. The domain points to 216.136.232.176, which is a server belonging to Yahoo! Small Businesses. This means that my reply to Liz’ e-mail would probably end up there, in John’s Yahoo! inbox. Yahoo! Small Businesses also do web hosting, and I guess John has set up his web hosting account to redirect to Leadenhall Bank and Trust’ site. Unfortunately, I don’t have any tools at hand which will show me what headers are sent back to the client when it tries to connect to John’s domain.

So what the hell do Mr. Kendall want to accomplish with this e-mail? Most people will just answer “no” to all of the questions in the e-mail anyway. Is he trying to validate e-mail addresses so he can SPAM them later? If this is the case, this is a damn bothersome way to do it. Or maybe he is really looking for Muller Albisser? Could it be that there is actually one Muller Albisser out there somewhere that is actually entitled to a lot of money in the real Leadenhall Bank and Trust and that John Kendall is this close to getting his dirty hands on them? He just has to kill Muller Albisser first and to find him he has bought a billion e-mail addresses and is sending out this e-mail to each and every one as a last, desperate effort. I doubt it, but it could have been a great script for a mediocre movie.

That’s cyber crime forensics for you, folks!

Good night.

Write a Comment

Comment

+ 2 = 12

28 Comments

  1. You know… You could have made that whole thing up (including the talk about how these things work), and I would be none the wiser. Maybe you should do that, though… Make up a story like this and tell a whole bunch of lies about the technology involved, to see who notices. I’m guessing I wouldn’t have a clue, unless it was really basic stuff.

  2. I received the same fraud mail on July 4 and, in the course of investigating it, stumbled across your blog and reference, for which I’m grateful.

    I make it a point to report all such nigerian fraud mail and so I notified Yahoo.

    Clearly, the scumbag Kendall has visited this page as the deceased du jour is now Kristoph (homage to the previous correspondent, no doubt) rather than Muller Albisser.

  3. I just got the same email with slight changes: Return-path: (which goes to “http://www.leadenhallbahamas.com/” which seems to be a legitimate bank)

    I went to google and found your blog but just above it was this news report:
    REGULATOR SUSPENDS LEADENHALL BANK LICENSE
    July 19, 2005 Leadenhall Bank & Trust Company Limited has had its bank and trust license suspended by the Central Bank of the Bahamas and gone into Receivership.

  4. Today, the 2nd of August, I received the same mail.
    Of course with another name (Kristoph), which isn’t mine either.
    I did some research myself, before bumping in your log.
    I assume that the name of Elizabeth Thornton is misused, although she is a famous ‘fiction’ writer.
    The difference is that the real Elizabeth Thornton writes about romance and I am not interested in any romantic adventure with this Leadenhall woman.
    Especially that she is actually a bearded moron.
    In my letterhead, the reply address pointed to globalserviceshk.com, which in turn got me directly to the bahama’s.
    Curious as I am born, I am still interested in the meaning of all this.

    Good luck

    DW

  5. My Internet provider here in New Zealand, provides a spam filter, nevertheless the Elizabeth Thornton email got through to me. Curiously the source code does not reveal much.

  6. I go this email in NZ 3 August. She spelt her name incorrectly the second email. A man answered the phone – the investigation branch, because she was out of the office. Maybe on the beach. Thanks for looking it up.

  7. I just recieved the same thing for Kristoph. when i replied saying that i was not related to this person, she added my last name to the equation. wouldnt you think that if you were looking for someones relatives you ask using the last name first, not the other way around?

  8. DARN, THOUGHT I MIGHT BE ENTITLED TO A COUPLE OF MILLION JUST BY BEING RELATED TO KRISTOPH.
    As pointed out on a letter above, Elizabeth didn’t include my last name until i queried the e.mail then this was added.
    Shame about Kristophs only son being killed on a school trip.???
    Also tried to ring the contact number to no avail.
    Guess i’ll just have to carry on working for my millions.
    Cheers Julia Milley

  9. Elizabeth’s email has now been followed up by a pleading one from Thomas Masters. Shame they don’t spell properly or use accurate English when they are in such responsible positions.

  10. Naturally one loves this sort of thing, especially if there is a glimmer of truth somewhere in the story, what it did for me was give me a good reason to write down some of the family secrets and create a tale that is pluseable, also it did remind me that I did have a mother and father, and they got up to all sorts of things before getting married

  11. I got two of those letters sent to me in NZ. I am sure they are after my money, not much there at the moment, there never is. Looked up on Google Leadenhall Bank, it mentions the Bahamas, not London after all. Since when does the name Kristoph be the same name as Julia

  12. Seems that Elizabeth must have been fired and they no longer care about Mr. Albisser. I recieved the email in austin texas sept 18. Now Simon Renaud is looking for me. Maybe Ill be rich soon. I promis to spilt it with all of y’all.

  13. Thomas Masters is at it again. Kristoph must have been a complete idiot to have funds in a bankrupt bank. Masters is now asking me to send over copies of my passport or drivers license and a utility bill with proof of name and address. Mis-spellings are common place in their correspondence.

  14. Wah… Same lar like me..
    I got same as Anonymous Coward (#23)
    Thomas master at ttmasters@globlsrvicshk.com and he told me about deceased kristop..
    8,360,000.00 millions pounds..
    Then, he ask me to send him 5,350.00 pounds.. Shit man!!! fuck him… I’m so lucky not trust him..

    This is phone number.. Sure you can talk with him..
    +447862114263

  15. Hey! I’m Muller Albisser, and I want the 24 gazillion dollars.
    Uh, sorry, I’m Kristoph. Can I still have the money?
    Wait, wait … I’m Liz. Ah, no that’s not it either….
    Hang on …. if I’m Thomas Masters do I get the dough?
    Shit, it’s really hard to get scambucks.