Sextortion Email Analysis


    Sextortion emails seem to be all the rage these days with criminals. Whilst highly imaginative, they are surprisingly successful, with recipients paying to not “be exposed” by criminals when in fact they have nothing to hide in the first place. Well, perhaps not: if you were truly innocent, then you’d simply say “knock yourself out” to any attacker. Below is my response to those burning questions.

    We’ve seen “scare-mail” (the process of attempting to blackmail recipients using a variety of techniques, with the perpetrator relying on the user to pay up in order to “save their reputation”) escalate at an alarming rate over the past month. As the format of these emails is mostly the same, I thought it made sense to provide a bit more information from the most prevalent campaign we’ve seen so far. Below is the verbiage (it varies depending on who sent it), along with my advice and commentary.

    Your account is now infected! Change the password right this moment!

    DON’T. There is no need to react to this.

    You may not know anything about me and you really are certainly interested for what reason you are reading this particular letter, is it right?

    WRONG. You’ve chosen me at random from a huge pool of addresses, and if I reply, you’ll know I exist, and then you’ll add me to a sucker’s list.

    I’m hacker who cracked your email and devices and gadgets two months ago.

    No, you didn’t. All you’ve done is to download the APOLLO.io breach database and target random email addresses.

    It will be a time wasting to try out to msg me or alternatively try to find me, in fact it’s impossible, because I forwarded you an email from YOUR hacked account.

    No, you didn’t. All you’ve done is set the reply-to address to match the one you’re attempting to extort funds from, which makes it look like you’ve hacked my account.

    I build in malware software on the adult vids (porn) site and suppose that you watched this website to have a good time (think you understand what I want to say). Whilst you were taking a look at movies, your internet browser started out to act as a RDP (Remote Control) that have a keylogger which gave me authority to access your display and webcam. Afterward, my program obtained all data. You have put passcodes on the web-sites you visited, and I caught them. Surely, you’ll be able to change them, or have already modified them. Even so it doesn’t matter, my program renews needed data regularly.

    If you say so. You really haven’t though.

    What actually did I do?

    Nothing 🙂

    I compiled a backup of every your system. Of all files and contacts. I got a dual-screen movie. The first screen displays the clip you had been observing (you’ve got an interesting preferences, ha-ha…), the 2nd part shows the movie from your own web camera. What exactly should you do?

    Delete this email and move on

    So, in my view, 1000 USD is a realistic price for our very little riddle. You will do the payment by bitcoins (in case you don’t understand this, go searching “how to buy bitcoin” in Google).

    USD 1,000? Sounds like a bargain… I don’t think so.

    My bitcoin wallet address: 1C242L8qAXRxudv6KBAahi81GHS5wpc8cF (It is cAsE sensitive, so copy and paste it).

    Hmm. Yes. Let’s have a look at that wallet of yours (the link is safe): https://bitref.com/1C242L8qAXRxudv6KBAahi81GHS5wpc8cF. Seeing as there’s nothing in there at all, you haven’t had much success, and I won’t be on your list either.

    Warning: You will have only 2 days to perform the payment. (I put an unique pixel in this message, and right now I understand that you have read through this email). To monitor the reading of a letter and the activity inside it, I set up a Facebook pixel. Thanks to them. (The stuff that is used for the authorities can help us.)

    No, you didn’t. There is no embedded pixel in this email.

    In case I fail to get bitcoins, I shall immediately direct your video files to each of your contacts, such as family members, co-workers, and many more?

    In the words of “Taken”…… “……Good Luck……”

    And there we have it. Totally fake, and designed only to incite fear and extort revenue. The only thing this message is fit for is the delete button.



    @DownPW absolutely. Then there’s also the cost of having to replace aging hardware - for both the production site, and the recovery location.


    @小城风雨多 I was a die-hard OnePlus user since the 6T, but my experience with the 9 series has left me extremely disappointed and I probably won’t go back now I have a Samsung S23+ which works perfectly.


    Just seen this post pop up on Sky News

    https://news.sky.com/story/elon-musks-brain-chip-firm-given-all-clear-to-recruit-for-human-trials-12965469

    He has claimed the devices are so safe he would happily use his children as test subjects.

    Is this guy completely insane? You’d seriously use your kids as Guinea Pigs in human trials?? This guy clearly has easily more money than sense, and anyone who’d put their children in danger in the name of technology “advances” should seriously question their own ethics - and I’m honestly shocked that nobody else seems to have a comment about this.

    This entire “experiment” is dangerous to say the least in my view as there is huge potential for error. However, reading the below article where a paralyzed man was able to walk again thanks to a neuro “bridge” is truly ground breaking and life changing for that individual.

    https://news.sky.com/story/paralysed-man-walks-again-thanks-to-digital-bridge-that-wirelessly-reconnects-brain-and-spinal-cord-12888128

    However, this is reputable Swiss technology at its finest - Switzerland’s Lausanne University Hospital, the University of Lausanne, and the Swiss Federal Institute of Technology Lausanne were all involved in this process and the implants themselves were developed by the French Atomic Energy Commission.

    Musk’s “off the cuff” remark makes the entire process sound “cavalier” in my view and the brain isn’t something that can be manipulated without dire consequences for the patient if you get it wrong.

    I daresay there are going to be agreements composed by lawyers which each recipient of this technology will need to sign so that it exonerates Neuralink and its executives of all responsibility should anything go wrong.

    I must admit, I’m torn here (in the sense of the Swiss experiment) - part of me finds it morally wrong to interfere with the human brain like this because of the potential for irreversible damage, although the benefits are huge, obviously life changing for the recipient, and in most cases may outweigh the risk (at what level I cannot comment not being a neurosurgeon of course).

    Interested in other views - would you offer yourself as a test subject for this? If I were in a wheelchair and couldn’t move, I probably would I think, but would need assurance that such technology and its associated procedure is safe, which at this stage, I’m not convinced is a guarantee that can be given. There are of course no real guarantees with anything these days, but this is a leap of faith that once taken, cannot be reversed if it goes wrong.


    @DownPW yes, exactly my point.


    @Panda said in Wasting time on a system that hangs on boot:

    Why do you prefer to use KDE Linux distro, over say Ubuntu?

    A matter of taste really. I’ve tried pretty much every Linux distro out there over the years, and whilst I started with Ubuntu, I used Linux Mint for a long time also. All of them are Debian backed anyway 😁

    I guess I fell in love with KDE (Neon) because of the amount of effort they’d gone to in relation to the UI.

    I agree about the lead and the OS statement which is why I suspect that Windows simply ignored it (although the Device also worked fine there, so it clearly wasn’t that faulty)


    The dodgy email has been around for some time, often varying in complexity. In most cases, the attempt at spoofing one of these emails is generally very poor. Ranging from incorrect fonts, colour schemes, and overall layout, most of these are really easy to spot. However, the game seems to have been “upped” somewhat over the past few months, and yesterday evening, I received this very convincing email, supposedly from PayPal, in my inbox.

    Now, to the untrained eye, this could look very convincing indeed. Should we do as they ask? Hold it right there. Let’s break down this email by first looking at the address to see who actually sent it.

    Yeah, that’s not PayPal, is it? It’s some random address a somewhat nefarious individual has created in order to make it look like it’s from PayPal themselves. In most cases, the fake address is easily masked by placing the “real” one as the displayed “sent from” name - in this instance, it looks as though PayPal sent it, but if you dig deeper, this isn’t the case.

    Another way we can see where the message originated from is to check the message headers themselves.

    The first 5-10 lines of the message header give us insight into the origins of the message. Here are those very lines from the message I received:

    Received: from 10.200.76.142 by atlas220.free.mail.ir2.yahoo.com with HTTPS; Thu, 9 Dec 2021 22:22:26 +0000
    Return-Path: <9C1pbZ6mPTYKkb0ENR1h4vEzyvGs2GiPxdcooHot@paktron.info>
    X-Originating-Ip: [209.85.128.103]
    Received-SPF: pass (domain of paktron.info designates 209.85.128.103 as permitted sender)
    Authentication-Results: atlas220.free.mail.ir2.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=paktron.info;

    As you can see from the last line, the domain that ACTUALLY sent the message (the SPF-checked envelope sender, smtp.mailfrom) was “paktron.info”, and definitely not PayPal.

    Digging even further, we can also see that “paktron.info” uses Gmail to relay its emails: note the Google DKIM signature (d=1e100.net) and the final Received line showing the message being handed to smtp-relay.gmail.com.

    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:to:from:subject:message-id:mime-version :content-transfer-encoding; bh=JDzBYqxLWbyz1euLpGy5I34M1DgaEIWD1DyTSYgKsOU=; b=TfLkxbgWVIYonMrIzqbetxzD+F1D3Tf4wHm+l4svGqQH96cM0Og7XVAQtnfe2taJ8c g4T71omH7gq2AGk3zzz09RjjyE47taZhx1p5VhZWkQ93LuAnRZvszLg+QkW59SIHqBs0 bgUzEKtJN3V4pm8YX4XR8KE6+OBRs4ma6GbnOg2n0xW5RPN6WBDihA3PyYB9Ve4GOS+H DCaOlLdJcBq7ftf3ska5Jp4vOAcM/ZTJ0hgjv8ZUf7N08a7gUTcKRnykRkwn0hYUnjlh lImEHPd8S1e4lGLFPpJVMkp1EvRgRBjcPbPIOlcSCgpeBlq2MOFdywcjbHWG2ptC5g5W rP7A==
    X-Gm-Message-State: AOAM531L2V7LNH6Y/goIZUfnCa5gvlMbyHFvBdrK/9PBccraWnlFrqkr zwyg/3GLjdJrLPJTVWHmgzlc2QEzzZ9tlHG4hRyBao96vaifQ9enb75yoAEM5jzUDA==
    X-Google-Smtp-Source: ABdhPJwpppASrcH9t3k4kQJ12BODF4ra+WqBwbTQJMjq3PIk+TIemDoplAtzOjynJsvKoSe0ECKHYHQQNxu1
    X-Received: by 2002:a1c:ed0a:: with SMTP id l10mr10968558wmh.140.1639088545974; Thu, 09 Dec 2021 14:22:25 -0800 (PST)
    Received: from notifications-317.loccitane.com ([2a04:ecc0:8:a8:4567:234f:0:1]) by smtp-relay.gmail.com with ESMTPS id m15sm75873wmg.19.2021.12.09.14.22.25
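    The checks performed by eye above can be scripted. The following is an added example, not code from this post: it parses the header lines quoted above with Python’s standard email module and reports the envelope domain, the relay hops and the authentication results. The From:, To: and Reply-To: lines in the sample are constructed (the post does not show them), and the Reply-To check covers the “mail sent from your own hacked account” trick described in the sextortion post above.

```python
"""Automate the header triage walked through by hand in the post.

Added example, not the post's code. The Received / Return-Path / SPF /
Authentication-Results lines are the ones quoted in the post; the From:,
To: and Reply-To: lines are constructed so the sender checks have input.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

SAMPLE = """\
Received: from 10.200.76.142 by atlas220.free.mail.ir2.yahoo.com with HTTPS; Thu, 9 Dec 2021 22:22:26 +0000
Return-Path: <9C1pbZ6mPTYKkb0ENR1h4vEzyvGs2GiPxdcooHot@paktron.info>
X-Originating-Ip: [209.85.128.103]
Received-SPF: pass (domain of paktron.info designates 209.85.128.103 as permitted sender)
Authentication-Results: atlas220.free.mail.ir2.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=paktron.info;
Received: from notifications-317.loccitane.com ([2a04:ecc0:8:a8:4567:234f:0:1]) by smtp-relay.gmail.com with ESMTPS id m15sm75873wmg.19.2021.12.09.14.22.25
From: "PayPal" <service@paktron.info>
To: victim@example.com
Reply-To: victim@example.com

"""


def addr_of(value) -> str:
    """Bare, lower-cased address from a header value ('' if none)."""
    return parseaddr(str(value or ""))[1].lower()


def domain_of(value) -> str:
    return addr_of(value).rpartition("@")[2]


def auth_results(value) -> dict:
    """method=result pairs (plus smtp.mailfrom) from Authentication-Results."""
    return dict(re.findall(r"([\w.]+)=([\w.-]+)", str(value or "")))


def relay_chain(msg) -> list:
    """Hostname after 'by' in each Received: line, newest hop first."""
    hops = []
    for received in msg.get_all("Received", []):
        m = re.search(r"\bby\s+(\S+)", str(received))
        if m:
            hops.append(m.group(1))
    return hops


def triage(raw: str, brand: str, brand_domains: set) -> dict:
    """Facts the post reads off the header, plus a list of findings."""
    msg = message_from_string(raw, policy=default)
    display_name = parseaddr(str(msg.get("From", "")))[0]
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    auth = auth_results(msg.get("Authentication-Results"))
    findings = []
    if brand.lower() in display_name.lower() and from_domain not in brand_domains:
        findings.append(f"display name says {brand} but From: domain is {from_domain}")
    if envelope_domain and envelope_domain not in brand_domains:
        findings.append(f"envelope sender (Return-Path) is {envelope_domain}")
    if auth.get("spf") == "pass" and auth.get("smtp.mailfrom") not in brand_domains:
        # An SPF pass only says the sending IP may send for the MAIL FROM domain
        findings.append(f"SPF pass vouches for {auth.get('smtp.mailfrom')}, not {brand}")
    if auth.get("dkim", "none") != "pass":
        findings.append(f"dkim={auth.get('dkim', 'none')}: nothing ties the mail to a domain")
    reply_to = addr_of(msg.get("Reply-To"))
    if reply_to and reply_to == addr_of(msg.get("To")):
        # The sextortion trick: Reply-To (or From) set to the recipient's own address
        findings.append("Reply-To equals the recipient address (forged, not a hacked account)")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "relays": relay_chain(msg), "auth": auth, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE, "PayPal", {"paypal.com"}).items():
        print(f"{key}: {value}")
```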

    And to confirm this, a quick “whois” will show us that the domain registrar is in fact Google.

    Admittedly, it has privacy protection, so it’s not “Google” per se, but the domain was registered in November 2021 and is relatively new, so it’s pretty clear its purpose is solely to send malicious email, given that there is no web presence for it.

    If we also look at the underlying source code of the message we received, we can see that the “Login to PayPal” button isn’t all it seems - in fact, it wants to send us somewhere completely different - no doubt a malicious site that looks like PayPal, but in fact isn’t.

    target="_blank" href="https://l.wl.co/l?u=https%3A%2F%2Fme2.do%2FG0YhbPsc&signature=JmhXt100uR&trackingid=JijD70jaqr27E&amp=1" style="text-decoration:none;color:#ffffff !important;white-space:nowrap;">𝖫𝗈𝗀𝗂𝗇 𝗍𝗈 𝖯𝖺𝗒𝖯𝖺𝗅 </a></td>

    It’s becoming increasingly common for attackers to “hide” malicious links inside URL shorteners in an attempt to mask the real link. Clicking on this link within a sandbox environment takes us here:

    And if we check the URL itself against the vast variety of malicious link checkers, we can easily see that it’s not all it purports to be.

    And there you have it. It’s a known “phishing” site - so called because it is literally “fishing” for information that you could well readily provide, thinking it was your PayPal account you were logging into. Chances are that nothing would actually happen once you submitted your details, but all you’ve done here in fact is provide the login ID and password of your PayPal account to an attacker.

    One of the best ways of avoiding this scenario in the first place is of course to question the email being sent. For example:

    Does the email address of whoever sent it match any of PayPal’s?
    Are there grammatical errors such as poor spelling, or generally bad punctuation?
    If you hover your mouse over any buttons or links, most email clients will show you the link that is hiding underneath it. Does it look like PayPal?
    Is the address you’ve received the email on actually registered anywhere with PayPal?
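    The “hover over the button” check can be automated on the anchor quoted earlier in this post. This is an added example, not code from the post: it pulls the href out of the fragment, peels the shortener’s u= parameter offline without visiting anything, and NFKC-normalises the button text, which the markup sets in Mathematical Sans-Serif letters rather than plain ASCII. The brand domain set is an assumption.

```python
"""Unwrap the post's "Login to PayPal" button without clicking it.

Added example, not the post's code. BUTTON_HTML is the anchor fragment
exactly as quoted in the post (it starts mid-tag, which is fine here).
"""
import re
import unicodedata
from urllib.parse import parse_qs, urlsplit

BUTTON_HTML = (
    'target="_blank" href="https://l.wl.co/l?u=https%3A%2F%2Fme2.do%2FG0YhbPsc'
    '&signature=JmhXt100uR&trackingid=JijD70jaqr27E&amp=1" '
    'style="text-decoration:none;color:#ffffff !important;white-space:nowrap;">'
    '𝖫𝗈𝗀𝗂𝗇 𝗍𝗈 𝖯𝖺𝗒𝖯𝖺𝗅 </a></td>'
)

# Query parameters that redirect services commonly use to carry the real target
REDIRECT_KEYS = ("u", "url", "redirect", "target", "q")


def unwrap(url: str, max_hops: int = 5) -> list:
    """Follow URLs nested in query parameters, offline. Returns the chain."""
    chain = [url]
    for _ in range(max_hops):
        params = parse_qs(urlsplit(chain[-1]).query)  # parse_qs percent-decodes
        nested = next((params[k][0] for k in REDIRECT_KEYS if k in params), None)
        if not nested or not nested.lower().startswith(("http://", "https://")):
            break
        chain.append(nested)
    return chain


def inspect_button(fragment: str, brand: str, brand_domains: set) -> dict:
    """Compare what the button says with where the link actually goes."""
    href = re.search(r'href="([^"]*)"', fragment).group(1)
    raw_text = re.search(r">([^<]*)</a>", fragment).group(1)
    # NFKC folds compatibility look-alikes (maths letters etc.) to plain ASCII
    text = unicodedata.normalize("NFKC", raw_text).strip()
    chain = unwrap(href)
    hosts = [urlsplit(u).hostname for u in chain]
    findings = []
    if text != raw_text.strip():
        findings.append("button text uses look-alike Unicode letters, not ASCII")
    if len(chain) > 1:
        findings.append("link is wrapped in " + " -> ".join(hosts[:-1]))
    if brand.lower() in text.lower() and hosts[-1] not in brand_domains:
        findings.append(f"'{text}' points at {hosts[-1]}, not {brand}")
    return {"text": text, "hosts": hosts, "findings": findings}


if __name__ == "__main__":
    for key, value in inspect_button(BUTTON_HTML, "PayPal", {"paypal.com"}).items():
        print(f"{key}: {value}")
```

    The last hop this reveals is itself a short link, so its destination still has to be resolved in a sandbox, as the post did; the point is that the mismatch between the button text and the link host is visible before anything is visited.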

    Protection of your PayPal account is key. One of the strongest methods of protection is to enforce two factor authentication. This essentially extends the login requirement to a username, password, and something only you have - in this case, the 6 digit code (or push notification if you use the PayPal app itself) which is only available on a device in your possession. Even if an attacker did manage to get your username and password, they still wouldn’t be able to login without the code being provided.

    Having said that, it’s not difficult to hijack a SIM card so that any attacker wanting to obtain the two factor code via SMS could actually be in a position to do so.

    That’s a topic of discussion for another post though… 🙂

    Stay safe out there - let me know if any questions.

    Identity theft and fraud have been commonplace for a number of years, but have taken on various different forms. Several years ago, the basis of identity theft required the perpetrator to gain as much physical information as possible concerning the intended target. With personally identifiable information being siphoned out of businesses, and GDPR regulation landing in 2018, I thought it would be a good idea to get an article out that identifies the most common types of identity fraud, and how easily information can be obtained - not necessarily through social engineering, but from your own rubbish.

    What is needed to commit identity fraud?

    Such information would typically be anything that could be classed as “personally identifying” – mail for example. A utility bill could be presented as proof of identity in order to obtain services or other financial gain by impersonating that individual. Most mail we receive through the postal system these days is often junk, but the odd element will contain a wealth of information that is a gold mine to an identity thief looking to commit fraud.

    Before the onset of the internet as we know it today, an identity thief had to work for this information in ways that are seldom deployed in today’s threat landscape (but still used nonetheless). Such activity meant sorting through rubbish (or trash – dependent on your locale), with the sole aim of finding material that could be used to perform impersonation. This activity has actually become simpler and cleaner over the years, mainly thanks to new recycling laws that separate the real rubbish from what an identity thief is looking for. In actual fact, all any potential thief has to do is steal the recycling bag itself – thus not only improving productivity, but also increasing the chances of extraction dramatically. Nobody is going to be that concerned about their rubbish going missing – they threw it out, so asking for it back would raise the inevitable question as to why you disposed of it in the first place if you wanted to keep it.

    Anything with your name and address on it is an excellent start, but it isn’t enough. For this to be beneficial, an identity thief would need your date of birth. You’d think that this would be difficult to obtain. In actual fact, it isn’t. Using a variety of techniques, an identity thief can extract this information from other sources such as electoral systems, census records, and most family tree research systems. The information will be buried yet available somewhere, and it just needs to be exposed. How much time an identity thief needs to invest in this activity varies dependent on the prize – nobody wants to be knee deep in rotting produce unless there is a significant reward at the end of it.

    Why is a date of birth so important?

    Your date of birth is often required when completing loan applications (for example), and without this, an identity thief cannot procure services or gain access to a financial source easily. It’s like the missing piece of a puzzle. Without that piece, you have most of the picture, but not all of it. Any missing components required for identity theft to be possible can also be extracted from sources much closer to you than you’d think. Using a variety of techniques – most of them social – any thief can extract the required information without too much effort. The most common approach is to leverage social media.

    The identity thief pretends that they know the individual to one of your friends or associates, and is then able to engage them in conversation. The incredible fact about social media is that people tend to post a variety of information that they probably wouldn’t if they were to think twice about it, and this vulnerability is surprisingly simple to exploit. Facebook, for example, allows you to see the profiles of any other connection your new “friend” has, and vice versa. Too much information in these profiles that is on public display is the low hanging fruit that is required for identity theft to become a realistic prospect.

    As this technique relies solely on trust, and the source of the information provides the missing pieces of their own free will and volition, no crime is actually committed. Trust is the key element for this method of extraction to succeed – and in most cases, it does.

    My post box is susceptible? Why?

    Another simple mechanism of obtaining information is intercepting post intended for the target. This sounds like a difficult task, and for housing estates, you’d probably have to kidnap the postman in order to gain access to the mail (just kidding). However, there have been some occasions where mail has been inadvertently given to someone else impersonating the occupier of the intended address. This practice was rife at one point, and now most postal services will not hand over mail unless they can post it through the letterbox, or leave it at a designated collection point.

    And here is the real vulnerability. In apartment blocks, flats, or shared complexes, mail is typically left in mailboxes that require a key to access. The idea is that the intended recipient holds the key, and collects their mail from the mailbox. In most cases, it is a fairly simple process to either extract mail from this box via the letter opening (it sounds crazy, but you can actually get your fingers into the slot and if someone left a parcel, a letter could be sitting on top, and be within easy reach), or use brute force to break the lock and gain access this way. In the UK, personal post boxes aren’t commonplace if you live in a house, as the doors often have letter boxes designed to deliver directly into the property - enhancing security. This isn’t necessarily the same for multi-dwelling apartments, but in most cases, each door has its own letterbox. I recently had a new door fitted to the front of my house, and it had no place for a letterbox. Based on this, I decided to purchase a wall mounted post box. Despite being made of metal and looking sturdy, it was simple to gain direct entry to without the keys through the opening at the top. This was designed to accept parcels and standard letters, but in most cases (for me anyway), was wide enough for a hand to reach inside and intercept mail. Not sure what I’m getting at? Have a look at the below.

    The picture above is my (hairy) hand and arm inserted into my own post box - it’s a little difficult to see the full effect, but it does give you a clear indicator of how simple this method of retrieving mail actually is. Various fraud and identity theft instances have been reported over the years, and the extraction point is often identified as the mailbox. As outrageous as it sounds, an identity thief could (and this has actually happened in the past):

    1. Apply for a loan in your name
    2. Intercept your post for the application form
    3. Sign this as you, and return the form
    4. Wait for the loan to be approved
    5. Collect the requested loan amount from the account they set up in your name
    6. Not repay the loan, leaving you responsible for the total amount as far as the lender is concerned.

    Once an identity thief has access to your personal information, they can then use this to create new identities to sell on to others. And it is not just the living that have been subjected to this type of fraud. The deceased are often the target of identity theft, as there is generally nobody to question or challenge this, unless a relative receives a demand for payment of an outstanding debt that has been accrued since they passed away. As simple as it sounds, a thief just needs to review the obituaries in the local newspaper to identify a potential target. This will contain the name, age, and in several cases, the date of birth – or a simple mechanism of retrieving this information.

    Given the relatively simple steps above, you are able to see how identity theft works. Not so complex after all, is it? So how can we prevent it, or at the very best, lessen its impact?

    1. Arrange for your bank statements and utility bills to be sent to you electronically, and not by post.
    2. Regularly check your bank accounts for unauthorised or unexpected activity.
    3. Perform frequent credit checks to ensure that you are not being denied credit or being blacklisted – either of these is a sign of recent identity fraud.
    4. Do not place sensitive documents in your recycling unless they have been shredded – preferably by a cross-cut device to prevent reassembly. A bag of ribbons is unappealing to an identity thief.
    5. Secure your letter or post box in such a way that makes tampering very difficult, if not nearly impossible. My advice here is to abide by the law, and not make the device a booby trap if opened.
    6. Do not become complacent – exercise caution when disposing of or storing sensitive documents.
    7. For the truly paranoid, there’s a galvanized incinerator. It sounds technical, but is really just a bin with a chimney, designed for burning paper and garden waste. You may need to check with your local authority before using one of these - there may be conditions governing their use in restricted areas, as the smoke emitted can be quite unforgiving to drying laundry in neighbouring gardens / yards, or hazardous to breathe in dependent on proximity and the material being burnt.

    Deploying these simple techniques can reduce your chances of being exposed to the risk of identity theft, and you’ll be surprised at just how effective they can be.

    Remember - each of these techniques relies on the sole point of vulnerability - human nature. Don’t expose your identity unnecessarily.