The IT Nerd

It’s been a while since I have written about extortion phishing scams. But three new ones have appeared and one of them is potentially dangerous.

Let’s start with the dangerous one. The scumbags behind this one are now utilizing a new extortion email campaign that claims the recipient’s phone was hacked, includes a partial phone number of the recipient, and further states that they created videos using the recipient’s webcam. Here’s an example:

@It seems that, 14, *last two digits your phone-
\You may not know me and you are probably wondering why you are getting this e mail, right?-

!actually, I setup a malware on the adult vids (porno) web-site and guess what*
@you visited this site to have fun (you know what I mean).(
^While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop)(
&having a keylogger which gave me accessibility to your screen and web cam.*
@after that, my software program obtained all of your contacts, phone and email.\

_What did I do?(

!I backuped phone. All photo, video and contacts.+
!I created a double-screen video./
&1st part shows the video you were watching (you’ve got a good taste haha . . .)$
%and 2nd part shows the recording of your web cam.=

+exactly what should you do?/

#Well, in my opinion, 809$ is a fair price for our little secret.\
=You’ll make the payment by +Bitcoin% (if you do not know this$ search !how to buy bitcoin& in Google)._

-Bitcoin^ Address:

<BITCOIN ADDRESS REDACTED>

%(It is cAsE sensitive, so copy and paste it)*

%Important:
!You have 45 hours in order to make the payment.\
%(I’ve a unique pixel in this e mail, and at this moment I know that you have read through this email message)-
\If I do not get the !BitCoins+
%I will certainly send out your video recording to all of your contacts%
@Having said that, if I receive the payment, I’ll destroy the video immidiately._
)If you need evidence, reply with “Yes!*

-If I find that you have shared this message with someone else$
)the video will be immediately distributed.=

Now the person who got this email told me that the last two digits of his phone number were accurate. Thus he wondered if he had been hacked. But I can say that after examining his computer and phone, that he had not been hacked. But clearly this is a new method to convince the recipient that they have been hacked and it has replaced displaying a password to do the same thing.

The thing is, it’s really easy to get the last two digits of someone’s phone number. The most logical way that these scammers are getting these numbers is via it may password or account recovery functionality such as the one from Gmail or the one from Microsoft. There have been data leaks in the past that only contained partial phone numbers as well, But the bottom line is that you have not been hacked.

The second is aimed at companies. It’s pretty low level and not very sophisticated. Here’s a copy of what one of my clients got:

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We Hacked You Infrastructure.
We Caught Possible Communication.
We Backuped Available DATA And DOCUMENTS.
That you trusting our words, we send this mail to you with YOUR account.

After analyzing documents. We see your Illegal activity. HIDING TAXES.

That we do NEXT.
I want two (2) Bitcoin

if you don’t pay fees. To my wallet Bitcoin.

<BITCOIN ADDRESS REDACTED>

We want send this Documents and Proofs to your Tax Departament.
And in this time Your network will be DDoS.
Read that in this link
https://en.wikipedia.org/wiki/Denial-of-service_attack

This is our guarantee, that you don’t clean evidence and build a protection policy.

If you don’t pay by in 7 days, attack will start.
Yours service going down permanently and price to stop will increase to Four (4) BTC,
Price will go up one (1) BTC for every day of the attack.

This is not a joke.

Our attacks are extremely powerful – sometimes over 1 Tbps per second.
And we pass CloudFlare and others remote protections!
So, no cheap protection will help.

Prevent it all with just Two (2) BTC
To my wallet Bitcoin.

<BITCOIN ADDRESS REDACTED>

Pay strict sum. This is your identification. And we will know that its you.
AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know
you cooperated.

Time started after open this mail.
To track the reading of a message and the actions in it, I use the facebook pixel.
Read that in this link
https://www.facebook.com/business/help/898185560232180?helpref=faq_content

There’s nothing here that is interesting. Such as passwords that the user has used, or a partial phone number like the previous scam. Thus this scam is purely trying to take advantage of the fact that a company might not have paid their taxes. And that they can track that you opened this email using Facebook Pixel. Which for the record when I examined the email it showed no evidence that Facebook Pixel was in use. #Fail. I seriously doubt that this will get this scammer anything.

Finally, there are new scams that utilize QR codes to direct you to their Bitcoin wallet so that you can pay them. The QR code has the amount that you have to pay as well which is kind of clever.

I took screenshots of the text that the recipient gets:

Below that is a QR Code that goes to a Bitcoin wallet . I am not reposting the QR code as I don’t want to give these scumbags any more time than I need to. Other than that, it’s the usual extortion phishing scam that we’ve seen for the last little while.

If you come across any of these scams, you know what to do. Simply delete them and move on with your life.

I was at a client location today when my iPhone rang. It was a 408 number which is out of  San Jose CA. Seeing as I have a number of companies that I deal with in that corner of the planet, I answered the phone but heard nothing on the other end. So I hung up. Ten seconds later the same number calls back. Again I answered it but again I heard nothing on the other end so I hung up. No further calls came.

Now I was tempted to phone them back. But then I remembered that I wrote about this scam which is called the “one ring” scam before and you can see that story here. But in short, the scam counts on you phoning the number back because you’ll then be billed a pile of money a minute. Now the last time I had heard of this scam, the calls were coming from the country codes of 235 (Chad), 232 (Somalia), 269 (Comoros), strangely 573 (A Missouri area code, but it is possible that it is country code 57 which is Colombia) and 267 (Botswana). So having a number coming from a US area code would be a new angle to this scam. Thus out of an abundance of caution, I reached out to my cellular provider which is TELUS with this:

Their reply came within minutes:

Now this is a great response to my question. Not only did TELUS get back to me quickly and confirm that this was likely a Wangiri or One Ring scam. But they also provided me with a resource so that I could be educated on how to protect myself. Now that is top shelf service. Kudos to TELUS for that.

In any case, since I did not phone the number back, which means that I should be in the clear. But as a just in case thing I blocked the number. Though I strongly suspect that the number was spoofed which means that blocking the number may not make any difference as the spoofed number will likely change.

I’m going to keep a close eye on my next phone bill at the end of the month to ensure that nothing in terms of spurious charges makes it way on there. And I will be on guard for further attempts to execute this scam. You should be on guard as well as clearly the “one ring” scam is back. And to help to keep you safe, I will not only point to my original story on this, but to the write up by TELUS as both have tips to protect yourself.

You may recall that I have done a pair of stories a new extortion phishing scam that was brought to my attention. Now while the emails themselves are kind of lame. I decided to delve into them a bit more to figure out where they were coming from. One of the things that I did was look at the headers of the emails in question as they have all sorts of useful information. In the second one, I saw this:

Received: ⁨from mx.c.anonymousobserver.ga ([159.203.72.137]:56230) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <raguel-195@c.anonymousobserver.ga>) id 1glTYW-0005Bn-25 for nerd@theitnerd.ca; Mon, 21 Jan 2019 01:59:44 -0500⁩

Received: ⁨from [127.0.0.1] (mx.c.anonymousobserver.ga [127.0.0.1]) by mx.c.anonymousobserver.ga (Postfix) with ESMTP id 43jhwd5F8Lz502M for <nerd@theitnerd.ca>; Mon, 21 Jan 2019 06:49:04 +0000 (UTC)⁩

And in the first one, I saw this:

Received: ⁨from mx.d.anonymous-hacking.ga ([178.128.117.242]:39250) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <leon_287@d.anonymous-hacking.ga>) id 1gkLCk-00077y-5l for nerd@theitnerd.ca; Thu, 17 Jan 2019 22:52:28 -0500⁩

Received: ⁨from [127.0.0.1] (mx.d.anonymous-hacking.ga [127.0.0.1]) by mx.d.anonymous-hacking.ga (Postfix) with ESMTP id 43gmN72blHz4fXV for <nerd@theitnerd.ca>; Fri, 18 Jan 2019 03:17:42 +0000 (UTC)⁩

I bolded the most relevant parts of this which is the sending servers .They are different. But not as much as you would think. I then ran a whois command on both domains unsurprisingly, they came back very similar:

So Gabon is on the west coast of Central Africa. Located on the equator. But the key thing is that both domains appear to be registered to the “Agence Nationale des Infrastructures Numériques et des Fréquences” which according to this LinkedIn page (translated into English) does this:

The National Agency for Digital Infrastructures and Frequencies (ANINF), a government agency in Gabon, is an instrument that is part of the national strategy for digital development in Gabon.

The ANINF declines, through its sovereign missions, by the development of digital infrastructure throughout the national territory, the harmonious management of the frequency spectrum, the coherent development of e-Government applications, management and control resources related to IT, audiovisual and telecommunication investments in the Republic of Gabon.

That’s interesting. But I don’t see a government agency running an extortion phishing scam. Though anything is possible I suppose. But what this agency does serve up .ga domain names according to this page. So what I think is going on is someone is registering what are essentially “disposable” domains to run the scam. They then set up an email to send out these scam emails. That’s kind of crafty. Who’s doing this? I haven’t got a clue. But I figure that bringing this to light will make it more difficult for the whomever is behind it to try this again.

It seems that the person who sent me this extortion phishing email got a follow up to that. And it isn’t particularly creative. And like the last one a warning as some contents may be a bit graphic for some:

LAST WARNING [EMAIL ADDRESS REDACTED] !

You have the last chance to save your social life – I am not kidding!!

I give you the last 72 hours to make the payment before I send the video with your masturbation to all your friends and associates.

The last time you visited a erotic website with young Teens, you downloaded and installed the software I developed.

My program has turned on your camera and recorded your act of Masturbation and the video you were masturbating to.

My software also downloaded all your email contact lists and a list of your Facebook friends.

I have both the ‘[FILENAME REDACTED].mp4’ with your masturbatio and a file with all your contacts on my hard drive.

You are very perverted!

If you want me to delete both files and keep your secret, you must send me Bitcoin payment. I give you the last 72 hours.

If you don’t know how to send Bitcoins, visit Google.

Send 2000 USD to this Bitcoin address immediately:

[BITCOIN ADDRESS REDACTED]

(copy and paste)

1 BTC = 3470 USD right now, so send exactly 0.581065 BTC to the address above.

Do not try to cheat me!

As soon as you open this Email I will know you opened it.

This Bitcoin address is linked to you only, so I will know if you sent the correct amount.

When you pay in full, I will remove both files and deactivate my software.

If you don’t send the payment, I will send your masturbation video to ALL YOUR FRIENDS AND ASSOCIATES from your contact list I hacked.

Here are the payment details again:

Send 0.581065 BTC to this Bitcoin address:

—————————————-

[BITCOIN ADDRESS REDACTED]

—————————————-

You саn visit the police but nobody will help you.

I know what I am doing.

I don’t live in your country and I know how to stay anonymous.

Don’t try to deceive me – I will know it immediately – my spy ware is recording all the websites you visit and all keys you press.

If you do – I will send this ugly recording to everyone you know, including your family.

Don’t cheat me! Don’t forget the shame and if you ignore this message your life will be ruined.

I am waiting for your Bitcoin payment.

Raguel

Anonymous Hacker

P.S. If you need more time to buy and send 0.581065 BTC, open your notepad and write ’48h plz’. I will consider giving you another 48 hours before I release the vid, but only when I really see you are struggling to buy bitcoin.

Now I know it’s the same slimeball or group of slimeballs behind this because both emails came from the same domain which is d.anonymous-hacking.ga. Except that the domain doesn’t exist. So that’s a lie. I’ll be doing some work to find out the real source of this today and post an update. The rest of this email is a near carbon copy of the last one. Except that it is signed as follows:

Raguel

Anonymous Hacker

If you post your name, how can you be anonymous? I get it is likely a fake name. But that seems pretty dumb as it affects the credibility of this email. Seeing as its not credible, it’s yet another scam email that you should delete should you receive it. Expect an update when I trace back where these slimeballs are from.

UPDATE: Another thing that I noted is that the the above email and the one that came before it have different Bitcoin addresses in them. So that makes the sentence “This Bitcoin address is linked to you only, so I will know if you sent the correct amount.” is another lie as you would think they would be the same. It also further highlights that this email is bogus.

UPDATE #2: Here is an update to this story with additional details.

A lot of the extortion phishing emails that people send me are well crafted. This isn’t one of them. Here we go with this latest one:

Dear Maureen Prigent

Now we аre reаllу clоsе-  ( uQH  ) frоm vps numero:3447
_____________________________________________________________

Wе will nоt laugh аt уоur weaknеsses. Rеаd this lettеr attеntivеlу. Mу сrew will not ruin уоur lifе if yоu go tо а dеаl with us.

You cаn find a lоt of vаrious rulеs аbоut seсuritу on thе intеrnet: using vpn , download aсtual аntivirus bаsе; hide web сameras with a adhesivе tаpe… In your оpinion it is nоt neсessary.

I cоunted morе than 900 victims that were infeсtеd bу my private сomputеr wоrm.

It was implеmented оn fаked sitе with flash plug-in. Usеrs instаlled everything and didnt surmise something bad, as you knоw this plug-in shоuld bе installed on all deviсеs tо plаy vidеo files.

Yоu wеrе not eхceptiоn and now alsо havе big prоblеms.

My built-in pаrser rеsponded tо уour requests for pоrn sites. Dirесtlу аftеr the plaу buttоn was pushеd thе maliсious sоft асtivаted thе wеb-cаmera to catсh yоu саressing yоur bоdy. Latеr mу virus sent the link of thе video thаt уou opеned оn yоur сomputer. With fоrmgrabber demolished historу and got аll passwords frоm yоur social mediа that werе visited sinсе lаst Monday. I mаdе а соpу of thе сontасt list of уour friеnds, cоllеgues and relаtivеs.

Lеt’s sum up the results: I got vid with уоu paying with уourself, contасt list with уour friends, соlleguеs and rеlativesаnd rеcord which yоu оpened on the cоmputеr.

You cаn help уоurself just send mе 500 unitеd stаtеs dоllars in btс сrуptоcurrenсy.
Pay hеre –

[BITCOIN ADDRESS REDACTED]

Think better: bе a star аmоng friends оr pау this little sum not tо lоse уоur hаbitual life.
Yоu cаn сomplаin cоps, but thеу саn not find us. I use bоt nеtwоrk, alsо we livе аbrоаd. IP in a heаder is nоt mine.
If уou hаvе sоme prоblеms write mе bаck.
Think twice.

I can’t even begin to describe how bad this is. Forget the grammar which is horrific and shambolic. The name that I left intact at the start of the email isn’t even the name of the person who sent me this email. There’s nothing here that would convince anyone one to pay up. Whomever came up with this email is really, really, stupid. At the end of the day, this is yet another scam email that you should delete should you receive it. And to those who wrote this email, I have a message for you. You suck.

I have yet another extortion phishing email that I would like to share with you. This particular one is not very sophisticated and not all that good. Which illustrates that the people behind it aren’t all that bright. But it may still fool someone into handing over their hard earned money to a low rent loser who doesn’t deserve it. So here it is. And a warning. This particular email may be a bit graphic for some:

THIS IS NOT A JOKE – I AM DEAD SERIOUS!

Hi perv,

The last time you visited a p0rnographic website with teens, you downloaded and installed software I developed.

My program has turned on your camera and recorded the process of your masturbation.

My software has also downloaded all your email contact lists and a list of your friends on Facebook.

I have both the ‘[NAME OF USER REDACTED].mp4’ with your masturbation as well as a file with all your contacts on my hard drive.  

You are very perverted!

If you want me to delete both the files and keep the secret, you must send me Bitcoin payment. I give you 72 hours for payment.

If you don’t know how to send Bitcoins, visit Google.

Send 2.000 USD to this Bitcoin address immediately:          

[BITCOIN ADDRESS REDACTED]

(copy and paste)

1 BTC = 3,580 USD right now, so send exactly 0.564038 BTC to the address provided above.

Do not try to cheat me!

As soon as you open this Email I will know you opened it.

 This Bitcoin address is linked to you only, so I will know if you sent the correct amount.

When you pay in full, I will remove the files and deactivate my program.

If you don’t send the payment, I will send your masturbation video to ALL YOUR FRIENDS AND ASSOCIATES from your contact list I hacked.

Here are the payment details again:

Send 0.564038 BTC to this Bitcoin address:

—————————————-

[BITCOIN ADDRESS REDACTED]

—————————————-

You саn visit police but nobody will help you. I know what I am doing.

I don’t live in your country and I know how to stay anonymous.

Don’t try to deceive me – I will know it immediately – my spy ware is recording all the websites you visit and all keys you press. If you do – I will send this ugly recording to everyone you know, including your family.

Don’t cheat me! Don’t forget the shame and if you ignore this message your life will be ruined.

I am waiting for your Bitcoin payment.

If you need more time to buy and send 0.564038 BTC, open your notepad and write ’48h plz’. I will consider giving you another 48 hours before I release the vid       

Anonymous Hacker

So, they’re trying to use the same playbook of using shame and embarrassment to get you to pay up. The low rent losers behind this email don’t offer up any proof and it looks like a form letter of sorts as the name of the video is the user name of the email address that this email was sent to. The only thing different is that they use explicit language and introduce the implication that the victim was looking at teen porn which is illegal in most places on Earth, or at least frowned upon. But beyond all of this, this is yet another scam email that you should delete should you receive it. And a message for the low rent losers behind this scam email. Your email is a #fail and nobody will fall for it. Especially after this post starts to circulate.

UPDATE: These same scumbags sent the reader in question a second email. Click here to see it.