Extortion Spam

by Vince
in Blog

"This account has been hacked! Change your password right now!"

That's a pretty scary subject line, and it's one of the latest tactics used in spam emails that attempt to extort money from the recipient. We've seen variations of this message that include one of the recipient's passwords; this one in particular does not.

The message further states:

"You may not know me and you are probably wondering why you are getting this e mail, right?  I’m a hacker who cracked your email and devices a few months ago."

"Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account."

The message goes on to claim that malware infected my devices when I visited "adult" websites, that a keylogger was installed, and that images from my webcam and screen have been captured. The extortion part boils down to this: I need to cough up $1000 in bitcoin or all of those captures will be sent to my contacts.

Any of us can be hacked, so we should take these messages somewhat seriously, but let's pick through this one.

"I sent you an email from YOUR hacked account." -- If this message really had been sent from MY account, we probably wouldn't see another SMTP address sending it on behalf of my address; we would just see my name.

Checking "Delegates", to be certain lifeng is not listed:

No delegates listed.  

But let's take this a step further and dig into the headers.  We choose File:

Down at the bottom, we choose Properties:

And we look at this particular spot in the headers:

There are some other things wrong with the headers but let's just focus on --

Sender IP is 122.14.204.230

I'm supposedly receiving an email from MY mail server, which should mean that when I look up this Sender IP, it resolves to my mail server:

I'm pretty sure my mail server is NOT in China.  
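The header walk above is exactly the check a mail admin or SOC analyst repeats for every one of these messages: does the connecting IP belong to our own mail servers, and is some other SMTP address sending "on behalf of" the From address? Here is that check as a small Python script. It is an added example and not part of the original post. The two header blocks are constructed for illustration; 122.14.204.230 is the Sender IP quoted above, while the hostnames, domains, message ids, the `203.0.113.0/24` range and the `lifeng@spammer.example` address are invented. Because it runs offline, "is this IP ours" is answered against a constructed allowlist rather than the live reverse lookup the post performs.

```python
"""Triage the 'sent from YOUR hacked account' claim from raw mail headers.

Added example, not from the original post.  All hostnames, domains,
message ids and IP ranges are constructed; 122.14.204.230 is the Sender
IP quoted in the post.  Runs offline: IP ownership is decided against a
constructed allowlist instead of a live DNS/WHOIS lookup.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed extortion message.  The From address is the victim's own,
# but the envelope sender, the Sender header and the connecting IP are not.
SCAM_HEADERS = b"""\
Return-Path: <lifeng@spammer.example>
Received: from mail.spammer.example (mail.spammer.example [122.14.204.230])
  by mx.example.com with ESMTP id 4XyZ0001; Mon, 5 Nov 2018 10:11:12 +0000
X-Sender-IP: 122.14.204.230
Authentication-Results: spf=fail (sender IP is 122.14.204.230)
  smtp.mailfrom=spammer.example; dkim=none; dmarc=fail action=none
  header.from=example.com
From: "victim@example.com" <victim@example.com>
Sender: lifeng@spammer.example
To: victim@example.com
Subject: This account has been hacked! Change your password right now!

"""

# Constructed control message that really did leave the victim's server.
LEGIT_HEADERS = b"""\
Return-Path: <victim@example.com>
Received: from smtp.example.com (smtp.example.com [203.0.113.10])
  by mx.example.com with ESMTP id 4XyZ0002; Mon, 5 Nov 2018 10:12:00 +0000
X-Sender-IP: 203.0.113.10
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
  smtp.mailfrom=example.com; dkim=pass; dmarc=pass action=none
  header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: note to self

"""

OUR_DOMAIN = "example.com"                                    # constructed
OUR_OUTBOUND_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def sender_ip(msg):
    """IP of the host that handed the message to our MX.

    Prefer an X-Sender-IP stamp if the receiving platform adds one;
    otherwise take the bracketed IP from the topmost Received header,
    which is the hop our own MX recorded and the only one we can trust.
    """
    stamped = msg.get("X-Sender-IP")
    if stamped:
        return str(stamped).strip()
    for received in msg.get_all("Received", []):
        m = IP_RE.search(str(received))
        if m:
            return m.group(1)
    return None


def triage(raw_headers, our_domain, our_nets):
    """Return the facts a reviewer checks against the 'hacked account' story."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_headers)
    from_domain = domain_of(msg.get("From"))
    # Outlook shows "X on behalf of Y" when Sender differs from From.
    actual_sender = msg.get("Sender") or msg.get("Return-Path")
    actual_domain = domain_of(actual_sender)
    ip = sender_ip(msg)
    ip_is_ours = ip is not None and any(
        ipaddress.ip_address(ip) in net for net in our_nets)
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    findings = {
        "from_domain": from_domain,
        "actual_sender_domain": actual_domain,
        "on_behalf_of_mismatch": actual_domain != from_domain,
        "sender_ip": ip,
        "ip_is_ours": ip_is_ours,
        "spf_result": spf.group(1).lower() if spf else None,
    }
    # The claim only holds if our own server sent it, nobody else is
    # sending on its behalf, and SPF did not reject the sending host.
    findings["claim_holds"] = (
        from_domain == our_domain
        and ip_is_ours
        and not findings["on_behalf_of_mismatch"]
        and findings["spf_result"] != "fail"
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, triage(raw, OUR_DOMAIN, OUR_OUTBOUND_NETS))
```

Run it on the raw headers copied out of the Properties dialog (paste them in place of the constructed block) and replace `OUR_OUTBOUND_NETS` with the ranges your own servers send from. For the scam sample the script reports a sender IP outside those ranges, a Sender domain that differs from the From domain and an SPF failure, so `claim_holds` is false; the control message, which genuinely came from the victim's own server, passes all three checks.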

We knew this was a fake, but what's really scary is how the English is almost there. Not quite, but almost. When we get to the point where the message has perfect English, the sender IP is believable, and the sender uses a doppelganger domain, we'll have arrived at the next level of this back and forth -- not with this particular avenue of attack, but in the NextGen of phishing in general. Think about it: a perfectly worded email with a very realistic scenario and none of the obvious telltale signs. That will be scary, and I don't see how we're not headed in that direction.