"International Institute of Rural Reclamation"

Talk about the Nigerian 4-1-9 scam in all its many variations, such as bogus checks sent from Nigeria to purchase used cars in the U.S. and many other variations of this scam.
Unidyne
Admiral of the Quatloosian Seas
Posts: 292
Joined: Sat Mar 07, 2009 3:56 am
Location: Great Basin Bioregion

"International Institute of Rural Reclamation"

Postby Unidyne » Mon Jul 18, 2016 4:11 am

Okay, got two e-mails (supposedly) from this group, with identical messages but different names and message titles. Both say the following:

To whom it may concern,

Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank.

Regards,


(No, I didn't open the attachment!)

One is entitled "Confirmation Slip" sent from a "Firew Kefyalew", but signed "Mr Firew Mekonnen, U.S. Office Accounting Department, International Institute of Rural Reconstruction". The differences in the names got my attention.

The second was entitled "Payment Slip" and sent and signed by "Mr Getachew Tamiru".

The web address listed in the e-mails (iirr.org) is for a group that provides educational and farming assistance to impoverished regions, and both messages had US mailing addresses and telephone numbers. Anyone know anything about this?

ADDENDUM: I ran "Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank." in a web search and found a number of warnings from Cisco about the attachment being a Trojan horse for malicious software.

https://tools.cisco.com/security/center ... rtId=40056
Irony: The Ayn Rand® Institute (ARI) is a 501(c)(3) nonprofit organization.

KickahaOta
Pirate Captain
Posts: 203
Joined: Tue Jul 02, 2013 8:45 pm

Re: "International Institute of Rural Reclamation"

Postby KickahaOta » Wed Jul 27, 2016 6:55 pm

One of my servers has been getting bombarded with these messages, with a randomly-chosen selection of From: addresses and message bodies. Doesn't appear to be any kind of actual 419 effort, just an attempt to get a keylogger or ransomware on the box if the recipient opens the attachment.

NYGman
Admiral of the Quatloosian Seas
Posts: 1607
Joined: Thu Sep 20, 2012 7:01 pm
Location: New York, NY

Re: "International Institute of Rural Reclamation"

Postby NYGman » Wed Jul 27, 2016 7:29 pm

If I downloaded it and opened it on my Raspberry Pi, would that allow me to check out the payload without infecting my network, or would I need to sandbox it first?
The Hardest Thing in the World to Understand is Income Taxes -Albert Einstein

Freedom's just another word for nothing left to lose - As sung by Janis Joplin (and others) Written by Kris Kristofferson and Fred Foster.

KickahaOta
Pirate Captain
Posts: 203
Joined: Tue Jul 02, 2013 8:45 pm

Re: "International Institute of Rural Reclamation"

Postby KickahaOta » Thu Jul 28, 2016 6:47 pm

I'd be reluctant to give any advice other than "Nuke the site from orbit", because I've seen multiple payload types used in this same attack wave. Some are macro-enabled Office documents; some are Windows scripting files; some are other ZIPped-up nonsense.
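The attachment families KickahaOta lists (macro-enabled Office documents, Windows scripting files, and ZIPs wrapping either) are easy to triage automatically on the mail gateway before anyone opens anything. The following is an added example, not code from the thread or from any poster; the extension lists, labels and the sample message (built in memory from the lure text quoted above) are all constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Attachment families the thread describes (lists are illustrative, not exhaustive).
MACRO_OFFICE = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
WIN_SCRIPT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

def classify_name(name):
    """Risk label for a filename, judged by its extension alone."""
    ext = name.lower()[name.rfind("."):] if "." in name else ""
    if ext in MACRO_OFFICE:
        return "macro-office"
    if ext in WIN_SCRIPT:
        return "windows-script"
    return "zip" if ext == ".zip" else "other"

def classify_attachment(name, data):
    """As classify_name, but a ZIP is opened in memory and its member names inspected."""
    label = classify_name(name)
    if label != "zip":
        return label
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            inner = {classify_name(m) for m in zf.namelist()}
    except zipfile.BadZipFile:
        return "zip-unreadable"
    risky = sorted(inner & {"macro-office", "windows-script"})
    return "zip-wrapping-" + "+".join(risky) if risky else "zip-other"

def scan_message(raw):
    """Parse a raw RFC 5322 message; return one (filename, label) pair per attachment."""
    msg = message_from_bytes(raw, policy=default)
    return [(p.get_filename() or "",
             classify_attachment(p.get_filename() or "", p.get_payload(decode=True)))
            for p in msg.iter_attachments()]

def build_sample():
    """Constructed sample: the thread's lure text plus a ZIP wrapping a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Swift_Copy.js", "// constructed placeholder, not a real payload")
    m = EmailMessage()
    m["Subject"] = "Payment Slip"
    m.set_content("Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Swift_Copy.zip")
    return m.as_bytes()
```

Anything labelled other than "other" or "zip-other" is a candidate for quarantine; names inside a ZIP are read without extracting or executing anything.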

