A Follow Up To The Latest Extortion Phishing Scam Emails

You may recall that I have done a pair of stories a new extortion phishing scam that was brought to my attention. Now while the emails themselves are kind of lame. I decided to delve into them a bit more to figure out where they were coming from. One of the things that I did was look at the headers of the emails in question as they have all sorts of useful information. In the second one, I saw this:

Received: ⁨from mx.c.anonymousobserver.ga ([]:56230) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <raguel-195@c.anonymousobserver.ga>) id 1glTYW-0005Bn-25 for nerd@theitnerd.ca; Mon, 21 Jan 2019 01:59:44 -0500⁩

Received: ⁨from [] (mx.c.anonymousobserver.ga []) by mx.c.anonymousobserver.ga (Postfix) with ESMTP id 43jhwd5F8Lz502M for <nerd@theitnerd.ca>; Mon, 21 Jan 2019 06:49:04 +0000 (UTC)⁩

And in the first one, I saw this:

Received: ⁨from mx.d.anonymous-hacking.ga ([]:39250) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <leon_287@d.anonymous-hacking.ga>) id 1gkLCk-00077y-5l for nerd@theitnerd.ca; Thu, 17 Jan 2019 22:52:28 -0500⁩

Received: ⁨from [] (mx.d.anonymous-hacking.ga []) by mx.d.anonymous-hacking.ga (Postfix) with ESMTP id 43gmN72blHz4fXV for <nerd@theitnerd.ca>; Fri, 18 Jan 2019 03:17:42 +0000 (UTC)⁩

I bolded the most relevant parts of this which is the sending servers .They are different. But not as much as you would think. I then ran a whois command on both domains unsurprisingly, they came back very similar:

screen shot 2019-01-22 at 5.47.35 pmscreen shot 2019-01-22 at 5.47.53 pm

So Gabon is on the west coast of Central Africa. Located on the equator. But the key thing is that both domains appear to be registered to the “Agence Nationale des Infrastructures Numériques et des Fréquences” which according to this LinkedIn page (translated into English) does this:

The National Agency for Digital Infrastructures and Frequencies (ANINF), a government agency in Gabon, is an instrument that is part of the national strategy for digital development in Gabon.

The ANINF declines, through its sovereign missions, by the development of digital infrastructure throughout the national territory, the harmonious management of the frequency spectrum, the coherent development of e-Government applications, management and control resources related to IT, audiovisual and telecommunication investments in the Republic of Gabon.

That’s interesting. But I don’t see a government agency running an extortion phishing scam. Though anything is possible I suppose. But what this agency does serve up .ga domain names according to this page. So what I think is going on is someone is registering what are essentially “disposable” domains to run the scam. They then set up an email to send out these scam emails. That’s kind of crafty. Who’s doing this? I haven’t got a clue. But I figure that bringing this to light will make it more difficult for the whomever is behind it to try this again.


10 Responses to “A Follow Up To The Latest Extortion Phishing Scam Emails”

  1. So it is a scam then and I have nothing to worry about?

  2. I Received “Last Chance” email on Sunday from ferdinand123@f.anonymous-observer.ga

  3. I have received the same threat email yesterday again! When will they stop? I have installed anti-virus app and does that mean my computer is still not safe? It’s so disturbing.

    • No. Your system is fine. Remember that these are scam emails. They are basically using guilt to try and get you to pay them. They have nothing on you and they have no control over your computer. In other words, they are lying to you. You are doing all the right things and have nothing to worry about.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: