Kitz ADSL Broadband Information
Author Topic: Blackmail email  (Read 939 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6557
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Blackmail email
« on: July 30, 2018, 11:10:54 AM »

I got this amazing email recently:

Code:
Return-Path: <nymarysaimi@outlook.com>
Delivered-To: weaver@weavers-email.com
Received: from g-hopeless.aa.net.uk ([::1])
by g-hopeless.aa.net.uk with LMTP id QKceEwgMUVtjKgAADvaTfA
for <weaver@weavers-email.com>; Thu, 19 Jul 2018 23:09:12 +0100
Received: from g-hopeless.aa.net.uk ([::1])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
by g-hopeless.aa.net.uk with LMTP id +LttEAgMUVtnAgAADvaTfA
; Thu, 19 Jul 2018 23:09:12 +0100
Delivery-date: Thu, 19 Jul 2018 23:09:12 +0100
Received: from mail-oln040092254027.outbound.protection.outlook.com ([40.92.254.27] helo=APC01-PU1-obe.outbound.protection.outlook.com)
by g-hopeless.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
(Exim 4.89)
(envelope-from <nymarysaimi@outlook.com>)
id 1fgH6j-0001PT-Li
for weaver@weavers-email.com; Thu, 19 Jul 2018 23:09:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=neB8kBzvV38jZ7LFQNXae98I3/v5HXTkGSEGRR85ojk=;
 b=Oy78xxYpamVRVMe3fyj6cufeoe0dp+ubm0Dv96GcsgAelP4/nNa9XoR4RFhCfEYPce05PufffesDkySyhOE/XIvq8q2dLsxb0csWLVJpC0bHapLYDUV9Q3t+Yjo/KXuorkHtJXAV6NB+Ssv/r5ZX6C9qMCZSMM4pmjj6H0UHm+a9qybKewEDHc8OTeTlPL070OlyRpY4UEyedKNZieuV5mylGj04kdYRR/GG6OXjt5Krj249ZbjgGkJAdmOxjSC/98e5QGAbXlIa1E/KsxNskAm0o3SdwPs/1WAd60eqMPT3NPeUo5HCFOw9mihuC3DfObQBzHuxxQqaN3oyDvZJRA==
Received: from PU1APC01FT060.eop-APC01.prod.protection.outlook.com
 (10.152.252.59) by PU1APC01HT232.eop-APC01.prod.protection.outlook.com
 (10.152.252.213) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.952.17; Thu, 19
 Jul 2018 22:08:58 +0000
Received: from SG2PR06MB2252.apcprd06.prod.outlook.com (10.152.252.57) by
 PU1APC01FT060.mail.protection.outlook.com (10.152.253.44) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.20.952.17 via Frontend Transport; Thu, 19 Jul 2018 22:08:57 +0000
Received: from SG2PR06MB2252.apcprd06.prod.outlook.com
 ([fe80::818a:e99a:1547:608a]) by SG2PR06MB2252.apcprd06.prod.outlook.com
 ([fe80::818a:e99a:1547:608a%13]) with mapi id 15.20.0973.018; Thu, 19 Jul
 2018 22:08:57 +0000
From: Cortese Little <nymarysaimi@outlook.com>
To: "weaver@weavers-email.com" <weaver@weavers-email.com>
Subject: weaver
Thread-Topic: weaver
Thread-Index: AQHUH60WxoxKfeHAHUOmfoDlzRr0hg==
Date: Thu, 19 Jul 2018 22:08:57 +0000
Message-ID: <SG2PR06MB2252D9A1880D9525CBAC8886B3520@SG2PR06MB2252.apcprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:3EEB35E89C979548F6E54A55BE187E3D68E0B7C60327F5675D55A00ADD5CC231;UpperCasedChecksum:831645FD340F8CB44A1C947486C713ECA02C52A5F7954AABA3894BE0BA991DB2;SizeAsReceived:6786;Count:43
x-tmn: [A2Cd70fYyJ6jWpd/RKLjn0acK6eZ+d/x]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;PU1APC01HT232;7:5Y0V24mW7AwHU5kwik9M3gLl8fChi8yUgFBGv8dSnLXSDb9jaixjMP4/Lk7LoZMHz/P3v6Jx3PVdtdrfL5xXLE+pHvsNHda9tKdCxjfzPoHCYUI8/b+irB46eckLrVu2E1im1nbcoY3hP95r94yeiaFUe4FQ8U4aCBlQbQWwGQMMjRrvxiYrK6MTyHhryriBjlcdNp5xj3SP72BpY+15HuICDlzBV4g/j7qh7QauxoYKt6iBd4vnJx9+4DjSOixS
x-incomingheadercount: 43
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125500)(1701031045);SRVR:PU1APC01HT232;
x-ms-traffictypediagnostic: PU1APC01HT232:
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(82015058);SRVR:PU1APC01HT232;BCL:0;PCL:0;RULEID:;SRVR:PU1APC01HT232;
x-forefront-prvs: 0738AF4208
x-forefront-antispam-report: SFV:NSPM;SFS:(7070007)(189003)(199004)(6346003)(25786009)(102836004)(26005)(104016004)(82202002)(14454004)(10156002)(56003)(2351001)(5250100002)(19627235002)(426003)(99286004)(256004)(2900100001)(2501003)(7696005)(486006)(86362001)(14444005)(476003)(33656002)(68736007)(87572001)(8936002)(97736004)(6916009)(1730700003)(8676002)(81156014)(5660300001)(74316002)(551544002)(305945005)(105586002)(5640700003)(20460500001)(6436002)(55016002)(106356001)(53906005)(21314002)(42262002);DIR:OUT;SFP:1901;SCL:1;SRVR:PU1APC01HT232;H:SG2PR06MB2252.apcprd06.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:;
received-spf: None (protection.outlook.com: outlook.com does not designate
 permitted sender hosts)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=nymarysaimi@outlook.com;
x-microsoft-antispam-message-info: auHXBqwQ1VEhZlo+7W27cU46Z1vntlGuSyz9GMEU8F1CyIGxoMu+cm4cCdlpssTZc5NG6ekX3kxXoJN5usHlAFAP97MqJXpF347yH5RdrahmawGpFdjwP78einlarAuAAE6NSkc+afojRr0AMK7kuFncaN67k4rfgm5BqB59Kwcra0dzn/sublATLpebitLz+0HFTY1/zgwfgc/aDW+nz3+jsyyhwj/l7TnyaD+hD5k=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 5dab7a8a-ebdc-4bd9-9cfd-67cde50b170b
X-MS-Exchange-CrossTenant-Network-Message-Id: 7403992b-0a78-4485-8259-08d5edc439aa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 5dab7a8a-ebdc-4bd9-9cfd-67cde50b170b
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2018 22:08:57.9173
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PU1APC01HT232
X-Message-Linecount: 103
X-Connected-IP: 40.92.254.27:56192
X-Body-Linecount: 45
X-Message-Size: 7244
X-Body-Size: 2580
X-Received-Count: 4
X-Recipient-Count: 1
X-Local-Recipient-Count: 1
X-Local-Recipient-Defer-Count: 0
X-Local-Recipient-Fail-Count: 0
X-Spam-Score: 1.9
X-Spam-Score-Int: 19
X-Spam-Bar: +
X-Spam-Report: Spam detection software, running on the system "a-spamless.aa.net.uk", has
 processed this message and it scored (1.9 points).
  pts  rule name              description
 ---- ---------------------- --------------------------------------------------
  0.2 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 [botnet_ipinhosntame,ip=40.92.254.27,rdns=mail-oln040092254027.outbound.protection.outlook.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  1.1 LOCALPART_IN_SUBJECT   Local part of To: address appears in Subject
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                             (nymarysaimi[at]outlook.com)
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5000]
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                             domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VERIFIED          No description available.
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
  0.0 RCVD_NOT_IN_IPREPDNS   Sender not listed at
                             http://www.chaosreigns.com/iprep/
X-Spam-Mark-Threshold: 3
X-Spam-Reject-Threshold: 4
X-Spam-User: weaver@weavers-email.com
X-Spam-Flag: NO
X-Resolved-To: weaver@weavers-email.com
X-Delivered-To: weaver@weavers-email.com
X-Message-Age: 3
X-SpamSubject:
X-AA-BETA: r=v_u m2=19 m3= m4= m5= m8= m9= reqint=30
X-AA: LMTP delivered

I am well aware facialharem one of your password. Lets get straight to purpose. You don't know me and you are most likely thinking why you're getting this email? There is no one who has paid me to investigate about you.

In fact, I actually placed a malware on the xxx streaming (sex sites) web site and do you know what, you visited this site to experience fun (you know what I mean). While you were viewing video clips, your browser started working as a Remote Desktop that has a keylogger which provided me access to your screen as well as web cam. Right after that, my software program obtained every one of your contacts from your Messenger, Facebook, and e-mail . Next I made a double-screen video. 1st part shows the video you were watching (you've got a fine taste haha . . .), and 2nd part shows the view of your web cam, yea it is u.

You do have just two solutions. Shall we study these types of choices in particulars:

1st alternative is to skip this email message. In this scenario, I am going to send your very own videotape to every single one of your personal contacts and also visualize concerning the humiliation you will definitely get. Not to mention should you be in an intimate relationship, just how it is going to affect?

Next option should be to give me $3000. I will name it as a donation. Consequently, I will immediately eliminate your video recording. You could keep on going your daily life like this never took place and you will not ever hear back again from me.

You will make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).

BTC Address: 1R11aYt2QWX61cEL32AAsmeSuGVYjPzrX
[case sensitive copy & paste it]

If you are making plans for going to the cop, good, this message cannot be traced back to me. I have covered my actions. I am not trying to ask you for money a whole lot, I just like to be compensated. You now have one day in order to make the payment. I've a specific pixel in this mail, and at this moment I know that you have read through this e mail. If I don't get the BitCoins, I will send out your video recording to all of your contacts including friends and family, coworkers, etc. Having said that, if I receive the payment, I will destroy the recording right away. If you want to have proof, reply with Yup! and I will certainly send your video to your 11 friends. It's a non-negotiable offer thus do not waste my personal time & yours by responding to this e mail.

Nice eh? I wonder what if anything I should do about it? This kind of stuff could scare some people to death, especially old folks.

d2d4j

  • Reg Member
  • ***
  • Posts: 741
Re: Blackmail email
« Reply #1 on: July 30, 2018, 12:30:05 PM »

Hi weaver

Report it to AA and let them deal with it.

The headers show it has come from Microsoft and is likely to be a compromised account.

Interestingly, we stopped an attack at a client's and have all files, 1 of which is a file called 187k, containing usernames and passwords for email. All major providers are listed in the file, along with proxies and PayPal, so it was going to be a full blown scam.

Believe it or not, some passwords used were "password" and some the user's name, e.g. john@ with password john.

AA should report it to Outlook as well as add it to their content checker, if used.

Many thanks

John
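Reading the headers the way John describes, as an added example (not code from this thread, from A&A or from Microsoft): the script below parses a trimmed copy of the headers Weaver posted with Python's standard email module, walks the Received chain in chronological order, picks out the hop at which the message entered the recipient's own servers (the "aa.net.uk" suffix is an assumption drawn from those headers) and checks whether that relay sits inside the From domain's infrastructure, which is what makes "report it to Microsoft" the right move rather than chasing a forged sender. The rule parsing assumes the SpamAssassin report layout shown in the post.

```python
"""Trace where a sextortion email entered the recipient's mail system.

Added example, not code from the Kitz thread or from Andrews & Arnold.
RAW_MESSAGE is a trimmed copy of the headers Weaver posted (long signature
and diagnostic values cut, body shortened); the recipient suffix
"aa.net.uk" is an assumption drawn from those headers.
"""
import email
import re
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <nymarysaimi@outlook.com>
Delivered-To: weaver@weavers-email.com
Received: from g-hopeless.aa.net.uk ([::1])
 by g-hopeless.aa.net.uk with LMTP id QKceEwgMUVtjKgAADvaTfA
 for <weaver@weavers-email.com>; Thu, 19 Jul 2018 23:09:12 +0100
Received: from mail-oln040092254027.outbound.protection.outlook.com ([40.92.254.27] helo=APC01-PU1-obe.outbound.protection.outlook.com)
 by g-hopeless.aa.net.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
 (Exim 4.89)
 (envelope-from <nymarysaimi@outlook.com>)
 id 1fgH6j-0001PT-Li
 for weaver@weavers-email.com; Thu, 19 Jul 2018 23:09:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1; h=From:Date:Subject:Message-ID; bh=...; b=...
Received: from PU1APC01FT060.eop-APC01.prod.protection.outlook.com
 (10.152.252.59) by PU1APC01HT232.eop-APC01.prod.protection.outlook.com
 (10.152.252.213) with Microsoft SMTP Server id 15.20.952.17; Thu, 19
 Jul 2018 22:08:58 +0000
Received: from SG2PR06MB2252.apcprd06.prod.outlook.com
 ([fe80::818a:e99a:1547:608a]) by SG2PR06MB2252.apcprd06.prod.outlook.com
 ([fe80::818a:e99a:1547:608a%13]) with mapi id 15.20.0973.018; Thu, 19 Jul
 2018 22:08:57 +0000
From: Cortese Little <nymarysaimi@outlook.com>
To: "weaver@weavers-email.com" <weaver@weavers-email.com>
Subject: weaver
received-spf: None (protection.outlook.com: outlook.com does not designate
 permitted sender hosts)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=nymarysaimi@outlook.com;
X-Spam-Score: 1.9
X-Spam-Report: Spam detection software ... scored (1.9 points).
   pts  rule name              description
   0.2 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
  -0.0 SPF_PASS               SPF: sender matches SPF record
   1.1 LOCALPART_IN_SUBJECT   Local part of To: address appears in Subject
  -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                              domain

I am well aware ... one of your password. (body trimmed)
"""

# "from HOST (IP) ... by HOST": the relay that handed the message over, its
# address if the receiving server recorded one, and the receiving server.
HOP_RE = re.compile(
    r"from\s+(\S+)(?:\s+\(\[?([0-9a-f.:]+)\]?)?.*?\bby\s+(\S+)",
    re.IGNORECASE,
)


def received_chain(raw):
    """Hops as (from_host, from_ip, by_host), oldest first.

    Each relay prepends its own Received header, so header order is
    newest-first and is reversed here to read the path chronologically.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    hops.reverse()
    return hops


def entry_hop(raw, recipient_suffix):
    """The hop at which the message reached the recipient's own servers.

    Only this hop's 'from' host and IP were observed by a server the
    recipient controls; every earlier Received line was written on the
    sender's side and could say anything.
    """
    for hop in received_chain(raw):
        if hop[2].endswith(recipient_suffix) and not hop[0].endswith(recipient_suffix):
            return hop
    return None


def dkim_domain(raw):
    """Signing domain (d=) from the DKIM-Signature header, or None."""
    sig = email.message_from_string(raw).get("DKIM-Signature") or ""
    m = re.search(r"\bd=([^;\s]+)", " ".join(sig.split()))
    return m.group(1) if m else None


def spam_rules(raw):
    """Rule name -> points from the SpamAssassin-style X-Spam-Report."""
    report = email.message_from_string(raw).get("X-Spam-Report") or ""
    flat = " ".join(report.split())
    return {name: float(pts)
            for pts, name in re.findall(r"(-?\d+\.\d+) ([A-Z][A-Z0-9_]+) ", flat)}


def assess(raw, recipient_suffix="aa.net.uk"):
    """Summarise what the headers actually prove about the message's origin."""
    msg = email.message_from_string(raw)
    hop = entry_hop(raw, recipient_suffix)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    entry_host = hop[0] if hop else ""
    return {
        "from_domain": from_domain,
        "dkim_domain": dkim_domain(raw),
        "entry_host": entry_host or None,
        "entry_ip": hop[1] if hop else None,
        # True when the verifiable relay belongs to the From domain's provider:
        # the message really passed through that provider, so the abuse
        # report goes to them rather than to a forged third party.
        "entry_relay_in_sender_domain": entry_host.endswith("." + from_domain),
        "spam_score": float(msg.get("X-Spam-Score", "0")),
        "rules": spam_rules(raw),
    }


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print("%-55s -> %s" % (hop[0], hop[2]))
    print(assess(RAW_MESSAGE))
```

Run it as a script and the chain prints Microsoft's internal hops first, then the hand-off from 40.92.254.27 to g-hopeless.aa.net.uk; `assess` reports the From domain, the DKIM signing domain and that the entry relay is in outlook.com, which is the evidence John reads as "come from Microsoft".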

j0hn

  • Kitizen
  • ****
  • Posts: 1976
Re: Blackmail email
« Reply #2 on: July 30, 2018, 12:53:28 PM »

https://bitref.com/1R11aYt2QWX61cEL32AAsmeSuGVYjPzrX

Looks like nobody has been dumb enough yet.
BT FTTC 55/10 ECI now Huawei cab
Zyxel VMG1312-B10A bridge mode with 1508 MTU + Asus RT-AC68U running Asuswrt-Merlin

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 39360
  • Penguins CAN fly
    • DSLstats
Re: Blackmail email
« Reply #3 on: July 30, 2018, 12:59:58 PM »

I've had two of those, one of which I reported here: https://forum.kitz.co.uk/index.php/topic,21298.0.html
  Eric

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6557
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Blackmail email
« Reply #4 on: July 30, 2018, 03:01:24 PM »

I am sorry, I somehow missed your earlier post - have been very out of it at times since my fentanyl was enormously increased, and I often miss almost a whole day.

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 39360
  • Penguins CAN fly
    • DSLstats
Re: Blackmail email
« Reply #5 on: July 30, 2018, 04:02:11 PM »

Oh I wasn't chastising you :)

Just adding a bit of information to the discussion.
  Eric

Ixel

  • Kitizen
  • ****
  • Posts: 1079
Re: Blackmail email
« Reply #6 on: July 30, 2018, 05:05:19 PM »

I had an email like this recently too, I ignored it, reported it to Outlook and flagged it as spam.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6557
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Blackmail email
« Reply #7 on: July 30, 2018, 09:59:39 PM »

@Roseway - no I never thought that you were! :) I just felt daft that I had not noticed it.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6557
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Blackmail email
« Reply #8 on: August 02, 2018, 12:22:58 AM »

Andrews and Arnold directed me to this article - https://www.hoax-slayer.net/fake-blackmail-sextortion-scam-emails-using-real-passwords/

There were some very useful resources in that article, especially this tool
    https://haveibeenpwned.com
a site into which you can type your email address, and it will tell you if your email address was part of a data set involved in one of a number of known massive security breaches.

My email address was listed in seven breaches, some I had never heard of (a bit odd), but Adobe, LinkedIn and Dropbox were amongst the results. The password that the bad guys quoted to me was the favourite ‘junk’ password that I use for websites that I do not care about, ones where nothing important is being done.

This is another useful article: https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
« Last Edit: August 02, 2018, 12:38:26 AM by Weaver »

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3762
Re: Blackmail email
« Reply #9 on: August 02, 2018, 01:07:54 AM »

Just the one breach for me, which was LinkedIn. I have never been convinced whether the LinkedIn breach was real, or whether it simply farmed data from the ensuing panic as people used “test sites”, volunteering their email, to see if they’d been compromised.

Same reservations apply to other websites, like haveibeenpwned.  I have not the slightest doubt that website is, at present, genuine.   But it must hoard an enormous database of email addresses, if only in unallocated sectors of their server’s hdds.   Might the day come when the owners are made an offer they can’t refuse, by the bad guys?
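The haveibeenpwned check Weaver mentions, and the worry sevenlayermuddle raises about handing data to such a site, as an added example (not code from this thread and not haveibeenpwned's own code): the Pwned Passwords part of the service uses a k-anonymity range lookup, so a client only ever sends the first five hex characters of the password's SHA-1 and matches the rest locally; the password itself never leaves the machine. The endpoint URL and the Add-Padding header below are the real ones; the sample response the script runs against offline is constructed, with invented counts. The email-address search the thread mainly talks about is a different lookup and is not shown.

```python
"""Check a password against Pwned Passwords without sending the password.

Added example, not code from the Kitz thread or from haveibeenpwned.com.
Only the 5-character SHA-1 prefix is sent; the service returns every
suffix it holds under that prefix and the match is made locally.
SAMPLE_RANGE is a constructed stand-in for the live response so the
script runs offline; its counts and the other suffixes are invented.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_text):
    """How often the password appears in the breach corpus (0 = unseen)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup of one prefix (network access; not used by the offline
    demo). 'Add-Padding' asks the service to pad the answer so response
    size does not reveal how many suffixes exist under the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Full k-anonymity check: hash locally, send the prefix, match locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch(prefix))


# Constructed stand-in for the API's answer to prefix 5BAA6, which is the
# prefix of SHA-1("password"). Every count and the other suffixes are made up.
SAMPLE_RANGE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2
"""
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE}


def offline_fetch(prefix):
    """Fetcher that answers from the constructed table instead of the network."""
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "xK9#qLm2@vB7!pRw"):
        prefix, _ = sha1_prefix_suffix(candidate)
        seen = check_password(candidate, fetch=offline_fetch)
        print("prefix sent: %s  seen in breaches: %d" % (prefix, seen))
```

Swap `offline_fetch` for the default `fetch_range` to query the real service; a junk password of the kind Weaver describes comes back with a count in the millions, which is exactly why it turns up in extortion mail, while a long unique one returns 0.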

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6557
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Blackmail email
« Reply #10 on: August 02, 2018, 01:29:35 AM »

Wherever the data in these databases was gathered from, is there the possibility that one guy got some of their data from another guy? This would mean that the ultimate origins of some users’ details found are not so certain?

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3762
Re: Blackmail email
« Reply #11 on: August 02, 2018, 08:28:12 AM »

What’s really interesting is they actually quoted one of your passwords.  So one way or another the bad guys got hold of it, either in plain text, or a crackable hashed version.  Which simply says to me, “that may happen”.

It is one reason I avoid, as far as possible, using online services that require me to create an account.   If I’m ordering goods and can’t “checkout as guest” I’ll do my best to just buy the goods elsewhere.   Every new account means me reusing a password, or creating a new password that I may later reuse.   And it means yet another organisation has a password that may one day escape...

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6557
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Blackmail email
« Reply #12 on: August 02, 2018, 12:34:35 PM »

The passwords I use are either very strong and unique or they are all the same few junk ones reused because it really does not matter if they escape. I nowadays give out unique fake personal details because none of these outfits who demand information from you has a right to really important stuff that cannot be changed such as your birth date, mother’s maiden name and so on, stuff which can be used to do a password recovery and get past a strong password.

Also a lot of the questions asked are really annoying, very American and full of bizarre assumptions.

What is the first meal you learned to cook ? - I can’t cook.
What city did your parents meet in? - They didn’t meet in a city / How should I know?
Your favourite pet? - I loved them all
Your childhood nickname - I didn’t have one

So I fill in utter codswallop and record my answers somewhere. In fact I recently needed to use these answers with someone.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6557
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Blackmail email
« Reply #13 on: August 03, 2018, 04:12:11 AM »

It seems Microsoft did take some serious action. The email came through Microsoft servers. I received the following email from them:
--
Hi ,

Thank you for letting us know about the questionable email you received.

We found it violated the Microsoft Services Agreement
http://www.microsoft.com/en-us/servicesagreement/default.aspx.   The
account is now suspended.

For additional tips on dealing with online abuse, phishing scams, and
junk email in the future, please visit this page
(http://windows.microsoft.com/en-us/windows/outlook/abuse-phishing-junk-email).

Kindly,

Ralph

Microsoft Online Safety