The French connection

Last week I wrote about the appearance of Haiti earthquake-themed scams in the first week following the quake. I also promised to write about one specific such scam I saw – it started with this Email:

[Image: Haiti_earthquake_donation_scam_email-20100116 (the donation request email)]

At first glance, it seems to be a heartfelt plea for help from a relative of likely victims of the earthquake. It has good, but not perfect, English, and it does not appear to come from a professional organization; it reads more like a plea for help from a concerned individual. So the minor phrasing issues are perhaps understandable from a distraught relative, doubly so given the writer almost certainly is not a native English speaker. The author of this message certainly wants you to think s/he is in France, and probably a Haitian living there at that. The official languages of Haiti are Haitian Creole and French.

And there's the rub – who is the sender?

The only kind of "from" information in the entire message is in these two message header lines:

Return-Path: <Claire@mailing-shoppingday.com>
From: "AIEDA ASSOCIATION" <Claire@mailing-shoppingday.com>

Internet searches for "Claire@mailing-shoppingday.com" turned up a few reported cases of spam and nothing else. Searches for just the domain name added "spamming domain" blocklists to the previous search results.

Internet searches for "AIEDA ASSOCIATION" turned up nothing illuminating.

There was one meaningful result on that phrase that turned out to be a page mis-referencing A.P.I.E.D.A. – Association pour Intégration des Enfants Déficients Auditifs (unsurprisingly the "Association for Integration of Hearing Impaired Children" according to Google Translate). A.P.I.E.D.A. is based in Strasbourg, France, about 450km (280 miles) from Bailly Romainvilliers. Surely if it was this organization, they would have used their own address and bank account, or at least those of a staff member or supporter, and thus probably in, or much closer to, Strasbourg?

Of more interest though, there is also l'Association Internationale des Etincelles D'Amour, which goes by AIED'A (note the apostrophe). The name translates to International Association of Spark of Love. From the few items mentioning AIED'A on the web, it clearly has links to, or interests in promoting, Haitian causes. However, as far as I could tell, AIED'A does not seem to have a publicly accessible web presence, nor could I find contact information, beyond that a certain Edwin D'Haiti seems to be the moving force behind AIED'A. He lives in Paris and has quite different landline, cell and FAX numbers from those given in the donation request Email.

It seemed too great a coincidence that a Haitian-oriented group called AIED'A exists and "AIEDA ASSOCIATION" was used in this message's from address. However, at least thus far, there was insufficient evidence to suggest that AIED'A sent or commissioned the message, or was otherwise involved.

I had drawn a blank. Not speaking French, I didn't expect to get much further on my own, so I enlisted the assistance of a French colleague – Francois Paget from McAfee AVERT Labs.

Francois called the (cell) phone number from the message – "I am not available…".

[Image: Haiti_earthquake_donation_scam_email_2nd_address (the second Capital Distribution address at the end of the email)]

Francois called the town hall of Bailly Romainvilliers (the location of the address in the spam) and nearby Bussy Saint Georges (about 10km – 6.2 miles – away and the location of a second possible address for Capital Distribution, included at the very end of the Email message, as shown above). The local officials knew nothing of the company or local efforts to raise donations for Haiti.

Searching French company registration data for "Capital Distribution", Francois found a company registered with that name on 24 September 2009 by one Ennery Belance at the Bussy Saint Georges address from the end of the message.

So, a person's name matched to the company name and address in the message – progress.

Then, in searching for that name, two things quickly became apparent. First, Ennery Belance is not a common name, at least as seen by internet search engines.

Second, most of the hits for this name are in relation to a news story from 30 April 2009. It seems that a Monsieur Ennery Belance ran afoul of the Insurance Regulatory Authority (L'Autorité de contrôle des assurances et des mutuelles) in France. According to the ruling, an insurance company manager of that name supplied false statements of professional liability insurance and financial security guarantees, amongst other things. (Should you be interested in the minutiae and not speak French, here is Google Translate's rendition of the ruling into English.)

So, is this the same Ennery Belance as the one apparently related to the source of the Haiti donation spam?

Yes!

Why am I so sure?

Some of the news coverage of that ruling identifies three websites related to the infringing insurance businesses of Monsieur Belance – www.amexassurances.com, www.express-sante.com and www.assurancesvoyageurs.com. The whois data for these three domains all contain the following identical (save some capitalization differences) contact data:

BELANCE ENNERY (amex.assurances@wanadoo.FR)
+33.660486030

And the second two have whois contact addresses just down the street from the second Capital Distribution address in the Email:

1 BLD PIERRE MENDES FRANCE
BUSSY SAINT GEORGES, BUSSY SAINT GEORGES 77600
FR

Further, despite the contact address in its domain registration being different, Google Maps' Street View clearly shows the business of Amex Assurances is also at 1 Boulevard Pierre Mendès France (at its intersection with Avenue du Général de Gaulle). You can see that in this excerpted detail from Google Maps, or click the image to be taken to the location in Street View to look around for yourself:

[Image: Amex_Assurances_Street_View_detail (Google Maps Street View excerpt of Amex Assurances at 1 Boulevard Pierre Mendès France)]

Further still, searching for some distinctive text from the websites at the three domains named above, turned up a fourth French "insurance company" domain. The domain capital-assurances.com is also registered by Monsieur Belance, with the 1 Boulevard Pierre Mendès France address. Finally, the contact phone number in all four of these domain registrations is "+33.660486030" – the same as the one in the spam.

So, we have matching phone numbers and addresses that very strongly tie this Email to Ennery Belance of Bussy Saint Georges and/or Bailly Romainvilliers, who appears to be a businessman in the French insurance industry.

…a businessman who has been before the French insurance industry's professional organization overseeing the good standing of its members, and censured by that organization for making untrue or fraudulent statements.

…a businessman who may be continuing to operate his insurance business(es) despite this censure.

So what do we have? Spam sent by a French insurance agent who has been censured for making false or fraudulent statements. Spam implying some form of allegiance with Haitian-aligned AIED'A.

If AIED'A is a legitimate organization – and I must stress I have found no reason whatsoever to suggest otherwise – one would hope both that it would not resort to spam to raise funds for any of its good works in Haiti (even in such an extreme event), and that it would not engage a person such as Ennery Belance appears to be, to act on its behalf.

All of which leaves us with one more question – would you buy a used car from this man?

[Image: Haiti_earthquake_donation_scam_used_car-20100116 (the used car listing found via the phone number)]

Thanks to Francois for sharing this link, which he found through a search on the phone number from the spam, expressed in local (within France) calling format. Also, thanks to the French CERTs for also investigating this and their involvement of the French police.
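The pivot that ties the message to the domain registrations is a match on normalized indicators: the spam's From address leads nowhere, but the phone number, once the international "+33.660486030" form and the local French dialling form are reduced to the same digits, matches the registrant contact on each domain. As an added example (not from the original post), here is a small Python script that does that normalization and reports which records share an indicator with the spam; the whois records, the spam record and the unrelated domain are constructed for illustration from the values quoted above, not captured from the real registrations.

```python
import re

# Constructed sample records built only from values quoted in the post above;
# the whois fields are illustrative, not a capture of the real registrations.
SPAM = {"source": "donation email", "email": "Claire@mailing-shoppingday.com",
        "phone": "06 60 48 60 30"}   # the number as a French reader would dial it
WHOIS = [
    {"source": "amexassurances.com", "email": "amex.assurances@wanadoo.FR",
     "phone": "+33.660486030"},
    {"source": "express-sante.com", "email": "amex.assurances@wanadoo.fr",
     "phone": "+33.660486030"},
    {"source": "capital-assurances.com", "phone": "+33 6 60 48 60 30"},
    {"source": "unrelated.example", "email": "ops@unrelated.example",
     "phone": "+44 20 7946 0000"},   # constructed non-matching record
]

def normalize_phone(raw, default_cc="33"):
    """Reduce a phone number to E.164-style digits so that '+33.660486030',
    '+33 6 60 48 60 30' and the local '06 60 48 60 30' compare equal."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):          # international dialling prefix
        return "+" + digits[2:]
    if digits.startswith("0"):           # French trunk prefix
        return "+" + default_cc + digits[1:]
    return "+" + default_cc + digits

def indicators(record):
    """Normalized (kind, value) pairs a record can be matched on."""
    out = set()
    if record.get("email"):
        out.add(("email", record["email"].strip().lower()))
    if record.get("phone"):
        out.add(("phone", normalize_phone(record["phone"])))
    return out

def pivot(seed, records):
    """Map each record sharing an indicator with the seed to the shared pairs."""
    seed_ind = indicators(seed)
    hits = {}
    for rec in records:
        shared = seed_ind & indicators(rec)
        if shared:
            hits[rec["source"]] = sorted(shared)
    return hits

if __name__ == "__main__":
    for source, shared in pivot(SPAM, WHOIS).items():
        print(source, "<-", ", ".join(f"{k}={v}" for k, v in shared))
```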
