Email Threats and Extortion - A review

The Curious Codex

             11 Votes  
100% Human Generated
2024-07-23 Published, 2024-10-28 Updated
1331 Words, 7  Minute Read

The Author
GEN UK Blog

Adam Jones (Infrastructure)

Adam has been with the firm since 2001.

 

Introduction

Hello!
I am a hacker who has access to your operating system.
I also have full access to your account.

I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

This sort of automated nonsense does the rounds every few months, and is mostly caught by the spam filters so no one ever sees it, but this one got through by being sent to a postmaster mailbox. Had it been sent to a real mailbox it would have been filtered and dumped. The postmaster address is never filtered, but it is automatically processed: emails to the various postmaster accounts are handled automatically, bounces are logged with the mailing list processor, and any spam reports are posted to the HelpDesk. This one fell out because the processor didn't know what to do with it, so it sent it on to me and it arrived in my 'look at rarely' folder.

Regardless, it's worth taking a look because there is some interesting encoding employed, and I also don't want anyone to ever fall for this nonsense. Let's look at the headers:

Return-Path: 
Received: from hotstar.com (unknown [185.3.33.171])
Message-ID: <08eug80a83540t8uq38045uyaeq05h@thesaurus.com>
From: Marc Waters 
Subject: Letter for you
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Nothing special there, just standard stuff sent on from a compromised account at thesaurus.com (report sent). So let's move on to the content, which incidentally didn't fool our spam filters (I tested it), but will fool the sort of basic spam filters that many people are using, and it does this by using special encoding. Let's look at the content in sections, and analyse the encoding.

I've been wаtching you for a few months now.
The fact is that you were infected with malwаre through an аdult site that you visited.

If you are not familiar with this, I will explain.
Trojаn Virus gives me full аccess and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have аccess to all your contacts and all your correspondence.

Why your аntivirus did not detect mаlwаre?

Answеr: My mаlwаre uses the driver, I update its signatures every 5 hours so that your аntivirus is silent.

I made a vidеo showing how you sаtisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this vidеo to all your emаils and contacts on social networks.
I can also post access to all your e-mail corrеspondence and mеssengers that you use.

If you want to prevent this,
trаnsfer the аmount of 1300 USD (US dollаrs) to my bitcоin аddress (if you do not know how to do this, write to Google: "Buy Bitcоin").
My bitcоin address (ВТС Wallet) is:

bc1qnv0eu5e769wa385mh2z85pk4aef355jl72cqz7

After receiving the pаyment, I will delеte the vidеo and you will never hear me again.
I give you 52 hоurs (more than 2 days) to pаy.
I have a notice reading this lеtter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitсоin аddrеss.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immеdiately distributed.

Best regards!

What is Cyrillic

Cyrillic is a script used in Russia, Belarus, Ukraine, Kazakhstan, and other countries to write the alphabet. It has 338 letters, 10 vowels, and 16 consonants. Cyrillic is written from left to right, and the script has no diacritics (accents). The script is not used in English, Spanish, French, German, Italian, and many other languages. The Cyrillic alphabet is a part of the Unicode character set, and it is used in almost all modern computers and software.

What is Unicode

Unicode is a standard for encoding, representing, and handling text in different languages, scripts, and writing systems. It is designed to be universal, meaning that any computer can read and write text in any language using Unicode.

Encoding Used

The encoding used in this email is UTF-8. UTF-8 is a variable-width encoding that supports a wide range of characters, including Cyrillic. It uses 1 to 4 bytes per character, allowing it to represent a large number of characters without wasting any space. UTF-8 is widely used in modern programming and communication, and it is the default encoding for most web browsers.

Basic Spam Filters

Basic spam filters employ a number of methods to detect spam, and one of those is pattern matching. A spam filter may, for example, look for strings that look like bitcoin addresses and assign a score to that, say 0.05. It may look for phrases like 'I am a hacker' and 'full access to your account' and assign scores to those, say 0.05 each.

Eventually, all these scores are added up and if it exceeds a set limit, the email is flagged as spam. It is more complex than that, there are hundreds of filters, scanning various phrases and sequences, but essentially, this email can scrape past because:

  • It uses Cyrillic to obfuscate the phrases
  • It uses Unicode
  • It uses UTF-8

Let's look at how Cyrillic works, at the byte level.

I've been wаtching you for a few months now.

Is actually provided as

I've been wаtching you for a few months now.

Now you can clearly see the strange а in the middle of this sentence, and that's because your web browser is not translating that into Cyrillic. HTML, the language of the web, can't just take raw Unicode and translate it; instead we need to encode it correctly, so let's do that.

I've been wаtching you for a few months now.

And now it reads correctly. The 'a' is indeed a Cyrillic a and not an ASCII a, but it's still an 'a' so it reads fine to a human, whereas the spam filter sees this.

49 27 76 65 20 62 65 65 6E 20 77 D0 B0 74 63 68    I've been w..tch
69 6E 67 20 79 6F 75 20 66 6F 72 20 61 20 66 65    ing you for a fe
77 20 6D 6F 6E 74 68 73 20 6E 6F 77 2E             w months now.   

These are the raw bytes of the text. The spam filter, when it sees these bytes, can't just look for specific phrases or patterns; it has to decode the bytes back into a readable form, which in this case includes Cyrillic. If it's looking for 'been watching you for a few months' (all ASCII), it won't find it, because that byte sequence doesn't exist in the message.

Key words like 'dollаrs' and 'bitcоin' are also encoded with cyrillic, in this case Cyrillic 'a' and Cyrillic 'o', which are encoded as U+04D0 and U+043E respectively.

So, by using Cyrillic, it can still scrape past spam filters, and in your email client it will read just fine.
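As an added example (not part of the original post, and not GEN's own filter), the following Python script reproduces the byte-level view shown above and demonstrates both points from the two sections before it: a filter that matches phrases on the raw text scores this message at zero, while one that either folds Cyrillic look-alikes to their Latin twins or simply flags words that mix two scripts catches it. The sample sentence is constructed, the phrase weights are the 0.05 example values from the article, and the confusables table is a small hand-picked subset (an assumption here, not the full Unicode confusables list).

```python
import unicodedata

# Constructed sample: the opening line of the message analysed above, typed with
# a Cyrillic small a (U+0430) in "watching" and a Cyrillic small o (U+043E) in
# "bitcoin". Both render identically to their Latin twins in most fonts.
SAMPLE = "I've been w\u0430tching you for a few months now. Buy bitc\u043ein."

# Assumed, hand-picked subset of Cyrillic letters whose glyphs look like Latin
# ones. A production filter would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

# Phrase weights in the style the article describes (0.05 per hit).
PHRASES = {
    "i am a hacker": 0.05,
    "full access to your account": 0.05,
    "been watching you for a few months": 0.05,
    "bitcoin": 0.05,
}


def hexdump(text: str) -> list[str]:
    """16-byte-wide hex dump of the UTF-8 encoding, in the layout used in the article."""
    data = text.encode("utf-8")
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(16 * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{hexpart}    {ascii_part}")
    return lines


def codepoints(word: str) -> list[str]:
    """Code points of each character, e.g. the D0 B0 byte pair above decodes to U+0430."""
    return [f"U+{ord(c):04X}" for c in word]


def script_of(ch: str) -> str:
    """Coarse script classification using the Unicode character name."""
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN "):
        return "Latin"
    if name.startswith("CYRILLIC "):
        return "Cyrillic"
    return "Other"


def mixed_script_words(text: str) -> list[str]:
    """Words containing letters from more than one script: a strong homoglyph signal."""
    found = []
    for word in text.split():
        scripts = {script_of(c) for c in word if c.isalpha()}
        scripts.discard("Other")
        if len(scripts) > 1:
            found.append(word)
    return found


def normalize_confusables(text: str) -> str:
    """Fold look-alike Cyrillic letters back to Latin before pattern matching."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def spam_score(text: str, normalize: bool) -> float:
    """Sum of phrase weights; with normalize=False this is the naive filter the article describes."""
    haystack = normalize_confusables(text) if normalize else text
    haystack = haystack.lower()
    return sum(w for phrase, w in PHRASES.items() if phrase in haystack)


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print("mixed-script words:", mixed_script_words(SAMPLE))
    print("code points of w\u0430tching:", codepoints("w\u0430tching"))
    print("naive score:     ", spam_score(SAMPLE, normalize=False))
    print("normalized score:", spam_score(SAMPLE, normalize=True))
```

The mixed-script check and the confusables fold complement each other: folding catches a word whose letters have all been swapped (which no longer "mixes" anything), while the mixed-script check needs no lookup table and flags substitutions that the table does not list.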

Conclusion

Our spam filter flags this up like a beacon, but many can't correctly handle Unicode characters, and this causes their pattern matching to miss when it should hit.

It's important to understand that this sort of spam is nonsense, as indicated by the fact that the 'hacker' doesn't even know what email address to send it to, but some people must be caught out by this, or the spammers just wouldn't waste the time.

Only really be concerned when an email arrives to your proper email address, and contains information that no one else should know, like your password(s), account names, or other confidential data.

If you receive spam like this, just delete it and get on with your day, but if you receive an email that does have private information in it, that concerns you, then raise a ticket at the HelpDesk and we'll look into it for you.


Comments (1)

Aaaron P · 2024-07-23 17:27 UTC
I get these all the time and other spam threatening various bs. Always wondered why gmail didn't filter them out and now I know.

Copyright © 2024 GEN Partnership. All Rights Reserved.