Mandela’s Millions

In December, we registered ‘Nigerian’ mailings exploiting the theme of Nelson Mandela’s death to trick users. The same topic is still inspiring spam mailings in January, but this time the messages differ in two parts of the content: the intro and the author’s signature. At first glance there seemed to be nothing in common between the emails.

For example, the first email was written on behalf of Mandela’s granddaughter, while the author of the second message claimed to be the chairman of one of Mandela’s funds. These names appeared in the ‘From’ field and in the signature at the end of the message. The supposed granddaughter from the first email wrote about a fund whose chairman turns out to be the author of the second email. The remaining text of both messages was identical down to the last letter.

The ‘Nigerian’ scammers used their traditional trick: they informed the user that, before his death, Nelson Mandela had given instructions to distribute $20 million from the fund to randomly selected people around the world, and that the recipient of the email was, of course, among the ten lucky people. For more information about this windfall, the victim had to contact the author of the email. In the ‘granddaughter’ message the contact address was different from the sender’s address; the ‘chairman’ suggested no alternative contacts. Another distinctive feature of the mass mailing was the scammers’ attempt to link their ‘Nigerian letters’ to the recent holidays: Christmas and New Year were mentioned both in the subject and at the end of the email.
