Archive for Scam

A Follow Up To The Senior Who Was A Victim Of A Tech Support Scam

Posted in Commentary with tags on February 19, 2021 by itnerd

Earlier this week I detailed the story of a senior who fell victim to a tech support scam. These sorts of scams infuriate me as they target people who don’t know any better, or in this case they target people who are unable to defend themselves. Now there is good news, some areas for concern, and some bad news to report.

  • Let’s start with the good news. I did a second examination of her computer and found nothing “bad” on it, and it appears to be working fine. Thus I have to assume that after the scammer installed the remote access software, they put on “a dog and pony show” to convince her that her computer had serious issues.
  • Now to the areas of concern:
    • She got a phone call from what sounds to me like an automated system saying her credit card had two charges put on it, and she mentioned something about having to press one or two to approve or reject the transaction. She was unable to give me a better description than that. So I recommended that she call or visit her bank and have them review her transaction history with her to make sure that the scammers did not somehow get her credit card details.
    • One concern of mine was that they might have stolen documents and files off her computer. The remote access software had no logs for me to look at. So I am unable to answer that question and the possibility that she might be a victim of identity theft might still be on the table.
    • The bad news is that she didn’t have call display, and any other details that she provided to me were on the scant side. So I am unable to report this to the relevant authorities (more on that in a second) as there is simply not enough for them to work with. Thus these scumbags continue to roam free without having the relevant authorities hunting them down, or yours truly naming and shaming them.

One other thing, the scammer did call back. But she hung up on them and avoided engaging with them.

So that leads me to what you should do if you encounter this scam.

Fact: Microsoft, Apple, or Google would never call you to say that your computer is broken and it needs to be fixed. And I do mean NEVER. The exception might be your ISP as there’s a minute possibility that your ISP would call you if your computer has been infected with malware that could be sending out something from your computer. If a caller claims to be from your ISP, ask for the caller’s name, where his or her office is located, and for the office telephone number. Ask why you’re being contacted by telephone, what the issue with your computer is and how the ISP could tell it was your PC specifically that had a problem. If a call sounds legit, hang up and call the ISP yourself, then ask for the tech support department or for the person who called you specifically. Use a phone number listed on your ISP’s website or on your bill, not a number that the caller gave you. That way, you could confirm or deny if this is legit.

Now, if you get a call from a scammer, the best way to deal with them is to hang up. That’s it. Hang up and move on with your life. You can’t get scammed if you do not engage. But let’s say you did actually fall for this. You need to act fast. First, shut down the computer. Then do this:

  1. First download and install legitimate antivirus software. Then, run a scan to see if anything has been left behind. Then change the passwords on the user accounts on your PC. You don’t have passwords on the user accounts? You should, precisely for this reason. If you don’t feel comfortable doing any of these items, call an IT expert for help.
  2. If you gave the scammer your credit card number, then you really need to act fast. Call your credit card provider and either reverse the charges or cancel the card. Then you should also contact one of the three credit-reporting agencies, namely Equifax, Experian or TransUnion, and ask them to place a free 90-day credit alert on your file. For the record, Experian doesn’t operate in Canada but the other two do. The agency you contact will alert the others and you’ll be notified if someone tries to do something in your name.
  3. Report it. Microsoft has a Web page dedicated to reporting tech-support scams. The U.S. Federal Trade Commission has a website for fielding complaints, while the Canadian Anti-Fraud Center is the place to go if you’re in Canada.

As you can see, getting hit by a scammer is not a trivial matter. You need to be on your toes to avoid this sort of thing. If you are, then you should never have to worry about the negative effects of being scammed. I’ll continue to document these sorts of scams, and where possible I will name and shame the scumbags behind them. Plus I will provide details so that hopefully you will never be a victim.

I Find Myself Involved In Dealing With Another Tech Support Scam

Posted in Commentary with tags on February 17, 2021 by itnerd

Frequent readers of this blog know that I have documented a couple of tech support scams in the past. For those who are not familiar with this scam, someone claiming to be from Microsoft or Apple, or perhaps an ISP, calls to tell you that your computer is broken in some way. They will then convince you to connect to them remotely so that they can control your computer and fix whatever problem they claim you have. While doing this, they will ask you for a credit card number at the very least, or at worst they will steal information off your computer so that they can commit some form of identity theft. And that doesn’t take into account the possibility that they will simply trash your computer in some way. Clearly these guys are scumbags and I truly feel that they are the lowest forms of life on Earth that need to be exterminated.

In any case, this past Monday I got an email from a 90 year old client of mine with cognitive issues who got one of these calls and completely got sucked into letting them connect to her computer and do their evil work. I dropped everything that I was doing and raced over there to see what damage was done after telling her to turn off the PC.

Upon arriving at her home, I interviewed her to find out what the sequence of events was. She apparently got a call from the scammers, who were claiming to be from Microsoft, and over the next half hour she fumbled her way to getting them connected to her computer. During that process the scammers got frustrated and abusive, which from my research isn’t a surprise as they want to get in, scam you and get out as quickly as possible. Then for the next hour they showed her all the “errors” that her computer had. Then they made an appointment for the next day to fix all these “errors”. But due to her cognitive issues, she couldn’t give me many details. So I went about investigating her PC to see if I could figure out what they did.

I’m going to stop here for a moment and rant for a bit because scams like this make me very, very angry. Because of her cognitive issues, she’s the perfect target for this sort of scam. I say that because according to her she has a “Microsoft” computer and from her perspective if someone from “Microsoft” calls her to help her, she should listen to them and do what they say. I’ll explain why that isn’t true in a bit. And because of her cognitive issues, I can’t get the usual amount of information for me to hunt down the scumbags behind this and expose them to the world. Which means that the people behind this one might have gotten away with this. The key word being might, as I will do everything in my power to figure out who these scumbags are and expose them for what they are.

In any case, from what I can tell, they had the client download a piece of software called AnyDesk which is a commercially available piece of software that is typically used for remote access by IT help desks to help people in a company or for individuals to access a computer in their office from home. Using commercially available software is pretty typical behavior for these scammers as it adds some legitimacy to their scumbag activities and is not going to get flagged by antivirus software. I found a copy of AnyDesk in her download folder, and combined with some notes that she took and a Windows 7 (as she runs Windows 7) virtual machine, I was able to reverse engineer what they did to connect.

When you first run the application, you see this:

In the top left you will see a number which is 511 553 741. This is the code that the scammers use to connect to her computer from their copy of the software. I know this because on her notes, there was a set of numbers that I am guessing that she wrote down and then repeated to the scumbags.

The next box of interest is the “Set password unattended access…” box. On her notes, I saw “can12345”, which is not the most original password that I have seen. I assume that this was meant to set up her computer so that they could come into the computer, look around and steal stuff at will, assuming the computer was on. I also noted that they had configured the program to take total control of the computer and do anything they wanted.

The final box of interest is the “Install AnyDesk” box. I am going to guess that once the scammers connected, they pressed this button so that AnyDesk would be live and connected to the Internet without requiring a user to do anything. To make sure that they couldn’t do anything on that front, I uninstalled AnyDesk. I also examined the computer in a variety of ways and found no evidence that they did anything else. No backdoors, no viruses, nothing. Though I am going to be doing a second look at the computer today to make sure that there are no other issues lurking to cause trouble. But based on my initial look at her computer I think that they might have done some sort of “dog and pony show” to make her think that there were major problems with her computer and to suck her into letting them do more.

One thing that really got my interest is that they did not ask for her credit card details or her banking info. This is strange, as when I typically come across these scams, the scammers try to get these details up front. I can only see three possibilities for this:

  • They were going to get these details in the appointment that they scheduled for the next day. I told her to hang up on them when they called.
  • They were looking for details for identity theft.
  • Both of the above.

When I examine her computer again today, I will take a second look for evidence of any of this. I will post an update with what happens. But in the here and now, let me give you some advice in terms of avoiding being a victim of one of these scams. When I covered previous tech support scams that I investigated, I posted this advice which is still true today. But if you take away nothing else from this, remember that you will never, ever get a call from Apple, Google, or Microsoft to fix your computer. It will not happen. Thus if you get a call like this, hang up. That is guaranteed to make sure you are not a victim.

Expect a further update on this later today. As mentioned above, I am taking a second look to see if these scumbags did anything else, and I will be trying again to see if I can identify who they are so that I can name and shame them.

Do Not Fall For This Canada Emergency Response Benefit Text Message Scam

Posted in Commentary with tags on May 1, 2020 by itnerd

There’s a text scam involving the new Canada Emergency Response Benefit (CERB) that is meant to help Canadians who lose their job due to the COVID-19 pandemic that has turned our planet upside down. I first started to hear about it when the Canada Emergency Response Benefit was rolled out, but today this hit home for me as I got one of these scam messages. I took a screen shot of it for you:

I blanked out the URL that was included in the message. But when I clicked it, it took me to a site that asked me to pick my bank and asked me to enter my banking credentials. Clearly this is a phishing scam as no Canadian Government agency would ever ask you for any personal information in this manner. I did some research and I found that some versions of this scam also ask you for your SIN (Social Insurance Number) and your passport number. There’s even a variant that tries to install malware on your computer. That makes this scam highly dangerous. Thus if you get one of these messages, delete it and don’t click on the link and keep yourself safe.

The Extortion Phishing Email Scam Is Back…. Here’s How You Can Avoid Being A Victim

Posted in Commentary with tags on March 16, 2020 by itnerd

Over the last few days, I have been getting one of those extortion phishing emails that I have written about in the past. In short it claims to know one of my passwords, and it claims to have embarrassing videos of me that were gained via a hack of my computer that will get sent to friends and family if I don’t pay the scammers in Bitcoin. In other words, it’s the usual scam that has been around for a while now. Here’s the email with some info changed to protect my privacy:


Subject: <My Name> <One of my Passwords>

Yοur ρasswοrd ιs <One of my Passwords>. Ι knοw a lοτ mοre thngs abοut yοu τhaη thατ.

How?

I ρlαced a malwαre oη τhe pοrη websiτe αηd guess what, yοu νisιted thιs web siτe το hανe fuη (you kηοw whaτ I meaη). While yοu were waτchιηg τhe νιdeο, your web browser αcted αs αη RDP (Remοte Deskτορ) αnd α keylogger, whιch ρroided me access tο yοur displαy screen αηd webcam. Rιght αfter τhατ, my sοfτware gathered αll yοur conτacτs from yοur Messenger, Faceboοk αccοunt, αηd email αccοuητ.

Whaτ exacτly did Ι dο?

I mαde a spliτ-screeη νιdeο. The fιrst ρart recοrded τhe νιdeo you were vιewiηg (yοu’e got αn exceρτional ταsτe haha), αnd τhe next parτ recorded yοur webcαm (Yeρ! t’s yοu \ dοiηg nαsτy τhings!).

What should you dο?

Well, Ι belιeνe, $2000 is α faιr prιce for our lιτtle secreτ. Yοu’ll maκe τhe paymeηt νιa βιτcoin τo the belοw αddress (if yοu dοη’τ know this, search “hοw το buy Βιtcοin” in Goοgle).

Βιtcoin Address:

REDACTED Bitcoin Address
(It is cAsE seηsiτινe, sο cοpy αηd ρaste ιt)

Ιmpοrτaητ:

You haνe 24 hours to mαke τhe paymenτ. (Ι hαve α uηique pιxel wιthiη thιs emαil message, aηd rιght now I know τhat yοu have read this emαιl). Ιf I don’t get τhe ρaymeηt, Ι wιll seηd your νιdeο το all of your cοnτacts, includiηg relaτιves, cowοrκers, aηd so forτh. Noηetheless, ιf I do get pαid, I wιll erase τhe video immediaτely. If you wαnt eνιdeηce, reρly wιτh “Yes!” αnd Ι will send your νιdeο recordιηg τo yοur fινe frieηds. This is α nοη-negotιable offer, so don’t wasτe my τιme and yοurs by reρlyiηg to this emαil.

<Alleged Name Of Hacker>


Now the email shows up in your inbox under multiple names with multiple email addresses and different bitcoin wallet addresses. And they may show up in your inbox four or five times a day. But the content is always the same, including the weird letters in the text that you might have noticed. Now the password that they reference is likely to be one of your passwords. And they likely got it from a data breach that comprised email names, email addresses and passwords. You can find out which data breach by going to haveibeenpwned.com and typing in your email address. It will likely come back with the fact that you’ve been part of a data breach that includes your email address and password. But that’s all they know about you. The hope of the losers behind this scam is that this will be enough to get you to pay up.

The problem for the scammers is that this version of the extortion phishing scam will likely be ineffective. I say that because they will literally spam you to the point that these emails will go straight to your junk filter after a while. By that I mean you may get five or six of these a day. With that sort of volume a corporate or ISP email filter will eventually catch on and filter these out. Or your email application may do the same thing, assuming that you don’t mark the first one that you get as junk, which means that every one of these emails after that one will just get tossed into your junk or spam email folder. The net result is that you’ll never see these emails. Thus making their scam ineffective. But if you do see one or more of these emails pop up in your inbox, do yourself a favor and delete them. Something that I wish that I could do to the losers behind this scam and in the process make the world a better place.

Having said all of that, if you’re concerned about an email like this, and if you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. Another thing I am strongly suggesting to my clients is that they change the passwords to things like email, online banking and the like as a preventative measure. That way if they get an email like this, they will know it is fake immediately.

Only about 1% of people who get an email like this pay up. Thus these losers want you to be the 1% of people who fall for something like this because they make lots of money off that 1%. Don’t fall for this. Never respond to an email like this. Never pay up. Just ignore them and make sure that whatever password that they have isn’t in use by any of your online accounts. They are losers and don’t deserve your attention or more importantly your money.


SIM Swap Scams – How To Protect Yourself

Posted in Commentary with tags on March 12, 2020 by itnerd

Right now the newest way for scammers to separate you from your money is the SIM swap scam. Here’s how the scam works.

  • A fraudster gathers personal details about the victim, either by use of phishing emails, by buying them from organised criminals, or by directly socially engineering the victim.
  • Once the fraudster has obtained these details, they then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM. This is done, for example, by impersonating the victim using personal details to appear authentic and claiming that they have lost their phone.
  • Once this happens the victim’s phone will lose connection to the network and the fraudster will receive all the SMS and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via text or telephone calls sent to the victim, and thus to circumvent any security features of accounts that are associated with the phone, be they bank accounts, social media accounts, etc.

There have been a growing number of cases of this scam happening in Canada, the US and other places. I have heard of bank accounts being drained and the takeover of social media accounts. The most famous of these is the takeover of Twitter CEO Jack Dorsey’s Twitter account a few months ago.

Clearly this is a scam that you need to keep an eye on due to the impact that it can have on your life. The question is, how do you protect yourself from being a victim? To help with that, I reached out to TELUS as they have programs to help Canadians protect themselves online, most notably TELUS Wise. They were kind enough to point me to a number of tools on their website that can help guide consumers on how to protect themselves from scams in general. But they also provided a few tips specific to SIM swap scams:

  • Limit the amount of personal information about you online. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information.
  • Don’t add your phone number to any online accounts where it is not necessary.
  • Use strong and unique passwords for each of your accounts.
  • Set up authentication methods that aren’t text based only.
  • If you think something is awry and/or if you can’t make or receive phone calls on your device, contact your wireless provider immediately.
  • Report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501. Notify your bank and credit card companies. Contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada toll free: 1-800-465-7166 and TransUnion Canada toll free: 1-877-525-3823).

Besides the above, one other thing that I do recommend is that you set up a PIN or a security code with your wireless provider. That way if someone tries to access your account to try and pull off a SIM swap, they’ll run into a brick wall as they won’t have the PIN. TELUS offers this security feature (In fact, when I signed up with TELUS, I had to come up with a PIN on the spot), and I have to assume that other wireless providers do as well. Thus you should contact them to see how you can set this up on your account.

SIM swap scams are on the rise. But the good news is that by taking the above steps, you can reduce the risk that you will be a victim.


Here’s What To Expect From Today’s Rollout Of Tech To Block Nuisance Calls

Posted in Commentary with tags on December 19, 2019 by itnerd

Today is the day that Canadian telcos at the request of the CRTC are to start blocking scam/nuisance calls. Or at least try to do so as I am dubious that this will really solve the issue. But pushing my own skepticism aside, here’s a quick primer as to what to expect from this effort.

What telcos like Bell and Rogers are going to do starting today is automatically block calls based on the caller ID information using the following criteria.

  • Numbers with more than 15 digits.
  • Numbers that can’t be dialed (such as a string of letters or 000-000-0000).

The net result is that calls from those types of numbers will no longer make your phone ring. Telus is doing something entirely different though.

As an alternative, telcos can offer subscribers “filtering services” that provide more advanced call-management features, which is what Telus is doing for its wireless customers. I was looking for details on that from Telus and couldn’t find anything online. Thus I reached out to them for more information and this is what I got back via their Twitter support team:

Now here’s why none of these measures is going to make much of a difference from where I sit. They are only going to stop the low skilled scammers who for whatever reason can’t spoof numbers, meaning that they don’t forge their Caller ID information to make it look like the call is coming from a real number such as a government agency or the police in order to make you more likely to answer the call. And the majority of nuisance calls that most of us get are spoofed. Thus all that these efforts are likely to do is to thin the herd of scumbags just a tiny bit. Now spoofed numbers are to be addressed by the end of September 2020 by the rollout of additional tech to stop spoofing. But as I’ve written about previously, I am still dubious that even those efforts will make nuisance calls go away. But one could argue that any effort to cut down on the number of nuisance calls is better than making zero effort whatsoever.
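To make the blocking criteria concrete, here is an added Python example (my code, not from the post or from any telco) that applies them to a handful of constructed caller-ID strings. It goes one step beyond the post by also rejecting North American numbers whose area code or exchange starts with 0 or 1, which cannot be dialed under NANP numbering rules; that extension and the sample strings are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed caller-ID display strings for this example (not from the post).
SAMPLE_CALLER_IDS: List[str] = [
    "(408) 555-0199",       # well-formed NANP number, rings through
    "+1 613 555 0123",      # well-formed with country code, rings through
    "000-000-0000",         # the all-zeros example from the post
    "PRIVATE CALLER",       # string of letters, cannot be dialed
    "1234567890123456",     # 16 digits, over the 15-digit limit
    "(012) 555-0100",       # NANP area code may not start with 0 or 1
    "",                     # missing caller ID entirely
]


def digits_only(caller_id: str) -> str:
    """Strip the separators a display string may carry (spaces, dashes,
    dots, parentheses) and a leading plus sign, leaving the raw characters."""
    return re.sub(r"[\s\-.()]", "", caller_id).lstrip("+")


def block_reason(caller_id: str) -> Optional[str]:
    """Return why a caller ID would be blocked under the criteria the post
    lists, or None if it is well-formed and the call would be let through."""
    raw = digits_only(caller_id)
    if raw == "":
        return "empty caller ID"
    if not raw.isdigit():
        return "contains non-dialable characters"
    if len(raw) > 15:
        return "more than 15 digits"
    if set(raw) == {"0"}:
        return "all zeros"
    # Extension beyond the post (my assumption, based on NANP numbering rules):
    # in a 10-digit North American number neither the area code nor the
    # exchange may start with 0 or 1, so such a number cannot be dialed.
    national = raw[1:] if len(raw) == 11 and raw[0] == "1" else raw
    if len(national) == 10 and (national[0] in "01" or national[3] in "01"):
        return "invalid NANP area code or exchange"
    return None


def would_ring(caller_id: str) -> bool:
    """True when none of the blocking criteria fire."""
    return block_reason(caller_id) is None


def triage(caller_ids: List[str]) -> Dict[str, Optional[str]]:
    """Map each caller ID to its block reason (None = call rings through)."""
    return {cid: block_reason(cid) for cid in caller_ids}


if __name__ == "__main__":
    for cid, reason in triage(SAMPLE_CALLER_IDS).items():
        status = "rings" if reason is None else "blocked: " + reason
        print(f"{cid!r:22} -> {status}")
```

A spoofed but well-formed number passes every one of these checks, which is exactly the gap the post describes.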

I’d love to know if you notice a difference in terms of the number of nuisance calls that you get. Please leave a comment with your observations or reach out to me on Twitter with what you see.


THREE New Extortion Phishing Scams Are In The Wild

Posted in Commentary with tags on April 28, 2019 by itnerd

It’s been a while since I have written about extortion phishing scams. But three new ones have appeared and one of them is potentially dangerous.

Let’s start with the dangerous one. The scumbags behind this one are now utilizing a new extortion email campaign that claims the recipient’s phone was hacked, includes a partial phone number of the recipient, and further states that they created videos using the recipient’s webcam. Here’s an example:

@It seems that, 14, *last two digits your phone-
\You may not know me and you are probably wondering why you are getting this e mail, right?-

!actually, I setup a malware on the adult vids (porno) web-site and guess what*
@you visited this site to have fun (you know what I mean).(
^While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop)(
&having a keylogger which gave me accessibility to your screen and web cam.*
@after that, my software program obtained all of your contacts, phone and email.\

_What did I do?(

!I backuped phone. All photo, video and contacts.+
!I created a double-screen video./
&1st part shows the video you were watching (you’ve got a good taste haha . . .)$
%and 2nd part shows the recording of your web cam.=

+exactly what should you do?/

#Well, in my opinion, 809$ is a fair price for our little secret.\
=You’ll make the payment by +Bitcoin% (if you do not know this$ search !how to buy bitcoin& in Google)._

-Bitcoin^ Address:

<BITCOIN ADDRESS REDACTED>

%(It is cAsE sensitive, so copy and paste it)*

%Important:
!You have 45 hours in order to make the payment.\
%(I’ve a unique pixel in this e mail, and at this moment I know that you have read through this email message)-
\If I do not get the !BitCoins+
%I will certainly send out your video recording to all of your contacts%
@Having said that, if I receive the payment, I’ll destroy the video immidiately._
)If you need evidence, reply with “Yes!*

-If I find that you have shared this message with someone else$
)the video will be immediately distributed.=

Now the person who got this email told me that the last two digits of his phone number were accurate. Thus he wondered if he had been hacked. But I can say that after examining his computer and phone, that he had not been hacked. But clearly this is a new method to convince the recipient that they have been hacked and it has replaced displaying a password to do the same thing.

The thing is, it’s really easy to get the last two digits of someone’s phone number. The most logical way that these scammers are getting these numbers is via password or account recovery functionality such as the one from Gmail or the one from Microsoft. There have been data leaks in the past that only contained partial phone numbers as well. But the bottom line is that you have not been hacked.

The second is aimed at companies. It’s pretty low level and not very sophisticated. Here’s a copy of what one of my clients got:

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We Hacked You Infrastructure.
We Caught Possible Communication.
We Backuped Available DATA And DOCUMENTS.
That you trusting our words, we send this mail to you with YOUR account.

After analyzing documents. We see your Illegal activity. HIDING TAXES.

That we do NEXT.
I want two (2) Bitcoin

if you don’t pay fees. To my wallet Bitcoin.

<BITCOIN ADDRESS REDACTED>

We want send this Documents and Proofs to your Tax Departament.
And in this time Your network will be DDoS.
Read that in this link
https://en.wikipedia.org/wiki/Denial-of-service_attack

This is our guarantee, that you don’t clean evidence and build a protection policy.

If you don’t pay by in 7 days, attack will start.
Yours service going down permanently and price to stop will increase to Four (4) BTC,
Price will go up one (1) BTC for every day of the attack.

This is not a joke.

Our attacks are extremely powerful – sometimes over 1 Tbps per second.
And we pass CloudFlare and others remote protections!
So, no cheap protection will help.

Prevent it all with just Two (2) BTC
To my wallet Bitcoin.

<BITCOIN ADDRESS REDACTED>

Pay strict sum. This is your identification. And we will know that its you.
AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know
you cooperated.

Time started after open this mail.
To track the reading of a message and the actions in it, I use the facebook pixel.
Read that in this link
https://www.facebook.com/business/help/898185560232180?helpref=faq_content

There’s nothing here that is interesting, such as passwords that the user has used or a partial phone number like the previous scam. Thus this scam is purely trying to take advantage of the fact that a company might not have paid their taxes, and of the claim that they can track that you opened this email using Facebook Pixel. For the record, when I examined the email it showed no evidence that Facebook Pixel was in use. #Fail. I seriously doubt that this will get this scammer anything.

Finally, there are new scams that utilize QR codes to direct you to their Bitcoin wallet so that you can pay them. The QR code has the amount that you have to pay as well which is kind of clever.

I took screenshots of the text that the recipient gets:


Below that is a QR Code that goes to a Bitcoin wallet. I am not reposting the QR code as I don’t want to give these scumbags any more time than I need to. Other than that, it’s the usual extortion phishing scam that we’ve seen for the last little while.

If you come across any of these scams, you know what to do. Simply delete them and move on with your life.

It Seems That One Ring Scams Are Back

Posted in Commentary with tags on March 22, 2019 by itnerd

I was at a client location today when my iPhone rang. It was a 408 number which is out of San Jose CA. Seeing as I have a number of companies that I deal with in that corner of the planet, I answered the phone but heard nothing on the other end. So I hung up. Ten seconds later the same number calls back. Again I answered it but again I heard nothing on the other end so I hung up. No further calls came.

Now I was tempted to phone them back. But then I remembered that I wrote about this scam which is called the “one ring” scam before and you can see that story here. But in short, the scam counts on you phoning the number back because you’ll then be billed a pile of money a minute. Now the last time I had heard of this scam, the calls were coming from the country codes of 235 (Chad), 232 (Somalia), 269 (Comoros), strangely 573 (A Missouri area code, but it is possible that it is country code 57 which is Colombia) and 267 (Botswana). So having a number coming from a US area code would be a new angle to this scam. Thus out of an abundance of caution, I reached out to my cellular provider which is TELUS with this:

Their reply came within minutes:

Now this is a great response to my question. Not only did TELUS get back to me quickly and confirm that this was likely a Wangiri or One Ring scam. But they also provided me with a resource so that I could be educated on how to protect myself. Now that is top shelf service. Kudos to TELUS for that.

In any case, since I did not phone the number back, I should be in the clear. But just in case, I blocked the number. Though I strongly suspect that the number was spoofed, which means that blocking the number may not make any difference as the spoofed number will likely change.

I’m going to keep a close eye on my next phone bill at the end of the month to ensure that nothing in terms of spurious charges makes its way on there. And I will be on guard for further attempts to execute this scam. You should be on guard as well as clearly the “one ring” scam is back. And to help to keep you safe, I will not only point to my original story on this, but to the write up by TELUS as both have tips to protect yourself.

A Follow Up To The Latest Extortion Phishing Scam Emails

Posted in Commentary with tags on January 22, 2019 by itnerd

You may recall that I have done a pair of stories on a new extortion phishing scam that was brought to my attention. Now while the emails themselves are kind of lame, I decided to delve into them a bit more to figure out where they were coming from. One of the things that I did was look at the headers of the emails in question, as they have all sorts of useful information. In the second one, I saw this:

Received: from mx.c.anonymousobserver.ga ([159.203.72.137]:56230) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <raguel-195@c.anonymousobserver.ga>) id 1glTYW-0005Bn-25 for nerd@theitnerd.ca; Mon, 21 Jan 2019 01:59:44 -0500

Received: from [127.0.0.1] (mx.c.anonymousobserver.ga [127.0.0.1]) by mx.c.anonymousobserver.ga (Postfix) with ESMTP id 43jhwd5F8Lz502M for <nerd@theitnerd.ca>; Mon, 21 Jan 2019 06:49:04 +0000 (UTC)

And in the first one, I saw this:

Received: from mx.d.anonymous-hacking.ga ([178.128.117.242]:39250) by [RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <leon_287@d.anonymous-hacking.ga>) id 1gkLCk-00077y-5l for nerd@theitnerd.ca; Thu, 17 Jan 2019 22:52:28 -0500

Received: from [127.0.0.1] (mx.d.anonymous-hacking.ga [127.0.0.1]) by mx.d.anonymous-hacking.ga (Postfix) with ESMTP id 43gmN72blHz4fXV for <nerd@theitnerd.ca>; Fri, 18 Jan 2019 03:17:42 +0000 (UTC)

I bolded the most relevant parts of this, which are the sending servers. They are different, but not as different as you would think. I then ran a whois command on both domains and, unsurprisingly, they came back very similar:

[Screen shots of the whois output for both domains, taken 2019-01-22]

Gabon is on the west coast of Central Africa, located on the equator. But the key thing is that both domains appear to be registered to the “Agence Nationale des Infrastructures Numériques et des Fréquences”, which according to this LinkedIn page (translated into English) does this:

The National Agency for Digital Infrastructures and Frequencies (ANINF), a government agency in Gabon, is an instrument that is part of the national strategy for digital development in Gabon.

The ANINF declines, through its sovereign missions, by the development of digital infrastructure throughout the national territory, the harmonious management of the frequency spectrum, the coherent development of e-Government applications, management and control resources related to IT, audiovisual and telecommunication investments in the Republic of Gabon.

That’s interesting. But I don’t see a government agency running an extortion phishing scam. Though anything is possible, I suppose. What this agency does do is serve up .ga domain names, according to this page. So what I think is going on is that someone is registering what are essentially “disposable” domains to run the scam. They then set up email on them to send out these scam emails. That’s kind of crafty. Who’s doing this? I haven’t got a clue. But I figure that bringing this to light will make it more difficult for whomever is behind it to try this again.
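Reading a Received: chain by hand, as done above, gets tedious once there are more than a couple of messages. The script below is an added example and not code from the original post: it parses the two header pairs quoted above (retyped here as constructed sample data, with the post’s [REDACTED] placeholders kept), picks out the first hop with a public source address as the sending server, and compares that server’s domain with the envelope sender’s. The function names and the “last two labels” rule used for the registrable domain are this example’s own assumptions, not anything from the post.

```python
"""Trace the originating mail server from a message's Received: headers.

Added example, not code from the original post.  SAMPLES holds the two
header pairs quoted in the post, retyped as constructed sample data with the
post's own [REDACTED] placeholders kept.  parse_received(), trace_origin()
and registrable_domain() are this example's own names, and the "last two
labels" rule in registrable_domain() is a deliberate simplification that
does not consult the public suffix list.
"""
import ipaddress
import re

# Received: headers are listed most-recent-first: the top one was added by
# the receiving server, the one below it by the sender's own Postfix.
SAMPLES = {
    "second email": [
        "Received: from mx.c.anonymousobserver.ga ([159.203.72.137]:56230) by "
        "[RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) "
        "(Exim 4.80.1) (envelope-from <raguel-195@c.anonymousobserver.ga>) "
        "id 1glTYW-0005Bn-25 for nerd@theitnerd.ca; Mon, 21 Jan 2019 01:59:44 -0500",
        "Received: from [127.0.0.1] (mx.c.anonymousobserver.ga [127.0.0.1]) by "
        "mx.c.anonymousobserver.ga (Postfix) with ESMTP id 43jhwd5F8Lz502M for "
        "<nerd@theitnerd.ca>; Mon, 21 Jan 2019 06:49:04 +0000 (UTC)",
    ],
    "first email": [
        "Received: from mx.d.anonymous-hacking.ga ([178.128.117.242]:39250) by "
        "[RECEIVING EMAIL SERVER REDACTED] with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) "
        "(Exim 4.80.1) (envelope-from <leon_287@d.anonymous-hacking.ga>) "
        "id 1gkLCk-00077y-5l for nerd@theitnerd.ca; Thu, 17 Jan 2019 22:52:28 -0500",
        "Received: from [127.0.0.1] (mx.d.anonymous-hacking.ga [127.0.0.1]) by "
        "mx.d.anonymous-hacking.ga (Postfix) with ESMTP id 43gmN72blHz4fXV for "
        "<nerd@theitnerd.ca>; Fri, 18 Jan 2019 03:17:42 +0000 (UTC)",
    ],
}

# Matches both the Exim form  "from HOST ([IP]:PORT)"  and the Postfix form
# "from [IP] (RDNS [IP])".  The HELO and reverse-DNS names are what the sender
# claims; the bracketed IP is what the server writing the header actually saw.
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?\)"
)
BY_RE = re.compile(r"\bby\s+(?P<by>\[[^\]]+\]|\S+)")
ENVELOPE_RE = re.compile(r"envelope-from\s+<(?P<addr>[^>]+)>")


def parse_received(header):
    """Split one Received: header into the fields that matter for tracing."""
    m = FROM_RE.search(header)
    if m is None:
        raise ValueError("unrecognised Received: header: " + header[:60])
    by = BY_RE.search(header)
    env = ENVELOPE_RE.search(header)
    addr = ipaddress.ip_address(m.group("ip"))
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns") or m.group("helo"),
        "ip": str(addr),
        "by": by.group("by") if by else None,
        "envelope_from": env.group("addr") if env else None,
        # A loopback or private source address is a hop inside the sender's
        # own setup; it says nothing about where the mail entered the Internet.
        "internal": addr.is_loopback or addr.is_private,
    }


def trace_origin(headers):
    """Return the first hop (most-recent-first) whose source address is public.

    That hop is the sending MTA as the receiving server saw it.  Everything
    below it was written by the sender and can be forged, so it is never used
    for attribution here.
    """
    for hop in map(parse_received, headers):
        if not hop["internal"]:
            return hop
    return None


def registrable_domain(name):
    """Naive registrable domain: the last two labels (assumption: no PSL)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def origin_summary(samples):
    """Compare sending host, source IP and envelope sender across messages."""
    summary = {}
    for label, headers in samples.items():
        hop = trace_origin(headers)
        env_domain = registrable_domain(hop["envelope_from"].split("@", 1)[1])
        send_domain = registrable_domain(hop["helo"])
        summary[label] = {
            "ip": hop["ip"],
            "sending_host": hop["helo"],
            "sending_domain": send_domain,
            "envelope_domain": env_domain,
            "tld": send_domain.rsplit(".", 1)[-1],
            # A mismatch here is a common sign of a forged HELO or sender.
            "domains_match": send_domain == env_domain,
        }
    return summary


if __name__ == "__main__":
    for label, info in origin_summary(SAMPLES).items():
        print(label, info)
```

The one rule worth remembering from this is which header to believe: only the topmost Received: line was written by a server you control, so the script keys on the hop that server recorded and treats the Postfix line beneath it (which the sender wrote, and which could say anything) as untrusted context. Run on the two samples it reports two different source IPs and two different domains that nonetheless share the same .ga TLD, which is exactly the pattern the whois lookups above turned up.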

A Reader Gets A Second Extortion Phishing Email From The Same Group Of Slimeballs

Posted in Commentary with tags on January 21, 2019 by itnerd

It seems that the person who sent me this extortion phishing email got a follow up to that one. And it isn’t particularly creative. And like the last one, a warning: some of the contents may be a bit graphic for some readers:

LAST WARNING [EMAIL ADDRESS REDACTED] !

You have the last chance to save your social life – I am not kidding!!

I give you the last 72 hours to make the payment before I send the video with your masturbation to all your friends and associates.

The last time you visited a erotic website with young Teens, you downloaded and installed the software I developed.

My program has turned on your camera and recorded your act of Masturbation and the video you were masturbating to.

My software also downloaded all your email contact lists and a list of your Facebook friends.

I have both the ‘[FILENAME REDACTED].mp4’ with your masturbatio and a file with all your contacts on my hard drive.

You are very perverted!

If you want me to delete both files and keep your secret, you must send me Bitcoin payment. I give you the last 72 hours.

If you don’t know how to send Bitcoins, visit Google.

Send 2000 USD to this Bitcoin address immediately:

[BITCOIN ADDRESS REDACTED]

(copy and paste)

1 BTC = 3470 USD right now, so send exactly 0.581065 BTC to the address above.

Do not try to cheat me!

As soon as you open this Email I will know you opened it.

This Bitcoin address is linked to you only, so I will know if you sent the correct amount.

When you pay in full, I will remove both files and deactivate my software.

If you don’t send the payment, I will send your masturbation video to ALL YOUR FRIENDS AND ASSOCIATES from your contact list I hacked.

Here are the payment details again:

Send 0.581065 BTC to this Bitcoin address:

—————————————-

[BITCOIN ADDRESS REDACTED]

—————————————-

You саn visit the police but nobody will help you.

I know what I am doing.

I don’t live in your country and I know how to stay anonymous.

Don’t try to deceive me – I will know it immediately – my spy ware is recording all the websites you visit and all keys you press.

If you do – I will send this ugly recording to everyone you know, including your family.

Don’t cheat me! Don’t forget the shame and if you ignore this message your life will be ruined.

I am waiting for your Bitcoin payment.

Raguel

Anonymous Hacker

P.S. If you need more time to buy and send 0.581065 BTC, open your notepad and write ’48h plz’. I will consider giving you another 48 hours before I release the vid, but only when I really see you are struggling to buy bitcoin.

Now I know it’s the same slimeball or group of slimeballs behind this because both emails came from the same domain, which is d.anonymous-hacking.ga. Except that the domain doesn’t exist. So that’s a lie. I’ll be doing some work to find out the real source of this today and post an update. The rest of this email is a near carbon copy of the last one, except that it is signed as follows:

Raguel

Anonymous Hacker

If you post your name, how can you be anonymous? I get that it is likely a fake name. But that seems pretty dumb as it affects the credibility of this email. Seeing as it’s not credible, it’s yet another scam email that you should delete should you receive it. Expect an update when I trace back where these slimeballs are from.

UPDATE: Another thing that I noted is that the above email and the one that came before it have different Bitcoin addresses in them. So that makes the sentence “This Bitcoin address is linked to you only, so I will know if you sent the correct amount.” another lie, as you would think they would be the same. It also further highlights that this email is bogus.

UPDATE #2: Here is an update to this story with additional details.