Announcement - Bitcoin blackmail scam

Dear clients,

Our team notice there is an increase of scamming with the following similarity subject globally.


“account target@domain.com is compromised”     


Reference:

US-CERT (United States Computer Emergency Readiness Team)

FBI (Federal Bureau of Investigation)

Intego (Security company)


We received similar scams as well on last week. Let's go through some of the header & content.


A) Email header + content

Any email divided into an Email header and Email body.

Email header record every single relay point of the email went through before reaching your mailbox.     

It is like how you trace your parcel from courier express when you purchase something online. 

    

 Received: from [12.12.12.123] (UnknownHost [12.12.12.123]) by mail.domain.com with SMTP;
    Thu, 26 Oct 2018 06:17:21 +0800
 Message-ID: <xxxxxx>
 From: <target@domain.com>
 To: <target@domain.com>
 Subject: account target@domain.com is compromised
 Date: 26 Oct 2018 06:00:12 +0800 


Suspicious 1:

I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it. Of course you can will change it, or already changed it.
But it doesn't matter, my malware updated it every time. Do not try to contact me or find me, it is impossible, since I sent you an email from your account.


Analysis

If you have my email account password, why not you direct  authenticate/relay over the mail server but need to send from a third party host [12.12.12.123] then pretend that you know my password?  


Suspicious 2:

Through your email, I uploaded malicious code to your Operation System.
 I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
 Also I installed a Trojan on your device and long tome spying for you.
 You are not my only victim, I usually lock computers and ask for a ransom.
 But I was struck by the sites of intimate content that you often visit.


Analysis

The spammer seems trying to put in pressure.  


If he/she is a real hacker who gotten “full access” to my laptop/desktop then he/she should deploy a ransomware but not perform a scam and wait for me to take the bait.


Suspicious 3:

So, when you had fun on piquant sites (you know what I mean!) I  made screenshot with using my program from your camera of yours device.
After that, I combined them to the content of the currently viewed site.
There will be laughter when I send these photos to your contacts! BUT I'm sure you don't want it.


Analysis
My spoiled camera already stop working for a period of time and the most frequent website i view is exabytes.com, now you really make me laugh, i get your  joke! LoL


Suspicious 4:

Therefore, I expect payment from you for my silence.
I think $852 is an acceptable price for it! Pay with Bitcoin.
My BTC wallet: 1DVU5Q2HQ4srFNSSaWBrVNMtL4pvBkfP5w If you do not know how to do this - enter into Google "how to transfer money to a bitcoin wallet". It is not difficult.
After receiving the specified amount, all your data will be  immediately destroyed automatically. My virus will also remove itself  from your operating system.


Analysis

It seems that you care more than me about the data leak and also provide me the steps how to make payment through Bitcoin.


This is also why we call it a "Bitcoin blackmail scam" =)


Suspicious 5:

My Trojan have auto alert, after this email is read, I will be know it!
I give you 2 days (48 hours) to make a payment. If this does not  happen - all your contacts will get crazy shots from your dark secret  life!And so that you do not obstruct, your device will be blocked (also  after 48 hours)


Analysis

Spammer! I read the similar mail from you last week, you did not keep track on that?


Email actually got a function “Read receipts” and why you need to spend time write a Trojan to track?     

Suspicious 6:

Do not be silly!
Police or friends won't help you for sure ... p.s. I can give you advice for the future. Do not enter your passwords on unsafe sites. I hope for your prudence.
Farewell.

 

Analysis

Finally, I saw a meaningful line in the whole content…Yes, Do not be silly with such scam and I will sure help my friends and clients by spreading out this information ^^ 

    

Bye Mr. Spammer and good try.


B) Domain Spoofing

Any domain in this internet can be a victim of domain spoofing.


We deploy SPF record to all shared hosting domains that use our DNS as default to reduce the damage of email spoofing.


The damage only can be reduce through the deploying of SPF, DKIM and DMARC but no technology at the moment that able to prevent domain spoofing.


Please feel free to contact our team by providing them the full email header via https://support.exabytes.com or drop a mail into support@exabytes.com if you need a further analysis.


How to get full email header?

Client here


Best Regards,


Support Team,
......................................

Technical Department