
SANS ISC InfoSec Forums: Another sextortion email


Another sextortion email
For whatever it is worth, I received this the other day:

>>>
Return-Path: <huskydog@aurens.or.jp>
X-Original-To: **REDACTED**
Delivered-To: **REDACTED**
Received: from mail.aurens.or.jp (210.229.188.4.hotcn.ne.jp [210.229.188.4])
        (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by **REDACTED** (Postfix) with ESMTPS id 4EE679419E
        for <**REDACTED**>; Mon, 4 Feb 2019 05:13:07 -0800 (PST)
Received: from [220.198.86.109.triolan.net] (unknown [109.86.198.220])
        by mail.aurens.or.jp (Postfix) with ESMTP id 9D260D48D45
        for <**REDACTED**>; Mon, 4 Feb 2019 22:13:04 +0900 (JST)
X-Priority: 5 (Lowest)
List-ID: 5923pbwigql395uhqla3m54it6t list
        <gtbow3yejho42rnx7kjl8vg72.459983.list-id.aurens.or.jp>
List-Help: <http://vipbxkzhgrvw.com/me/qkcgk/qpcfpzlsajmw>
X-Sender: <huskydog@aurens.or.jp>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
Message-ID: <**REDACTED**>
X-Sender-Info: <huskydog@aurens.or.jp>
X-Complaints-To: <abuse@aurens.or.jp>
List-Unsubscribe:
        <**REDACTED**>
X-aid: 4548793549
To: **REDACTED**
Subject: This account has been hacked! Change your password right now!
Date: Mon, 4 Feb 2019 14:13:03 +0100
X-Abuse-Reports-To: abuse@mailer.aurens.or.jp
Abuse-Reports-To: abuse@aurens.or.jp
From: <**REDACTED**>
>>>

The Base64 decodes to:

>>>
You may not know me and you are probably wondering why you are getting this e mail, right?
I’m a hacker who cracked your email and devices a few months ago.

Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.
I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean).
While you were watching videos, your internet browser started out functioning as a RDP (Remote Control) having a keylogger which gave me accessibility to your screen and web cam.
After that, my software program obtained all information.

You entered a passwords on the websites you visited, and I intercepted it.
Of course you can will change it, or already changed it.
But it doesn’t matter, my malware updated it every time.
What did I do?

I backuped device. All files and contacts.
I created a double-screen video. 1st part shows the video you were watching (you’ve got a good taste haha . . .), and 2nd part shows the recording of your web cam.
exactly what should you do?
Well, in my opinion, $1000 (USD) is a fair price for our little secret. You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).
My Bitcoin wallet Address:
1K4JEY74c5puP86EPKo6HmNrB571kT8kG2
(It is cAsE sensitive, so copy and paste it)

Important:
You have 48 hour in order to make the payment. (I’ve a unique pixel in this e mail, and at this moment I know that you have read through this email message).
To track the reading of a message and the actions in it, I use the facebook pixel.
Thanks to them. (Everything that is used for the authorities can help us.) If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on.
>>>
Anonymous
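The headers above already tell the defender's story: the message entered via an open-looking relay at mail.aurens.or.jp, the hop below it came from 109.86.198.220, the envelope sender (Return-Path) is a third-party mailbox while the From: is forged to look like the recipient's own account, and the base64 body carries a Bitcoin address and the usual "48 hour" threat. The following script is an added example, not part of the forum post, that automates exactly that triage: it walks the Received chain bottom-up to find the originating IP, compares Return-Path and From: domains, decodes the base64 body and flags the sextortion pattern. The sample message is reconstructed from the headers quoted in the post; redacted values are replaced with placeholders in the .invalid TLD, and the body is re-encoded from a few sentences of the decoded text because the post's own base64 block was not preserved.

```python
import base64
import email
import re
from email import policy

# Constructed sample: headers from the post, redacted fields replaced with
# placeholders. Continuation lines are tab-folded as an MTA would emit them.
HEADERS = """\
Return-Path: <huskydog@aurens.or.jp>
Delivered-To: victim@example.invalid
Received: from mail.aurens.or.jp (210.229.188.4.hotcn.ne.jp [210.229.188.4])
\t(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
\t(No client certificate requested)
\tby mx.example.invalid (Postfix) with ESMTPS id 4EE679419E
\tfor <victim@example.invalid>; Mon, 4 Feb 2019 05:13:07 -0800 (PST)
Received: from [220.198.86.109.triolan.net] (unknown [109.86.198.220])
\tby mail.aurens.or.jp (Postfix) with ESMTP id 9D260D48D45
\tfor <victim@example.invalid>; Mon, 4 Feb 2019 22:13:04 +0900 (JST)
X-Priority: 5 (Lowest)
List-Help: <http://vipbxkzhgrvw.com/me/qkcgk/qpcfpzlsajmw>
X-Sender: <huskydog@aurens.or.jp>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
To: victim@example.invalid
Subject: This account has been hacked! Change your password right now!
Date: Mon, 4 Feb 2019 14:13:03 +0100
From: <victim@example.invalid>
"""

# Constructed body: a few sentences of the decoded scam text, re-encoded below
# because the original base64 block was not preserved.
BODY_TEXT = (
    "I'm a hacker who cracked your email and devices a few months ago.\n"
    "While you were watching videos, your internet browser started out functioning "
    "as a RDP having a keylogger which gave me accessibility to your screen and web cam.\n"
    "Well, in my opinion, $1000 (USD) is a fair price for our little secret. "
    "You'll make the payment by Bitcoin.\n"
    "My Bitcoin wallet Address:\n1K4JEY74c5puP86EPKo6HmNrB571kT8kG2\n"
    "You have 48 hour in order to make the payment.\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MAILBOX_RE = re.compile(r"[\w.+-]+@[\w.-]+")
# Legacy (P2PKH / P2SH) address shape; base58 alphabet excludes 0, O, I and l.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
KEYWORDS = ("hacker", "web cam", "keylogger", "bitcoin", "48 hour")


def build_raw_message() -> str:
    """Assemble the constructed RFC 5322 message with a base64 body wrapped at 76 columns."""
    b64 = base64.b64encode(BODY_TEXT.encode("utf-8")).decode("ascii")
    body_lines = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    return HEADERS + "\n" + "\n".join(body_lines) + "\n"


def parse_message(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg) -> list:
    """Hops oldest-first: Received headers are prepended by each MTA, so read bottom-up."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(header))   # collapse folding whitespace
        m_from = re.search(r"from (\S+)", text)
        m_by = re.search(r" by (\S+)", text)
        m_ip = IP_RE.search(text)                 # first bracketed literal IPv4 is the peer
        hops.append({"from": m_from.group(1) if m_from else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "by": m_by.group(1) if m_by else None})
    return hops


def originating_ip(msg):
    chain = received_chain(msg)
    return chain[0]["ip"] if chain else None


def header_mailbox(msg, name):
    value = msg.get(name)
    m = MAILBOX_RE.search(str(value)) if value else None
    return m.group(0) if m else None


def sender_mismatch(msg) -> bool:
    """True when the envelope sender domain differs from the From: domain, the
    tell of a forged From: (here the message claims to come from the recipient)."""
    rp, frm = header_mailbox(msg, "Return-Path"), header_mailbox(msg, "From")
    if not rp or not frm:
        return False
    return rp.split("@")[1].lower() != frm.split("@")[1].lower()


def decode_body(msg) -> str:
    """Undo the Content-Transfer-Encoding (base64 here) and the declared charset."""
    return msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")


def analyze(raw: str) -> dict:
    msg = parse_message(raw)
    body = decode_body(msg)
    addresses = BTC_RE.findall(body)
    keywords = [k for k in KEYWORDS if k in body.lower()]
    verdict = "likely sextortion" if addresses and len(keywords) >= 2 else "no match"
    return {"originating_ip": originating_ip(msg),
            "sender_mismatch": sender_mismatch(msg),
            "bitcoin_addresses": addresses,
            "keywords": keywords,
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyze(build_raw_message()).items():
        print(f"{key}: {value}")
```

The Received chain is only trustworthy down to the first hop your own MTA recorded; everything below it was written by the relay and can be forged, so the originating IP is an investigative lead, not proof. The Return-Path versus From: check is the piece worth wiring into mail filtering: a message whose From: is the recipient's own address but whose envelope sender and authenticated relay belong to an unrelated domain should fail DMARC alignment, and that is the control that stops this "I sent this from YOUR account" trick.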
