Yes, that’s Phishing (ph) as opposed to Fishing (f); both use a hook and some bait and then wait for something or someone to take said bait in hopes of landing a prize. The latter will hopefully result in a meal, whereas the former definitely leads to trouble.

I use a cloud-based anti-spam service – Avast CloudCare Antispam – formerly known as AVG CloudCare Antispam. It’s a really good service and quite a few of my clients are also users of said service. Anyway, this morning while I was checking the messages in my quarantine I noticed there was a message from the FBI! And no… they don’t email people; at least not people outside their organization. There are two government agencies that you should never expect to get email from because they don’t use it to contact people they want to talk to: the IRS and the FBI. (The IRS does have mailing lists for newsletters and such, but you have to be a subscriber to these things.)

Anyway, I saw this message sitting there in my quarantine and I just couldn’t help myself; I had to preview the message and see what it said. As I read the message I started to laugh, and as I thought about it I laughed a little harder. So, I released the message and waited a few seconds for it to pop into my inbox. I just had to have a copy of this message. I figured it was relatively safe since there were no links in the message and no images attached to the message.

Because of what I do for a living I am suspicious by nature of emails that stick out like a sore thumb. Hell! This one sticks out like a flaming case of hemorrhoids on the southern end of a north-bound rhino.

Once I had the message open I had a look at the email message headers and sure enough the message did not originate from Dallas, TX as it says in the message. No, it came from much further south, at least as far as the message headers are concerned: Argentina, to be exact. Now, I know it’s likely that the message itself could have been mischievously routed through a vulnerable system to make it appear that the message originated there, but no matter. I got the IP address of the sending server, put in an IP filter blocking all traffic from that area of the internet, and it’s all good.

So, I’ll share the message contents and, following that, the message header information. While the grammar isn’t that bad, the actual content shows a real lack of creativity and intelligence.

The Message

Federal Bureau of Investigation
Intelligence Field Unit Dallas Fortworth
International Airport, Texas.

Hello,

I am Assistant Special Agent Incharge Eric Jackson from the Federal Bureau of Investigation (FBI) Intelligence Field Unit, we Intercepted two consignment boxes at Dallas Fortworth International Airport, Texas, the boxes were scanned but found out that it contained large sum of money and also some backup documents which bears your name as the Beneficiary/Receiver of the money, Investigation carried out on the diplomat that accompanied the boxes into the United States, said that he was to deliver the fund to your residence as overdue payment owed to you by the Federal Government of Nigeria through the security company in the United Kingdom.

Meanwhile, we cross check all legal documents in the boxes but we found out that your consignment was lacking an important document and we cannot release the boxes to the diplomat until the document is found, right now we have no other choice than to confiscated your consignment.

According to Internal Revenue Code (IRC) in Title 26 also contain reporting requirement on a Form 8300, Report of Cash Payment Over $10,000 Received in a Trade or Business, money laundering activity may violate 18 USC 1956, 18 USC 1957, 18 USC 1960, and provision of Title 31, and 26 USC 6050I of the United States Code (USC), this section will discuss only those money laundering and currency violation under the jurisdiction of IRS, your consignment lacks proof of ownership certificate from the joint team of IRS and IRC, therefore you need to reply back immediately for direction on how to procure this certificate to enable us relieved the charge of evading the law on you, which is a punishable offense in the United States.

You are required to reply back within 72hours for normalization and release of your consignment boxes for onward delivery to your address, also you are instructed to desist from further contact with any bank(s) or person(s) in Nigeria or the United kingdom or any part of the world regarding your payment because your consignment has been confiscated by the Federal Bureau here in the United States.

Yours In Service,
Agent Eric Jackson,
Assistant Special Agent Incharge
FBI- Dallas Area Division.

The message headers (sanitized for security)

Received: from antispam.avgcloud.net (xxx.xxx.xxx.xxx) by myexch.mydomain.lcl
 (xxx.xxx.xxx.xxx) with Microsoft SMTP Server (TLS) id 14.3.361.1; Mon, 13 Nov 2017
 13:08:41 -0500
Received: (qmail 27086 invoked from network); 13 Nov 2017 17:41:26 -0000
Received: from unknown (HELO e1e-avg-web-01.avgcloud.local) (xxx.xxx.xxx.xxx)
 by 0 (rfx-qmail) with SMTP; 13 Nov 2017 17:41:26 -0000
Received: by e1e-avg-web-01.avgcloud.local (Reflexion email security
 v8.40.3) with SMTP; Mon, 13 Nov 2017 18:08:41 +0000 (UTC)
Received: (qmail 30715 invoked from network); 12 Nov 2017 03:18:07 -0000
Received: from unknown (HELO NMGEX01.NMG.COM) (68.195.241.147) by 0
 (rfx-qmail) with SMTP; 12 Nov 2017 03:18:07 -0000
Received: from User ([181.10.234.34]) by NMGEX01.NMG.COM with Microsoft
 SMTPSVC(6.0.3790.4675); Sat, 11 Nov 2017 22:18:06 -0500
Reply-To: <fbinfo@mail333.com>
From: FBI- Dallas Area Division <smith@instantmail.me>
Subject: FROM FEDERAL BUREAU OF INVESTIGATION (FBI)
Date: Sun, 12 Nov 2017 00:25:24 -0300
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
BCC:
Return-Path: smith@instantmail.me
Message-ID: <NMGEX013N2FWsoLsMZY0009bdd1@NMGEX01.NMG.COM>
X-OriginalArrivalTime: 12 Nov 2017 03:18:07.0092 (UTC) FILETIME=[DC124B40:01D35B64]
X-Rfx-Message-Id: 2190240614/1552817323/0001
X-Rfx-Recipient-Address: ooops@myemailaddress.com
X-MS-Exchange-Organization-AuthSource: myexch.mydomain.lcl
X-MS-Exchange-Organization-AuthAs: Anonymous

For those wondering… the IP address of interest is 181.10.234.34, the one in brackets in the bottom-most Received: line (the oldest hop). That line was stamped by NMGEX01.NMG.COM (68.195.241.147) and records the host that submitted the message to it; NMGEX01 then relayed the message on to the anti-spam service, which is consistent with the mail being pushed through somebody else’s server as suspected above. Two other headers agree with an Argentine origin rather than a Dallas one: the Date: header carries a -0300 offset, which is Argentina’s year-round UTC offset, while Dallas was on UTC-6 in November, and the body is declared as charset Windows-1251, the Cyrillic code page, an odd choice for a US agency. Keep in mind that only the Received: lines added by relays you trust are reliable; anything below them could have been written by the sender. So, if you’re really interested, following is the whois information for that IP address:

Whois Information

whois 181.10.234.34
[Querying whois.arin.net]
[Redirected to whois.lacnic.net]
[Querying whois.lacnic.net]
[whois.lacnic.net]

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2017-11-13 16:11:02 (BRST -02:00)

inetnum: 181.10.234.32/29 <-- IP Address Netblock that is now blocked
status: reallocated
owner: ROSSETTI CARLOS A.
ownerid: AR-RCAR2-LACNIC
responsible: LUIS BARO
address: GRAL PAZ, 629,
address: - CORDOBA -
country: AR               <-- Country code for Argentina
phone: +054 0347 2425825 []
owner-c: ADA
tech-c: ADA
abuse-c: ADA
created: 20160826
changed: 20160826
inetnum-up: 181.0/12

nic-hdl: ADA
person: Administrador Abuse
e-mail: abuse@TA.TELECOM.COM.AR
address: Alicia Moreau de Justo, 50, -
address: 1107 - Ciudad Autónoma de Buenos Aires -
country: AR
phone: +54 11 49684000 []
created: 20030211
changed: 20110316
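The header walk described above (read the Received: chain from the bottom up, pull out the first public address, sanity-check the other headers against the story the message tells) and the netblock block that followed the whois lookup, as an added example. This is not the author’s tool or the Avast/AVG service; it re-types the sanitized header block from this post as constructed input, and the blocklist holding 181.10.234.32/29 is an assumed local list seeded from the whois result above.

```python
"""Trace a message's origin from its Received: chain and run cheap triage checks.

Walks the Received: headers from the oldest hop (bottom) upward, reports the
first globally routable IPv4 address, flags header inconsistencies, and checks
the origin against a local CIDR blocklist.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the sanitized headers from the post (placeholders kept).
SAMPLE = """\
Received: from antispam.avgcloud.net (xxx.xxx.xxx.xxx) by myexch.mydomain.lcl
 (xxx.xxx.xxx.xxx) with Microsoft SMTP Server (TLS) id 14.3.361.1; Mon, 13 Nov 2017
 13:08:41 -0500
Received: (qmail 27086 invoked from network); 13 Nov 2017 17:41:26 -0000
Received: from unknown (HELO e1e-avg-web-01.avgcloud.local) (xxx.xxx.xxx.xxx)
 by 0 (rfx-qmail) with SMTP; 13 Nov 2017 17:41:26 -0000
Received: by e1e-avg-web-01.avgcloud.local (Reflexion email security
 v8.40.3) with SMTP; Mon, 13 Nov 2017 18:08:41 +0000 (UTC)
Received: (qmail 30715 invoked from network); 12 Nov 2017 03:18:07 -0000
Received: from unknown (HELO NMGEX01.NMG.COM) (68.195.241.147) by 0
 (rfx-qmail) with SMTP; 12 Nov 2017 03:18:07 -0000
Received: from User ([181.10.234.34]) by NMGEX01.NMG.COM with Microsoft
 SMTPSVC(6.0.3790.4675); Sat, 11 Nov 2017 22:18:06 -0500
Reply-To: <fbinfo@mail333.com>
From: FBI- Dallas Area Division <smith@instantmail.me>
Subject: FROM FEDERAL BUREAU OF INVESTIGATION (FBI)
Date: Sun, 12 Nov 2017 00:25:24 -0300
Content-Type: text/html; charset="Windows-1251"
Return-Path: smith@instantmail.me
Message-ID: <NMGEX013N2FWsoLsMZY0009bdd1@NMGEX01.NMG.COM>

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumed local blocklist, seeded from the /29 the whois lookup returned.
BLOCKED_NETS = [ipaddress.ip_network("181.10.234.32/29")]


def global_ips(received_value):
    """Globally routable IPv4 addresses in one Received: value, in order.
    Version strings like '14.3.361.1' match the regex but fail ipaddress
    validation; private, loopback and sanitized values are dropped too."""
    found = []
    for cand in IPV4_RE.findall(received_value):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue
        if ip.is_global:
            found.append(str(ip))
    return found


def trace_origin(raw):
    """Return (origin_ip, hops). hops is the chain oldest-first as
    (hop_no, unfolded_header, [global ips]); origin_ip is the first global IP
    in the oldest hop that has one, i.e. the host that handed the message to
    the first relay. Hops below your own trusted relays can be forged."""
    msg = message_from_string(raw)
    chain = list(reversed(msg.get_all("Received") or []))
    hops = [(n, " ".join(h.split()), global_ips(h)) for n, h in enumerate(chain, 1)]
    for _, _, ips in hops:
        if ips:
            return ips[0], hops
    return None, hops


def triage_flags(raw):
    """Header inconsistencies worth a second look (simple heuristics)."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_dom and reply_dom != from_dom:          # replies go elsewhere
        flags.append(f"reply-to-mismatch:{from_dom}!={reply_dom}")
    if "fbi" in from_name.lower() and not from_dom.endswith("fbi.gov"):
        flags.append(f"brand-impersonation:{from_dom}")  # display name vs domain
    offset = parsedate_to_datetime(msg["Date"]).utcoffset()
    hours = "unknown" if offset is None else f"{offset.total_seconds() / 3600:+.0f}"
    flags.append(f"date-utc-offset:{hours}")        # compare with claimed location
    return flags


def is_blocked(ip):
    """True if ip falls inside any netblock on the local blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


if __name__ == "__main__":
    origin, hops = trace_origin(SAMPLE)
    for n, text, ips in hops:
        print(f"hop {n}: {ips or '-'}  {text[:70]}")
    print("origin:", origin, "blocked:", is_blocked(origin))
    print("flags:", triage_flags(SAMPLE))
```

Run as-is it reports hop 1 as 181.10.234.34, hop 2 as 68.195.241.147 (the relay), the origin as blocked by the /29, and flags the Reply-To/From domain mismatch, the FBI display name on a non-fbi.gov address, and the -3 hour Date offset. The regex deliberately over-matches and lets ipaddress reject junk, which is simpler and safer than trying to write a regex that only matches valid dotted quads.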
