Code: Select all
Security Alert. You account has been hacked. Password must be need changed.
Code: Select all
Hello! As you may have noticed, I sent you an email from your account. This means that I have full access to your account: On moment of hack your account has password: MYPASSWORD You say: this is the old password! Or: I will change my password at any time! Yes! You're right! But the fact is that when you change the password, my trojan always saves a new one! I've been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence. Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use. If you want to prevent this, transfer the amount of $768 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”). My bitcoin address (BTC Wallet) is: 17zmnmqEUCesNz6UgXGbRk7fKnu8iq1q2J After receiving the payment, I will delete the video and you will never hear me again. I give you 48 hours to pay. I have a notice reading this letter, and the timer will work when you see this letter. Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes. If I find that you have shared this message with someone else, the video will be immediately distributed. Best wishes!
The email headers are:
Code: Select all
Return-path: <MYADDRESS@exemail.com.au> Envelope-to: MYADDRESS@exemail.com.au Delivery-date: Sun, 23 Dec 2018 03:37:16 +1100 Received: from chestnut2.exetel.com.au ([220.127.116.11]) by chestnut.exetel.com.au with esmtp (Exim 4.89) (envelope-from <MYADDRESS@exemail.com.au>) id 1gakH6-0000D5-J2 for MYADDRESS@exemail.com.au; Sun, 23 Dec 2018 03:37:16 +1100 Received: from ipmx2.po.exetel.com.au ([18.104.22.168] helo=mscip02.mailsentry.net.au) by chestnut2.exetel.com.au with esmtp (Exim 4.89) (envelope-from <MYADDRESS@exemail.com.au>) id 1gakH6-0006Kr-Gd for MYADDRESS@exemail.com.au; Sun, 23 Dec 2018 03:37:16 +1100 Received: from unknown (HELO [22.214.171.124]) ([126.96.36.199]) by mscip02.mailsentry.net.au with ESMTP; 23 Dec 2018 03:37:14 +1100 Date: 18 Dec 2018 23:09:55 +0400 From: <MYADDRESS@exemail.com.au> X-Priority: 3 Message-ID: <firstname.lastname@example.org> To: "MYPASSWORD" <MYADDRESS@exemail.com.au> Subject: Security Alert. You account has been hacked. Password must be need changed. MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit
The sending IP orginates from an ISP in India:
Code: Select all
% [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '188.8.131.52 - 184.108.40.206' % Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' inetnum: 22.214.171.124 - 126.96.36.199 netname: GIS descr: Ganesha Internet Services India Private Limited admin-c: BB509-AP tech-c: CD743-AP country: IN mnt-by: MAINT-IN-IRINN mnt-irt: IRT-GIS-IN mnt-routes: MAINT-IN-GIS status: ASSIGNED PORTABLE last-modified: 2015-08-17T07:27:03Z source: APNIC irt: IRT-GIS-IN address: street No 7, Ward no 8, Ekta Nagri , Mandi , Dabwali,Mandi Dabwali,Haryana-125104 e-mail: firstname.lastname@example.org abuse-mailbox: email@example.com admin-c: BB509-AP tech-c: CD743-AP auth: # Filtered mnt-by: MAINT-IN-GIS last-modified: 2015-07-09T08:30:08Z source: APNIC role: Company Director address: street No 7, Ward no 8, Ekta Nagri , Mandi , Dabwali,Mandi Dabwali,Haryana-125104 country: IN phone: +91 9354270316 e-mail: firstname.lastname@example.org admin-c: BB509-AP tech-c: BB509-AP nic-hdl: CD743-AP mnt-by: MAINT-IN-GIS last-modified: 2015-07-09T08:29:48Z source: APNIC person: Bharat Bhusan address: street No 7, Ward no 8, Ekta Nagri , Mandi , Dabwali,Mandi Dabwali,Haryana-125104 country: IN phone: +91 9354270316 e-mail: email@example.com nic-hdl: BB509-AP mnt-by: MAINT-IN-GIS last-modified: 2015-07-09T08:29:29Z source: APNIC % Information related to '188.8.131.52/22AS58965' route: 184.108.40.206/22 descr: Ganesha Internet Services India Private Limited origin: AS58965 mnt-by: MAINT-IN-IRINN mnt-routes: MAINT-IN-ANJANI last-modified: 2018-04-09T06:43:34Z source: APNIC % This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US4)
Normally I don't give these kinds of email a second thought, but in this instance, the email body also contained a password that I ONLY use with Exetel Mail (where MYPASSWORD is shown above).
Since I have only used this password here (not even on these forums), it is not possible to have used it by accident on a scam website as I rarely ever use the Webmail interface and always go to it directly rather than via link.
The email of course describes obtaining my password via malware installation, but I don't use Windows at all or traditional email clients for capture of my password to have occurred, so it seems that they may have somehow obtained it from an Exetel system directly, with the only other external access being a well-established mainstream-name email app on my phone.
I noticed, for example, that they never obtained and showed my Email display name. It's just the email address and the password only.
I also notice that Webmail is now using Roundcube. The last time I logged in to webmail some months ago, it was using Squirrel Mail - I'm wondering if the passwords database may have been compromised in that switch (whenever it occurred)?
Anyway, aside from the password concern, I'm posting this so others are aware of the scam as blackmail before Christmas is never fun for those more easily influenced by such messages.