A Follow Up To The Latest Extortion Phishing Scam Emails

You may recall that I have done a pair of stories on a new extortion phishing scam that was brought to my attention. While the emails themselves are kind of lame, I decided to delve into them a bit more to figure out where they were coming from. One of the things that I did was look at the headers of the emails in question, as they contain all sorts of useful information. In the second one, I saw this:

Received: from mx.c.anonymousobserver.ga ([159.203.72.137]:56230) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <raguel-195@c.anonymousobserver.ga>) id 1glTYW-0005Bn-25 for nerd@theitnerd.ca; Mon, 21 Jan 2019 01:59:44 -0500

Received: from [127.0.0.1] (mx.c.anonymousobserver.ga [127.0.0.1]) by mx.c.anonymousobserver.ga (Postfix) with ESMTP id 43jhwd5F8Lz502M for <nerd@theitnerd.ca>; Mon, 21 Jan 2019 06:49:04 +0000 (UTC)

And in the first one, I saw this:

Received: from mx.d.anonymous-hacking.ga ([178.128.117.242]:39250) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <leon_287@d.anonymous-hacking.ga>) id 1gkLCk-00077y-5l for nerd@theitnerd.ca; Thu, 17 Jan 2019 22:52:28 -0500

Received: from [127.0.0.1] (mx.d.anonymous-hacking.ga [127.0.0.1]) by mx.d.anonymous-hacking.ga (Postfix) with ESMTP id 43gmN72blHz4fXV for <nerd@theitnerd.ca>; Fri, 18 Jan 2019 03:17:42 +0000 (UTC)

I bolded the most relevant parts of this, which are the sending servers. They are different, but not as much as you would think. I then ran a whois command on both domains and, unsurprisingly, they came back very similar:

[Screenshots: whois output for both domains, taken 2019-01-22]

So Gabon is on the west coast of Central Africa, located on the equator. But the key thing is that both domains appear to be registered to the “Agence Nationale des Infrastructures Numériques et des Fréquences”, which according to this LinkedIn page (translated into English) does this:

The National Agency for Digital Infrastructures and Frequencies (ANINF), a government agency in Gabon, is an instrument that is part of the national strategy for digital development in Gabon.

The ANINF carries out its sovereign missions through the development of digital infrastructure across the national territory, the harmonious management of the frequency spectrum, the coherent development of e-Government applications, and the management and control of resources related to IT, audiovisual and telecommunication investments in the Republic of Gabon.

That’s interesting. But I don’t see a government agency running an extortion phishing scam, though anything is possible I suppose. What this agency does do is serve up .ga domain names, according to this page. So what I think is going on is that someone is registering what are essentially “disposable” domains to run the scam, then setting up email on them to send out these scam emails. That’s kind of crafty. Who’s doing this? I haven’t got a clue. But I figure that bringing this to light will make it more difficult for whomever is behind it to try this again.
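To show how the header check described above can be repeated on any message, here is an added Python example (not code from the post) that pulls the origin host, IP and envelope sender domain out of the Received: lines quoted above and confirms that the sender's own relay line agrees with the hop our server recorded. The sample headers are the post's, embedded here as constructed test data; the `registrable()` helper is a simplification I assumed for .ga-style two-label domains.

```python
import ipaddress
import re

# Constructed sample input: the Received: lines quoted in the post, top line first.
# Only the top line (added by the receiving server) records a hop that server saw.
SAMPLES = {
    "first": [
        "Received: from mx.d.anonymous-hacking.ga ([178.128.117.242]:39250) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <leon_287@d.anonymous-hacking.ga>) id 1gkLCk-00077y-5l for nerd@theitnerd.ca; Thu, 17 Jan 2019 22:52:28 -0500",
        "Received: from [127.0.0.1] (mx.d.anonymous-hacking.ga [127.0.0.1]) by mx.d.anonymous-hacking.ga (Postfix) with ESMTP id 43gmN72blHz4fXV for <nerd@theitnerd.ca>; Fri, 18 Jan 2019 03:17:42 +0000 (UTC)",
    ],
    "second": [
        "Received: from mx.c.anonymousobserver.ga ([159.203.72.137]:56230) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <raguel-195@c.anonymousobserver.ga>) id 1glTYW-0005Bn-25 for nerd@theitnerd.ca; Mon, 21 Jan 2019 01:59:44 -0500",
        "Received: from [127.0.0.1] (mx.c.anonymousobserver.ga [127.0.0.1]) by mx.c.anonymousobserver.ga (Postfix) with ESMTP id 43jhwd5F8Lz502M for <nerd@theitnerd.ca>; Mon, 21 Jan 2019 06:49:04 +0000 (UTC)",
    ],
}

# "from <host> (<info>) by <relay>"; the relay may be a bracketed placeholder.
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\[[^\]]*\]|\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENV_RE = re.compile(r"envelope-from\s+<[^@>]+@(?P<dom>[^>]+)>")

def parse_hop(line):
    # One Received: line -> sending host, its IP, the relay that wrote it, envelope domain.
    m = HOP_RE.search(line)
    if not m:
        raise ValueError("unrecognised Received: line: " + line[:60])
    ip_m = IP_RE.search(m.group("host") + " " + m.group("info"))
    env_m = ENV_RE.search(line)
    return {"host": m.group("host").strip("[]"), "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by"), "envelope_domain": env_m.group("dom") if env_m else None}

def registrable(hostname):
    # Last two labels (mx.c.anonymousobserver.ga -> anonymousobserver.ga); an assumed
    # simplification that ignores multi-label public suffixes such as co.uk.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def analyze(received_lines):
    # The hop our own server recorded is the origin; the hop below it was written by
    # the sender's relay, so check it names the same machine (a mismatch hints at forgery).
    external = parse_hop(received_lines[0])
    internal = parse_hop(received_lines[1]) if len(received_lines) > 1 else None
    ip = ipaddress.ip_address(external["ip"])
    return {
        "origin_host": external["host"],
        "origin_ip": str(ip),
        "origin_is_public": ip.is_global,
        "sender_domain": registrable(external["envelope_domain"] or external["host"]),
        "relay_consistent": internal is not None and internal["by"] == external["host"],
    }
```

Running `analyze()` on both samples yields two different public IPs and hostnames but the same .ga parent, which is exactly the pattern that sent the post to whois.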

15 Responses to “A Follow Up To The Latest Extortion Phishing Scam Emails”

  1. So it is a scam then and I have nothing to worry about?

    • You have nothing to worry about.

      • Nothing happens when the time is due?

      • Nothing ever happens with any of these scams.

      • Btw, I have downloaded spyhunter and found something called “trojan” and a bunch of other malware, I guess it’s how they got our info.

      • My research has suggested that they come from data breaches and the resulting lists of email addresses that start to get sold on the dark web after such breaches. By the way, might I suggest that you run a second AV app such as Malwarebytes to confirm that you don’t have anything else on your system.

  2. I Received “Last Chance” email on Sunday from ferdinand123@f.anonymous-observer.ga

  3. I have received the same threat email yesterday again! When will they stop? I have installed an anti-virus app; does that mean my computer is still not safe? It’s so disturbing.

    • No. Your system is fine. Remember that these are scam emails. They are basically using guilt to try and get you to pay them. They have nothing on you and they have no control over your computer. In other words, they are lying to you. You are doing all the right things and have nothing to worry about.

  4. Should I be concerned with the degree to which they had my password correct?

    • They likely got it through a data breach of some sort where passwords were leaked and are hoping that you used the same password on other sites. I would see what your exposure is by going to https://haveibeenpwned.com/ and entering your email address. I would also change the password of any site that uses that password as a precaution.

      • Okay thanks. I’ll do that now.

      • I figured that it was a hoax since I really can’t remember visiting a teen website. :-/ The password part is what had me concerned though. Have I Been Pwned has a pretty substantial list of sites I was pwned in. What a pain in the butt. I’d best get busy. Thanks again.

      • No worries. Glad I could help!
