"International Institute of Rural Reclamation"

Talk about the Nigerian 4-1-9 scam in all its many variations, such as bogus checks sent from Nigeria to purchase used cars in the U.S. and many other variations of this scam.
Unidyne
Admiral of the Quatloosian Seas
Posts: 292
Joined: Sat Mar 07, 2009 2:56 am
Location: Great Basin Bioregion

"International Institute of Rural Reclamation"

Post by Unidyne »

Okay, got two e-mails (supposedly) from this group, with identical messages but different names and message titles. Both say the following:
To whom it may concern,

Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank.

Regards,
(No, I didn't open the attachment!)

One is entitled "Confirmation Slip" sent from a "Firew Kefyalew", but signed "Mr Firew Mekonnen, U.S. Office Accounting Department, International Institute of Rural Reconstruction". The differences in the names got my attention.

The second was entitled "Payment Slip" and sent and signed by "Mr Getachew Tamiru".

The web address listed in the e-mails (iirr.org) is for a group that provides educational and farming assistance to impoverished regions, and both messages had US mailing addresses and telephone numbers. Anyone know anything about this?

ADDENDUM: I ran "Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank." in a web search and found a number of warnings from CISCO about the attachment being a Trojan Horse for malicious software.

https://tools.cisco.com/security/center ... rtId=40056
Irony: The Ayn Rand® Institute (ARI) is a 501(c)(3) nonprofit organization.
KickahaOta
Admiral of the Quatloosian Seas
Posts: 344
Joined: Tue Jul 02, 2013 7:45 pm

Re: "International Institute of Rural Reclamation"

Post by KickahaOta »

One of my servers has been getting bombarded with these messages, with a randomly-chosen selection of From: addresses and message bodies. Doesn't appear to be any kind of actual 419 effort, just an attempt to get a keylogger or ransomware on the box if the recipient opens the attachment.
NYGman
Admiral of the Quatloosian Seas
Posts: 2272
Joined: Thu Sep 20, 2012 6:01 pm
Location: New York, NY

Re: "International Institute of Rural Reclamation"

Post by NYGman »

If I downloaded it and opened it on my Raspberry Pi, would that allow me to check out the payload, without infecting my network, or would I need to sandbox it first?
The Hardest Thing in the World to Understand is Income Taxes -Albert Einstein

Freedom's just another word for nothing left to lose - As sung by Janis Joplin (and others) Written by Kris Kristofferson and Fred Foster.
KickahaOta
Admiral of the Quatloosian Seas
Posts: 344
Joined: Tue Jul 02, 2013 7:45 pm

Re: "International Institute of Rural Reclamation"

Post by KickahaOta »

I'd be reluctant to give any advice other than "Nuke the site from orbit", because I've seen multiple payload types used in this same attack wave. Some are macro-enabled Office documents; some are Windows scripting files; some are other ZIPped-up nonsense.
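As an added defender-side example, not code from this thread or from anyone posting in it: a small Python mail filter that flags messages carrying the lure wording Unidyne quoted together with the attachment types KickahaOta describes (macro-enabled Office files, Windows script files, and ZIPs wrapping either). The extension sets, phrase list, verdict thresholds and the constructed sample-message builder are assumptions made for this example.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Assumed heuristics: attachment types named in the thread and the lure sentence quoted in it.
MACRO_DOCS = {".doc", ".docm", ".xls", ".xlsm", ".pptm"}
SCRIPT_FILES = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat"}
LURE_PHRASES = ("swift copy of payment", "confirm receipt of payment")

def _ext(name): return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""

def risky_names(names):
    """Filenames whose extension is a macro document or Windows script type."""
    return [n for n in names if _ext(n) in MACRO_DOCS | SCRIPT_FILES]

def classify(raw):
    """Return (verdict, reasons) for one raw message: pass, review or quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content().lower() if text else ""
    lure = [p for p in LURE_PHRASES if p in body]
    bad_att = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) == ".zip":  # look inside "ZIPped-up" attachments
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    bad_att += [f"{name}:{n}" for n in risky_names(zf.namelist())]
            except zipfile.BadZipFile:
                bad_att.append(f"{name}:corrupt zip")
        else:
            bad_att += risky_names([name])
    reasons = [f"lure phrase '{p}'" for p in lure] + [f"attachment {a}" for a in bad_att]
    verdict = "quarantine" if lure and bad_att else ("review" if reasons else "pass")
    return verdict, reasons

def build_sample(attachment_name, payload, lure=True):
    """Constructed message mirroring the thread's text; the From address is a placeholder."""
    m = EmailMessage()
    m["From"], m["Subject"] = "sender@example.invalid", "Confirmation Slip"
    m.set_content("Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank." if lure else "See attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()

def zip_with(inner_name):
    """Constructed ZIP holding one harmless placeholder file under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "placeholder")
    return buf.getvalue()
```

A message with the lure text and a risky attachment (directly or inside a ZIP) is quarantined; either signal alone is only flagged for review, so a legitimate remittance notice with a PDF is not silently dropped.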