Hello!
I am a hacker who has access to your operating system.
I also have full access to your account.
I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.
This sort of automated nonsense does the rounds every few months, and is mostly caught by the spam filters so no one
ever sees it, but this one got through because it was sent to a postmaster mailbox. Had it been sent to a real mailbox it would
have been filtered and dumped. The postmaster address is never filtered, but it is processed automatically. Emails
to the various postmaster accounts are handled automatically: bounces are logged with the mailing list processor,
and any spam reports are posted to the HelpDesk. This one fell out because the processor didn't know what to do with
it, so it sent it on to me and it arrived in my 'look at rarely' folder.
Regardless, it's worth taking a look, because there is some interesting encoding employed, and I also don't want anyone
to ever fall for this nonsense. Let's look at the headers:
Return-Path:
Received: from hotstar.com (unknown [185.3.33.171])
Message-ID: <08eug80a83540t8uq38045uyaeq05h@thesaurus.com>
From: Marc Waters
Subject: Letter for you
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Nothing special there, just standard stuff sent on from a compromised account at thesaurus.com (report sent). So
let's move on to the content, which incidentally didn't fool our spam filters (I tested it), but will fool
the sort of basic spam filters that many people are using, and it does this by using special encoding. Let's look at
the content in sections and analyse the encoding.
I've been wаtching you for a few months now.
The fact is that you were infected with malwаre through an аdult site that you visited.
If you are not familiar with this, I will explain.
Trojаn Virus gives me full аccess and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have аccess to all your contacts and all your correspondence.
Why your аntivirus did not detect mаlwаre?
Answеr: My mаlwаre uses the driver, I update its signatures every 5 hours so that your аntivirus is silent.
I made a vidеo showing how you sаtisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this vidеo to all your emаils and contacts on social networks.
I can also post access to all your e-mail corrеspondence and mеssengers that you use.
If you want to prevent this,
trаnsfer the аmount of 1300 USD (US dollаrs) to my bitcоin аddress (if you do not know how to do this, write to Google: "Buy Bitcоin").
My bitcоin address (ВТС Wallet) is:
bc1qnv0eu5e769wa385mh2z85pk4aef355jl72cqz7
After receiving the pаyment, I will delеte the vidеo and you will never hear me again.
I give you 52 hоurs (more than 2 days) to pаy.
I have a notice reading this lеtter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitÑоin аddrеss.
I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immеdiately distributed.
Best regards!
What is Cyrillic
Cyrillic is a script used in Russia, Belarus, Ukraine, Kazakhstan, and other countries to write their languages. It has
338 letters, 10 vowels, and 16 consonants. Cyrillic is written from left to right, and the script has no diacritics
(accents). The script is not used in English, Spanish, French, German, Italian, and many other languages. The
Cyrillic alphabet is part of the Unicode character set, and it is supported by almost all modern computers and
software.
What is Unicode
Unicode is a standard for encoding, representing, and handling text in different languages, scripts, and writing
systems. It is designed to be universal, meaning that any computer can read and write text in any language using
Unicode.
Encoding Used
The encoding used in this email is UTF-8. UTF-8 is a variable-width encoding that supports a wide range of characters,
including Cyrillic. It uses 1 to 4 bytes per character, allowing it to represent a large number of characters without
wasting any space. UTF-8 is widely used in modern programming and communication, and it is the default encoding for
most web browsers.
Basic Spam Filters
Basic spam filters employ a number of methods to detect spam, and one of those is pattern matching. A spam filter may, for example, look for strings that look like bitcoin addresses and assign a score to that, say 0.05.
They may look for phrases like 'I am a hacker' and 'full access to your account', assigning scores to those, say 0.05.
Eventually all these scores are added up, and if the total exceeds a set limit the email is flagged as spam. It is more complex than that, there are hundreds of filters scanning various phrases and sequences, but
essentially this email can scrape past because:
It uses Cyrillic to obfuscate the phrases
It uses Unicode
It uses UTF-8
Let's look at how Cyrillic works at the byte level.
I've been wаtching you for a few months now.
Is actually provided as
I've been wаtching you for a few months now.
Now you can clearly see the strange а in the middle of this sentence, and that's because your web browser is not translating it into Cyrillic. HTML, the language of the web, can't just take raw Unicode and translate it; instead
we need to encode it correctly, so let's do that.
I've been wаtching you for a few months now.
And now it reads correctly. The 'a' is indeed a Cyrillic a and not an ASCII a, but it's still an 'a' so it reads fine. The spam filter, however, sees this:
49 27 76 65 20 62 65 65 6E 20 77 D0 B0 74 63 68 I've been w..tch
69 6E 67 20 79 6F 75 20 66 6F 72 20 61 20 66 65 ing you for a fe
77 20 6D 6F 6E 74 68 73 20 6E 6F 77 2E w months now.
These are the raw bytes of the text. The spam filter, when it sees these bytes, can't just look for specific phrases or patterns; it has to decode the bytes back into a readable form, which in this case includes Cyrillic.
If it's looking for 'been watching you for a few months', it won't find it, because that string doesn't exist in the message.
Key words like 'dollаrs' and 'bitcоin' are also encoded with Cyrillic, in this case Cyrillic 'a' and Cyrillic 'o', which are encoded as U+04D0 and U+043E respectively.
So, by using Cyrillic, it can still scrape past spam filters, and in your email client it will read just fine.
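To show the filter-side problem described in the two sections above, here is an added example (not code from the original post or from any real spam filter): a phrase scorer run over a constructed sample built from the same bytes as the dump, where Cyrillic а is U+0430 (UTF-8 D0 B0) and Cyrillic о is U+043E (UTF-8 D0 BE). The naive scorer misses every phrase; folding look-alike letters onto their Latin twins, or simply flagging words that mix Latin and Cyrillic letters, makes the same patterns hit. The homoglyph table and the phrase scores are assumptions for illustration.

```python
import re
import unicodedata

# Constructed sample mirroring the bytes shown above: the 'а' in "wаtching"
# is Cyrillic U+0430 (UTF-8 D0 B0), not Latin 'a' (0x61).
RAW = (b"I've been w\xd0\xb0tching you for a few months now. "
       b"tr\xd0\xb0nsfer 1300 USD (US doll\xd0\xb0rs) to my bitc\xd0\xbein address")

# Assumption: a few Cyrillic letters that render identically to Latin ones.
# A production filter would use the full Unicode confusables data instead.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

# Assumed phrase scores, in the spirit of the 0.05-per-hit example above.
PHRASES = {"been watching you": 0.05, "bitcoin": 0.05, "dollars": 0.02}


def fold_homoglyphs(text: str) -> str:
    """Map look-alike Cyrillic letters onto their Latin twins."""
    return text.translate(HOMOGLYPHS)


def mixed_script_words(text: str) -> list:
    """Words containing both Latin and Cyrillic letters: a strong signal by itself."""
    found = []
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "").split()[0] for ch in word if ch.isalpha()}
        if {"LATIN", "CYRILLIC"} <= scripts:
            found.append(word)
    return found


def naive_score(raw: bytes) -> float:
    """Pattern matching on the decoded text as-is: the Cyrillic letters break every phrase."""
    text = raw.decode("utf-8").lower()
    return sum(s for p, s in PHRASES.items() if p in text)


def folded_score(raw: bytes) -> float:
    """Same patterns after folding homoglyphs: the phrases are found again."""
    text = fold_homoglyphs(raw.decode("utf-8").lower())
    return sum(s for p, s in PHRASES.items() if p in text)


if __name__ == "__main__":
    print("naive:", naive_score(RAW), "folded:", folded_score(RAW))
    print("mixed-script words:", mixed_script_words(RAW.decode("utf-8")))
```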
Conclusion
Our spam filter flags this up like a beacon, but many can't correctly handle Unicode characters, and this causes their pattern matching to miss when it should hit.
It's important to
understand that this sort of spam is nonsense, as shown by the fact that the 'hacker' doesn't even know what email address to send it to, but some people
must be caught out by it, or the spammers just wouldn't waste the time.
Only be concerned when an email arrives at your proper email address and contains information that no one else should know, like your password(s), account names, or other confidential data.
If you receive spam like this, just delete it and get on with your day, but if you receive an email that does have private information in it that concerns you, then raise a ticket at the HelpDesk and we'll look into it for you.
Comments (1)
Aaaron P
· 2024-07-23 17:27 UTC
I get these all the time and other spam threatening various bs. Always wondered why gmail didn't filter them out and now I know.