2019
04.09

Hacked e-mail nonsense

Sup everyone.

Sorry for the delay in adding another article, but life caught up with me and I have not really had much time to line up something to write about until this morning, when I received this wonderful email.

Here it is for all of you to read (we will dissect it after):


Hello,

As you may have noticed, I sent this email from your email account (if you didn't see, check the from email id). In other words, I have full access to your email account.

I infected you with a malware a few months back when you visited an adult site, and since then, I have been observing your actions.

The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphone and you won't even notice about it.

I also have access to all your contacts.

Why your antivirus did not detect malware?
It's simple. My malware updates its signature every 10 minutes, and there is nothing your antivirus can do about it.

I made a video showing both you (through your webcam) and the video
you were watching (on the screen) while satisfying yourself.
With one click, I can send this video to all your contacts (email, social network, and messengers you use).

You can prevent me from doing this.
To stop me, transfer $976 to my bitcoin address.
If you do not know how to do this, Google - "Buy Bitcoin".

My bitcoin address (BTC Wallet) is
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

After receiving the payment, I will delete the video,
and you will never hear from me again.
You have 48 hours to pay. Since I already have access to your system
I now know that you have read this email, so your countdown has begun.

Filing a complaint will not do any good
because this email cannot be tracked.
I have not made any mistakes.

If I find that you have shared this message with someone else, I will immediately send the video to all of your contacts.

Take care

Wow. They hacked my system by sending me some malware and can see everything on my screen!!! I guess they can see all the cat pictures.

Now to dissect the headers to see where this really came from:


Delivered-To: cesar@pissedoffadmins.com
Received: by 2002:a17:90a:3acb:0:0:0:0 with SMTP id b69csp3511829pjc;
        Tue, 9 Apr 2019 00:54:52 -0700 (PDT)
X-Google-Smtp-Source: APXvYqx9YSGWZg4ihW0n1uBxG61ANvt55QJImpuN6PO+971zKXVS4UWTsYLP/TpWcnUSUVLhO1jq
X-Received: by 2002:a9f:3fce:: with SMTP id m14mr18192910uaj.96.1554796492534;
        Tue, 09 Apr 2019 00:54:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554796492; cv=none;
        d=google.com; s=arc-20160816;
        b=epBh48YhvC1+KeWsvLyBnFGBQs1DBCImok4czTCmo9vjX9P8tKutL2PtgsMUl++bOm
         as//cNvVygFrfvO3NL2tSrkeMmJY+bnUcCsIChb2nzsz9uqiwOC2z9+BskYnEQL1TwdK
         KEkeMhyIB1ThghpErhfW2652iljg2hvbMSoz2u4Sm/Qi11DuLbbT9wJ8TuLsfugM7itD
         tQ9EfyWMaQylDD2njzSflyW/DNDxDIrv6ODm2QmV3EOq6I0TO4P1eaDtTrfPyn1+7BIO
         BpXjmYQn2ennKfg5+OdXUzAy1K+5+OrD32reW/rDfLU/jYZupw1VjFgaJHdzd+HGi4jM
         hmKA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:subject:to:mime-version:user-agent:from
         :date:message-id;
        bh=oTu+N81U13heFPRNHRGyj96+NRUqglQuSBMXOAK0VIM=;
        b=VzzHtycH2TmM1HNAKgHuqlQUOHj68JCdv+Ydtp8IzOU8RP1kkA7Yv3K63wE2AsUolM
         3U3dakFgOsFKrov5IWaQmGikEtqe1wcPCUZBfdFHpIDhvH5Ghrb1w3INm6hbKkh4BY5O
         WZUre+QGwkggqE6S7HDDt8rtcsfwhqzZsIrJf3h/UfoKJUeGpfR4rEEBs5UhEPrB1pNl
         hpc2lo5qwebuPORFeTrvAfDQqg8lS8/ydj/ME21rNYgOEpHgXyrzQGC4K7fZm54GtC5R
         mr/44aSQzLYghtw4juuphhpOauFSZg/h2FYjzMPjbcJS4HkUivgorxjXQnUSdcjMG1aV
         /o9A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) smtp.mailfrom=qq@jyvyhhiau.com
Return-Path: <qq@jyvyhhiau.com>
Received: from jyvyhhiau.com ([84.54.118.18])
        by mx.google.com with SMTP id s1si6770650vke.30.2019.04.09.00.54.48
        for ;
        Tue, 09 Apr 2019 00:54:52 -0700 (PDT)
Received-SPF: neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) client-ip=84.54.118.18;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) smtp.mailfrom=qq@jyvyhhiau.com
Received: from relay.2yahoo.com [205.224.96.128] by qnx.mdrost.com with SMTP; Tue, 09 Apr 2019 03:48:42 -0400
Message-ID: 
Date: Tue, 09 Apr 2019 03:48:42 -0400
From: cesar@pissedoffadmins.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.21) Gecko/20090302 Thunderbird/2.0.0.21
MIME-Version: 1.0
To: 
Subject: cesar@pissedoffadmins.com has been hacked, change your password ASAP
Content-Type: text/html; charset="us-ascii"

Let's start with the first relevant line we see:


ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) smtp.mailfrom=qq@jyvyhhiau.com

As the ARC results show, the Sender Policy Framework (SPF) check came back neutral for the envelope sender “qq@jyvyhhiau.com”: the sending IP 84.54.118.18 is neither permitted nor denied by the best-guess record for that domain (Google reports a “best guess record” when the domain publishes no SPF record of its own).

Let us now look at the Return-Path / Received sections:


Return-Path: <qq@jyvyhhiau.com>
Received: from jyvyhhiau.com ([84.54.118.18])
        by mx.google.com with SMTP id s1si6770650vke.30.2019.04.09.00.54.48
        for ;
        Tue, 09 Apr 2019 00:54:52 -0700 (PDT)

As shown in the Return-Path, the envelope sender is “qq@jyvyhhiau.com”, not my address, so the “your account has been hacked” claim is already falling apart.

The “Received” line shows that mx.google.com accepted this email from the host “jyvyhhiau.com ([84.54.118.18])”, not from my account.

Now let's take a look at the Received-SPF and Authentication-Results sections:


Received-SPF: neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) client-ip=84.54.118.18;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) smtp.mailfrom=qq@jyvyhhiau.com

Once again, Received-SPF names the envelope sender and connecting host, “qq@jyvyhhiau.com client-ip=84.54.118.18”, and Authentication-Results confirms the envelope sender: smtp.mailfrom=qq@jyvyhhiau.com.

So with this information I am 100% certain that this is just a spoofed email with my address as the sender.

What ruins this scam is that the SPF, Return-Path, Received, and Received-SPF headers all told me that this wasn’t coming from my own account; the fact that I regularly change my passwords and have 2FA enabled helps too.
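As an added example that is not part of the original post, the following Python script automates the header walk-through above: it unfolds the headers, pulls the SPF verdict and smtp.mailfrom out of Authentication-Results, and compares the domain in the visible From header with the envelope sender and with the host mx.google.com accepted the connection from. The sample headers are the ones quoted in the post, lightly trimmed; the angle brackets on Return-Path are an assumption based on the post's statement of the return-path address.

```python
"""Extract sender-origin evidence from raw e-mail headers.

Added example, not code from the original post. It unfolds RFC 5322
continuation lines, then compares the domain of the visible From: header
with the envelope sender (Return-Path / smtp.mailfrom from
Authentication-Results) and with the host the receiving MX accepted the
connection from, which is the check the post walks through by hand.
"""
import re
from email.utils import parseaddr

# Constructed sample: the relevant headers copied from the post, lightly
# trimmed. The angle brackets on Return-Path are assumed from the post's
# own statement that the return-path address is qq@jyvyhhiau.com.
SAMPLE_HEADERS = """\
Delivered-To: cesar@pissedoffadmins.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) smtp.mailfrom=qq@jyvyhhiau.com
Return-Path: <qq@jyvyhhiau.com>
Received: from jyvyhhiau.com ([84.54.118.18])
        by mx.google.com with SMTP id s1si6770650vke.30.2019.04.09.00.54.48;
        Tue, 09 Apr 2019 00:54:52 -0700 (PDT)
Received-SPF: neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) client-ip=84.54.118.18;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 84.54.118.18 is neither permitted nor denied by best guess record for domain of qq@jyvyhhiau.com) smtp.mailfrom=qq@jyvyhhiau.com
Received: from relay.2yahoo.com [205.224.96.128] by qnx.mdrost.com with SMTP; Tue, 09 Apr 2019 03:48:42 -0400
Date: Tue, 09 Apr 2019 03:48:42 -0400
From: cesar@pissedoffadmins.com
Subject: cesar@pissedoffadmins.com has been hacked, change your password ASAP
"""

# "from <host> ([<ip>]) ... by <host>" as written by most MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+[\(\[]+([\d.]+)[\)\]]+.*?\bby\s+(\S+)")


def unfold_headers(raw):
    """Return an ordered list of (name, value) pairs with folded lines joined.

    A line that starts with whitespace continues the previous header field.
    """
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def first_field(fields, name):
    """Value of the first header named `name` (case-insensitive), or None."""
    for field_name, value in fields:
        if field_name.lower() == name.lower():
            return value
    return None


def domain_of(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower() or None


def parse_auth_results(value):
    """Return (spf_result, smtp.mailfrom) from an Authentication-Results value."""
    spf = re.search(r"\bspf=(\w+)", value or "")
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", value or "")
    return (spf.group(1) if spf else None, mailfrom.group(1) if mailfrom else None)


def received_hops(fields):
    """Parse each Received: field, newest first, into (from_host, ip, by_host)."""
    hops = []
    for field_name, value in fields:
        if field_name.lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops


def analyze_headers(raw):
    """Compare the visible From: domain with the envelope sender and entry hop."""
    fields = unfold_headers(raw)
    spf_result, mailfrom = parse_auth_results(first_field(fields, "Authentication-Results"))
    envelope = mailfrom or first_field(fields, "Return-Path")
    hops = received_hops(fields)
    from_domain = domain_of(first_field(fields, "From"))
    envelope_domain = domain_of(envelope)
    # The From: header is only trustworthy when it agrees with the envelope
    # sender and SPF actually passed for that sender. The newest Received:
    # line (hops[0]) was written by the receiving MX; every hop below it
    # arrived with the message and could have been written by the sender.
    from_verified = from_domain == envelope_domain and spf_result == "pass"
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf": spf_result,
        "entry_hop": hops[0] if hops else None,
        "from_verified": from_verified,
    }


if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_HEADERS).items():
        print(f"{key:16} {value}")
```

Run as-is it reports a From domain of pissedoffadmins.com against an envelope domain of jyvyhhiau.com, SPF neutral and an entry hop of jyvyhhiau.com (84.54.118.18) into mx.google.com, so the From header is flagged as unverified. Paste the raw headers of any other message into SAMPLE_HEADERS to get the same comparison; only the topmost Received line, the one added by your own provider, is trustworthy, since the lines below it travelled with the message.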

Happy hunting.