Blackmail scam from India

HyRax
Posts: 9
Joined: Tue Dec 16, 2008 7:03 am
Location: Sydney

Blackmail scam from India

Post by HyRax » Sun Dec 23, 2018 10:55 am

Received a blackmail email scam attempt this week:

Email subject:

Security Alert. You account has been hacked. Password must be need changed.

Email body:

Hello!

As you may have noticed, I sent you an email from your account.
This means that I have full access to your account: On moment of hack your account has password: MYPASSWORD

You say: this is the old password!
Or: I will change my password at any time!

Yes! You're right! 
But the fact is that when you change the password, my trojan always saves a new one!

I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this, transfer the amount of $768 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: 17zmnmqEUCesNz6UgXGbRk7fKnu8iq1q2J

After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best wishes!

The email headers are:

Return-path: <MYADDRESS@exemail.com.au>
Envelope-to: MYADDRESS@exemail.com.au
Delivery-date: Sun, 23 Dec 2018 03:37:16 +1100
Received: from chestnut2.exetel.com.au ([220.233.0.75])
    by chestnut.exetel.com.au with esmtp (Exim 4.89)
    (envelope-from <MYADDRESS@exemail.com.au>)
    id 1gakH6-0000D5-J2
    for MYADDRESS@exemail.com.au; Sun, 23 Dec 2018 03:37:16 +1100
Received: from ipmx2.po.exetel.com.au ([220.233.2.146] helo=mscip02.mailsentry.net.au)
    by chestnut2.exetel.com.au with esmtp (Exim 4.89)
    (envelope-from <MYADDRESS@exemail.com.au>)
    id 1gakH6-0006Kr-Gd
    for MYADDRESS@exemail.com.au; Sun, 23 Dec 2018 03:37:16 +1100
Received: from unknown (HELO [43.239.207.167]) ([43.239.207.167])
    by mscip02.mailsentry.net.au with ESMTP; 23 Dec 2018 03:37:14 +1100
Date: 18 Dec 2018 23:09:55 +0400
From: <MYADDRESS@exemail.com.au>
X-Priority: 3
Message-ID: <981113848.201812182324@exemail.com.au>
To: "MYPASSWORD" <MYADDRESS@exemail.com.au>
Subject: Security Alert. You account has been hacked. Password must be need changed.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

The sending IP originates from an ISP in India:

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '43.239.204.0 - 43.239.207.255'

% Abuse contact for '43.239.204.0 - 43.239.207.255' is 'admin@ganeshaisipl.in'

inetnum: 43.239.204.0 - 43.239.207.255
netname: GIS
descr: Ganesha Internet Services India Private Limited
admin-c: BB509-AP
tech-c: CD743-AP
country: IN
mnt-by: MAINT-IN-IRINN
mnt-irt: IRT-GIS-IN
mnt-routes: MAINT-IN-GIS
status: ASSIGNED PORTABLE
last-modified: 2015-08-17T07:27:03Z
source: APNIC

irt: IRT-GIS-IN
address: street No 7, Ward no 8, Ekta Nagri , Mandi , Dabwali,Mandi Dabwali,Haryana-125104
e-mail: admin@ganeshaisipl.in
abuse-mailbox: admin@ganeshaisipl.in
admin-c: BB509-AP
tech-c: CD743-AP
auth: # Filtered
mnt-by: MAINT-IN-GIS
last-modified: 2015-07-09T08:30:08Z
source: APNIC

role: Company Director
address: street No 7, Ward no 8, Ekta Nagri , Mandi , Dabwali,Mandi Dabwali,Haryana-125104
country: IN
phone: +91 9354270316
e-mail: admin@ganeshaisipl.in
admin-c: BB509-AP
tech-c: BB509-AP
nic-hdl: CD743-AP
mnt-by: MAINT-IN-GIS
last-modified: 2015-07-09T08:29:48Z
source: APNIC

person: Bharat Bhusan
address: street No 7, Ward no 8, Ekta Nagri , Mandi , Dabwali,Mandi Dabwali,Haryana-125104
country: IN
phone: +91 9354270316
e-mail: admin@ganeshaisipl.in
nic-hdl: BB509-AP
mnt-by: MAINT-IN-GIS
last-modified: 2015-07-09T08:29:29Z
source: APNIC

% Information related to '43.239.204.0/22AS58965'

route: 43.239.204.0/22
descr: Ganesha Internet Services India Private Limited
origin: AS58965
mnt-by: MAINT-IN-IRINN
mnt-routes: MAINT-IN-ANJANI
last-modified: 2018-04-09T06:43:34Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US4)

Normally I don't give these kinds of email a second thought, but in this instance, the email body also contained a password that I ONLY use with Exetel Mail (where MYPASSWORD is shown above).

Since I have only used this password here (not even on these forums), it is not possible to have used it by accident on a scam website as I rarely ever use the Webmail interface and always go to it directly rather than via link.

The email of course describes obtaining my password via malware installation, but I don't use Windows at all or traditional email clients for capture of my password to have occurred, so it seems that they may have somehow obtained it from an Exetel system directly, with the only other external access being a well-established mainstream-name email app on my phone.

I noticed, for example, that they never obtained and showed my Email display name. It's just the email address and the password only.

I also notice that Webmail is now using Roundcube. The last time I logged in to webmail some months ago, it was using Squirrel Mail - I'm wondering if the passwords database may have been compromised in that switch (whenever it occurred)?

Anyway, aside from the password concern, I'm posting this so others are aware of the scam as blackmail before Christmas is never fun for those more easily influenced by such messages.

Cheers.
I was going to procrastinate, but I put it off...
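To show how the header trace in the post above is worked out, here is an added example (not from the original post) that walks the Received chain with Python's standard email library, pulls the IP of the earliest hop (the one to look up in whois), and flags the two spoofing signs visible in those headers: a From address equal to the recipient, and a Date header days earlier than the first MTA timestamp. The header sample is a constructed copy of the post's headers trimmed to the relevant fields, with the poster's MYADDRESS/MYPASSWORD placeholders kept.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in the post, trimmed to the fields
# this check needs. Note the leaked password sits in the To: display name.
RAW_HEADERS = """\
Return-path: <MYADDRESS@exemail.com.au>
Envelope-to: MYADDRESS@exemail.com.au
Received: from chestnut2.exetel.com.au ([220.233.0.75])
    by chestnut.exetel.com.au with esmtp (Exim 4.89)
    for MYADDRESS@exemail.com.au; Sun, 23 Dec 2018 03:37:16 +1100
Received: from ipmx2.po.exetel.com.au ([220.233.2.146] helo=mscip02.mailsentry.net.au)
    by chestnut2.exetel.com.au with esmtp (Exim 4.89)
    for MYADDRESS@exemail.com.au; Sun, 23 Dec 2018 03:37:16 +1100
Received: from unknown (HELO [43.239.207.167]) ([43.239.207.167])
    by mscip02.mailsentry.net.au with ESMTP; 23 Dec 2018 03:37:14 +1100
Date: 18 Dec 2018 23:09:55 +0400
From: <MYADDRESS@exemail.com.au>
To: "MYPASSWORD" <MYADDRESS@exemail.com.au>
Subject: Security Alert. You account has been hacked.

"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def analyse(raw):
    """Return the entry-hop IP and simple spoofing indicators for one message."""
    msg = email.message_from_string(raw)
    # Each MTA prepends its own Received: line, so the last one in header
    # order is the earliest hop: where the mail entered the local mail system.
    received = msg.get_all("Received", [])
    entry_hop = received[-1] if received else ""
    m = IP_RE.search(entry_hop)
    origin_ip = m.group(1) if m else None
    # "from unknown" means the connecting host had no usable reverse DNS.
    no_rdns = entry_hop.lstrip().startswith("from unknown")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    # The scam claims "I sent you an email from your account": From == To.
    from_equals_to = bool(sender) and sender == recipient
    # Client-supplied Date vs. the timestamp the first MTA stamped on it.
    date_hdr = parsedate_to_datetime(msg["Date"])
    received_at = parsedate_to_datetime(entry_hop.rsplit(";", 1)[1].strip())
    skew_hours = (received_at - date_hdr).total_seconds() / 3600
    return {
        "origin_ip": origin_ip,
        "origin_no_rdns": no_rdns,
        "from_equals_to": from_equals_to,
        "date_skew_hours": round(skew_hours, 1),
    }


if __name__ == "__main__":
    print(analyse(RAW_HEADERS))
```

The origin IP here is the one the post resolves to an Indian ISP via APNIC whois; the self-addressed From and the five-day-old Date header are the usual marks of a mass-mailed template rather than a compromised mailbox.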

KrishanK
Exetel Staff
Posts: 64
Joined: Thu Jan 04, 2018 7:56 pm
Location: Sydney

Re: Blackmail scam from India

Post by KrishanK » Sun Dec 23, 2018 9:29 pm

We opened a new ticket with the reference no: 14005654 and raised it with our System Administrators with regards to your query.

You will be notified via email once an update is available.

zarb
Posts: 1
Joined: Tue Jan 01, 2019 8:51 pm

Re: Blackmail scam from India

Post by zarb » Tue Jan 01, 2019 9:49 pm

I have received exactly the same email to one of my Exetel email accounts.

My windows pc is regularly scanned for malware and none is ever found.

Strangely the password specified in the email was my mobile phone number - which I never use as a password!

KavindaS
Forum Admin
Posts: 1945
Joined: Wed Dec 23, 2009 3:59 pm
Location: Sydney

Re: Blackmail scam from India

Post by KavindaS » Wed Jan 02, 2019 8:03 pm

zarb wrote:
Tue Jan 01, 2019 9:49 pm
I have received exactly the same email to one of my Exetel email accounts.

My windows pc is regularly scanned for malware and none is ever found.

Strangely the password specified in the email was my mobile phone number - which I never use as a password!
The email you received appears to be a phishing scam and has not been sent by Exetel.

Please mark it as spam and delete the message and any attachments.
