Email Dumpster Diving

“Well the last time you went to see the porn material websites, my spyware ended up being activated inside your computer which ended up documenting a eye-catching video of your masturbation act simply by activating your web camera,” the letter reads. “I have got the whole recording. If perhaps you think I’m messing around, simply reply proof and I will be forwarding the particular recording randomly to 10 people you know.”

It’s the unthinkable for many, and unbearable for the majority. What started as 5 minutes of bedroom fun has turned into a disaster. “You got a incredibly unusual taste by the way haha,” jeered the email. Wait, they couldn’t possibly have known what I clicked on… right? What did I click on..?

I recently realised that one of my very old email accounts, from about 10 years ago, is still working. Fancying a little nostalgia, I logged into the account, only to be greeted by various spam mails. A blackmail letter caught my eye, so I thought I would dig deeper into it!

Where it all Started

Spam mails are named after the luncheon meat, whose name ostensibly comes from a shortening of ‘spiced ham’ or ‘shoulders of pork and ham’ [1]. According to the paper “The Economics of Spam” [2], spam mails can cost American firms about USD 20 billion annually. Spammers send out junk mail for all sorts of reasons, including to scam the readers and separate them from their hard-earned cash.

My mailbox was set up so that spam mails are not automatically deleted. The scam mails started rolling in from March 2016, a good while after I last used the mailbox. This suggests that my email address was somehow leaked and put on spam lists. A quick check on haveibeenpwned.com shows that my email address was part of a major data breach at 000webhost (a free web host that I used for experimenting with web dev) and of some unverified lists online. Since then, there have been 40 spam mails over the course of 4 years, which isn’t all that bad.

Breaches that my email address was part of.

There are only two breaches listed, so it is highly probable that the 2019 breach is just a repackaged version of the 000webhost data breach. Oh, and by the way, steer clear of 000webhost. Apart from ridiculous support and random account deletions, they also stored passwords in plaintext! Even computer science graduates with zero experience know to salt and hash passwords, and to store only the hashed passwords in a database. It’s hard to imagine what other poor security practices are in place.

Types of Spam Mails Received

This classification isn’t exhaustive and is not meant to describe all the letters out there. With that said, the dubious mails I have received can be categorised according to the emotions / human weaknesses that they exploit:

  • Fear (Blackmails, Extortions)
  • Curiosity/Negligence (Phishing mails from social media sites, malware attachments)
  • Greed (Nigerian prince scams, lottery tickets, job offers)

We will focus solely on the first category in this post.

Blackmails

I received a total of 3 blackmail letters.

  1. From: [email protected]
    Date: April 21, 2020
    Type: Sextortion Scam
    Ransom: $2000
    Bitcoin Address: 16Xh9X1FHwhdgfEaHBetVkbptCnofYDrHJ
𝗜 𝗮𝗺 𝗮𝘄𝗮𝗿𝗲, <redacted password>, 𝗶𝘀 𝘆𝗼𝘂𝗿 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱. 

𝗜 𝗿𝗲𝗾𝘂𝗶𝗿𝗲 𝘆𝗼𝘂𝗿 𝗳𝘂𝗹𝗹 𝗮𝘁𝘁𝗲𝗻𝘁𝗶𝗼𝗻 𝗳𝗼𝗿 𝘁𝗵𝗲 𝘂𝗽 𝗰𝗼𝗺𝗶𝗻𝗴 𝟮𝟰 𝗵𝗼𝘂𝗿𝘀, 𝗼𝗿 𝗜 𝘄𝗶𝗹𝗹 𝗺𝗮𝗸𝗲 𝘀𝘂𝗿𝗲 𝘆𝗼𝘂 𝘁𝗵𝗮𝘁 𝘆𝗼𝘂 𝗹𝗶𝘃𝗲 𝗼𝘂𝘁 𝗼𝗳 𝗴𝘂𝗶𝗹𝘁 𝗳𝗼𝗿 𝘁𝗵𝗲 𝗿𝗲𝘀𝘁 𝗼𝗳 𝘆𝗼𝘂𝗿 𝗹𝗶𝗳𝗲𝘁𝗶𝗺𝗲. 

𝗛𝗲𝘆, 𝘆𝗼𝘂 𝗱𝗼𝗻'𝘁 𝗸𝗻𝗼𝘄 𝗺𝗲. 𝗕𝘂𝘁 𝗜 𝗸𝗻𝗼𝘄 𝗲𝘃𝗲𝗿𝘆𝘁𝗵𝗶𝗻𝗴 𝗿𝗲𝗴𝗮𝗿𝗱𝗶𝗻𝗴 𝘆𝗼𝘂. 𝗬𝗼𝘂𝗿 𝗳𝗯 𝗰𝗼𝗻𝘁𝗮𝗰𝘁 𝗹𝗶𝘀𝘁, 𝗽𝗵𝗼𝗻𝗲 𝗰𝗼𝗻𝘁𝗮𝗰𝘁𝘀 𝗮𝗹𝗼𝗻𝗴 𝘄𝗶𝘁𝗵 𝗮𝗹𝗹 𝘁𝗵𝗲 𝗼𝗻𝗹𝗶𝗻𝗲 𝗮𝗰𝘁𝗶𝘃𝗶𝘁𝘆 𝗼𝗻 𝘆𝗼𝘂𝗿 𝗰𝗼𝗺𝗽𝘂𝘁𝗲𝗿 𝗳𝗿𝗼𝗺 𝗽𝗿𝗲𝘃𝗶𝗼𝘂𝘀 𝟭𝟭𝟯 𝗱𝗮𝘆𝘀. 

𝗔𝗻𝗱 𝘁𝗵𝗶𝘀 𝗶𝗻𝗰𝗹𝘂𝗱𝗲𝘀, 𝘆𝗼𝘂𝗿 𝘀𝗲𝗹𝗳 𝗽𝗹𝗲𝗮𝘀𝘂𝗿𝗲 𝘃𝗶𝗱𝗲𝗼, 𝘄𝗵𝗶𝗰𝗵 𝗯𝗿𝗶𝗻𝗴𝘀 𝗺𝗲 𝘁𝗼 𝘁𝗵𝗲 𝗽𝗿𝗶𝗺𝗮𝗿𝘆 𝗿𝗲𝗮𝘀𝗼𝗻 𝘄𝗵𝘆 𝗜 𝗮𝗺 𝗰𝗿𝗮𝗳𝘁𝗶𝗻𝗴 𝘁𝗵𝗶𝘀 𝘀𝗽𝗲𝗰𝗶𝗳𝗶𝗰 𝗲 𝗺𝗮𝗶𝗹 𝘁𝗼 𝘆𝗼𝘂. 

𝗪𝗲𝗹𝗹 𝘁𝗵𝗲 𝗹𝗮𝘀𝘁 𝘁𝗶𝗺𝗲 𝘆𝗼𝘂 𝘄𝗲𝗻𝘁 𝘁𝗼 𝘀𝗲𝗲 𝘁𝗵𝗲 𝗽𝗼𝗿𝗻 𝗺𝗮𝘁𝗲𝗿𝗶𝗮𝗹 𝘄𝗲𝗯𝘀𝗶𝘁𝗲𝘀, 𝗺𝘆 𝘀𝗽𝘆𝘄𝗮𝗿𝗲 𝗲𝗻𝗱𝗲𝗱 𝘂𝗽 𝗯𝗲𝗶𝗻𝗴 𝗮𝗰𝘁𝗶𝘃𝗮𝘁𝗲𝗱 𝗶𝗻𝘀𝗶𝗱𝗲 𝘆𝗼𝘂𝗿 𝗰𝗼𝗺𝗽𝘂𝘁𝗲𝗿 𝘄𝗵𝗶𝗰𝗵 𝗲𝗻𝗱𝗲𝗱 𝘂𝗽 𝗱𝗼𝗰𝘂𝗺𝗲𝗻𝘁𝗶𝗻𝗴 𝗮 𝗲𝘆𝗲-𝗰𝗮𝘁𝗰𝗵𝗶𝗻𝗴 𝘃𝗶𝗱𝗲𝗼 𝗼𝗳 𝘆𝗼𝘂𝗿 𝗺𝗮𝘀𝘁𝘂𝗿𝗯𝗮𝘁𝗶𝗼𝗻 𝗮𝗰𝘁 𝘀𝗶𝗺𝗽𝗹𝘆 𝗯𝘆 𝗮𝗰𝘁𝗶𝘃𝗮𝘁𝗶𝗻𝗴 𝘆𝗼𝘂𝗿 𝘄𝗲𝗯 𝗰𝗮𝗺𝗲𝗿𝗮. 
(𝘆𝗼𝘂 𝗴𝗼𝘁 𝗮 𝗶𝗻𝗰𝗿𝗲𝗱𝗶𝗯𝗹𝘆 𝘂𝗻𝘂𝘀𝘂𝗮𝗹 𝘁𝗮𝘀𝘁𝗲 𝗯𝘆 𝘁𝗵𝗲 𝘄𝗮𝘆 𝗵𝗮𝗵𝗮) 

𝗜 𝗵𝗮𝘃𝗲 𝗴𝗼𝘁 𝘁𝗵𝗲 𝘄𝗵𝗼𝗹𝗲 𝗿𝗲𝗰𝗼𝗿𝗱𝗶𝗻𝗴. 𝗜𝗳 𝗽𝗲𝗿𝗵𝗮𝗽𝘀 𝘆𝗼𝘂 𝘁𝗵𝗶𝗻𝗸 𝗜 '𝗺 𝗺𝗲𝘀𝘀𝗶𝗻𝗴 𝗮𝗿𝗼𝘂𝗻𝗱, 𝘀𝗶𝗺𝗽𝗹𝘆 𝗿𝗲𝗽𝗹𝘆 𝗽𝗿𝗼𝗼𝗳 𝗮𝗻𝗱 𝗜 𝘄𝗶𝗹𝗹 𝗯𝗲 𝗳𝗼𝗿𝘄𝗮𝗿𝗱𝗶𝗻𝗴 𝘁𝗵𝗲 𝗽𝗮𝗿𝘁𝗶𝗰𝘂𝗹𝗮𝗿 𝗿𝗲𝗰𝗼𝗿𝗱𝗶𝗻𝗴 𝗿𝗮𝗻𝗱𝗼𝗺𝗹𝘆 𝘁𝗼 𝟭𝟬 𝗽𝗲𝗼𝗽𝗹𝗲 𝘆𝗼𝘂 𝗸𝗻𝗼𝘄. 

𝗜𝘁 𝗺𝗶𝗴𝗵𝘁 𝗲𝗻𝗱 𝘂𝗽 𝗯𝗲𝗶𝗻𝗴 𝘆𝗼𝘂𝗿 𝗳𝗿𝗶𝗲𝗻𝗱𝘀, 𝗰𝗼 𝘄𝗼𝗿𝗸𝗲𝗿𝘀, 𝗯𝗼𝘀𝘀, 𝗺𝗼𝘁𝗵𝗲𝗿 𝗮𝗻𝗱 𝗳𝗮𝘁𝗵𝗲𝗿 (𝗜 𝗱𝗼𝗻'𝘁 𝗸𝗻𝗼𝘄! 𝗠𝘆 𝘀𝘆𝘀𝘁𝗲𝗺 𝘄𝗶𝗹𝗹 𝗿𝗮𝗻𝗱𝗼𝗺𝗹𝘆 𝗽𝗶𝗰𝗸 𝘁𝗵𝗲 𝗰𝗼𝗻𝘁𝗮𝗰𝘁 𝗱𝗲𝘁𝗮𝗶𝗹𝘀). 

𝗪𝗶𝗹𝗹 𝘆𝗼𝘂 𝗯𝗲 𝗰𝗮𝗽𝗮𝗯𝗹𝗲 𝘁𝗼 𝗹𝗼𝗼𝗸 𝗶𝗻𝘁𝗼 𝗮𝗻𝘆𝗼𝗻𝗲'𝘀 𝗲𝘆𝗲𝘀 𝗮𝗴𝗮𝗶𝗻 𝗮𝗳𝘁𝗲𝗿 𝗶𝘁? 𝗜 𝗾𝘂𝗲𝘀𝘁𝗶𝗼𝗻 𝘁𝗵𝗮𝘁... 

𝗕𝘂𝘁, 𝗶𝘁 𝗱𝗼𝗲𝘀𝗻'𝘁 𝗻𝗲𝗲𝗱 𝘁𝗼 𝗯𝗲 𝘁𝗵𝗮𝘁 𝗿𝗼𝘂𝘁𝗲. 

𝗜'𝗺 𝗴𝗼𝗶𝗻𝗴 𝘁𝗼 𝗺𝗮𝗸𝗲 𝘆𝗼𝘂 𝗮 𝟭 𝘁𝗶𝗺𝗲, 𝗻𝗼𝗻 𝗻𝗲𝗴𝗼𝘁𝗶𝗮𝗯𝗹𝗲 𝗼𝗳𝗳𝗲𝗿. 

𝗚𝗲𝘁 $ 𝟮𝟬𝟬𝟬 𝗶𝗻 𝗯𝗶𝘁𝗰𝗼𝗶𝗻 𝗮𝗻𝗱 𝘀𝗲𝗻𝗱 𝗶𝘁 𝗼𝗻 𝘁𝗵𝗲 𝗱𝗼𝘄𝗻 𝗯𝗲𝗹𝗼𝘄 𝗮𝗱𝗱𝗿𝗲𝘀𝘀: 

16Xh9X1FHwhdgfEaHBetVkbptC*nofYDrHJ 
[𝗖𝗔𝗦𝗘-𝗦𝗘𝗡𝗦𝗜𝗧𝗜𝗩𝗘, 𝗰𝗼𝗽𝘆 𝗮𝗻𝗱 𝗽𝗮𝘀𝘁𝗲 𝗶𝘁, 𝗮𝗻𝗱 𝗿𝗲𝗺𝗼𝘃𝗲 * 𝗳𝗿𝗼𝗺 𝗶𝘁] 

(𝗜𝗳 𝘆𝗼𝘂 𝗱𝗼 𝗻𝗼𝘁 𝘂𝗻𝗱𝗲𝗿𝘀𝘁𝗮𝗻𝗱 𝗵𝗼𝘄, 𝗴𝗼𝗼𝗴𝗹𝗲 𝗵𝗼𝘄 𝘁𝗼 𝗽𝘂𝗿𝗰𝗵𝗮𝘀𝗲 𝗯𝗶𝘁𝗰𝗼𝗶𝗻. 𝗗𝗼 𝗻𝗼𝘁 𝘄𝗮𝘀𝘁𝗲 𝗺𝘆 𝘃𝗮𝗹𝘂𝗮𝗯𝗹𝗲 𝘁𝗶𝗺𝗲) 

𝗜𝗳 𝘆𝗼𝘂 𝘀𝗲𝗻𝗱 𝗼𝘂𝘁 𝘁𝗵𝗶𝘀 '𝗱𝗼𝗻𝗮𝘁𝗶𝗼𝗻' (𝗹𝗲𝘁 𝘂𝘀 𝗰𝗮𝗹𝗹 𝘁𝗵𝗶𝘀 𝘁𝗵𝗮𝘁?). 𝗔𝗳𝘁𝗲𝗿 𝘁𝗵𝗮𝘁, 𝗜 𝘄𝗶𝗹𝗹 𝗱𝗶𝘀𝗮𝗽𝗽𝗲𝗮𝗿 𝗮𝗻𝗱 𝗻𝗲𝘃𝗲𝗿 𝗲𝘃𝗲𝗿 𝗺𝗮𝗸𝗲 𝗰𝗼𝗻𝘁𝗮𝗰𝘁 𝘄𝗶𝘁𝗵 𝘆𝗼𝘂 𝗮𝗴𝗮𝗶𝗻. 𝗜 𝘄𝗶𝗹𝗹 𝗲𝗹𝗶𝗺𝗶𝗻𝗮𝘁𝗲 𝗲𝘃𝗲𝗿𝘆𝘁𝗵𝗶𝗻𝗴 𝗜 𝗵𝗮𝘃𝗲 𝗶𝗻 𝗿𝗲𝗹𝗮𝘁𝗶𝗼𝗻 𝘁𝗼 𝘆𝗼𝘂. 𝗬𝗼𝘂 𝗺𝗮𝘆 𝘃𝗲𝗿𝘆 𝘄𝗲𝗹𝗹 𝗰𝗮𝗿𝗿𝘆 𝗼𝗻 𝗹𝗶𝘃𝗶𝗻𝗴 𝘆𝗼𝘂𝗿 𝗻𝗼𝗿𝗺𝗮𝗹 𝗱𝗮𝘆 𝘁𝗼 𝗱𝗮𝘆 𝗹𝗶𝗳𝗲 𝘄𝗶𝘁𝗵 𝗮𝗯𝘀𝗼𝗹𝘂𝘁𝗲𝗹𝘆 𝗻𝗼 𝘀𝘁𝗿𝗲𝘀𝘀. 

𝗬𝗼𝘂 𝗵𝗮𝘃𝗲 𝟮𝟰 𝗵𝗼𝘂𝗿𝘀 𝗶𝗻 𝗼𝗿𝗱𝗲𝗿 𝘁𝗼 𝗱𝗼 𝘀𝗼. 𝗬𝗼𝘂𝗿 𝘁𝗶𝗺𝗲 𝘀𝘁𝗮𝗿𝘁𝘀 𝗼𝗳𝗳 𝗮𝘀 𝘀𝗼𝗼𝗻 𝘆𝗼𝘂 𝗿𝗲𝗮𝗱 𝘁𝗵𝗿𝗼𝘂𝗴𝗵 𝘁𝗵𝗶𝘀 𝗺𝗮𝗶𝗹. 𝗜 𝗵𝗮𝘃𝗲 𝗮𝗻 𝘂𝗻𝗶𝗾𝘂𝗲 𝗽𝗿𝗼𝗴𝗿𝗮𝗺 𝗰𝗼𝗱𝗲 𝘁𝗵𝗮𝘁 𝘄𝗶𝗹𝗹 𝗶𝗻𝗳𝗼𝗿𝗺 𝗺𝗲 𝗼𝗻𝗰𝗲 𝘆𝗼𝘂 𝘀𝗲𝗲 𝘁𝗵𝗶𝘀 𝗲-𝗺𝗮𝗶𝗹 𝘀𝗼 𝗱𝗼 𝗻𝗼𝘁 𝗮𝘁𝘁𝗲𝗺𝗽𝘁 𝘁𝗼 𝗮𝗰𝘁 𝘀𝗺𝗮𝗿𝘁.

What caught my eye in the first place is the last sentence: “I have an unique program code that will inform me once you see this e-mail.” It is technically possible to include an invisible picture, or a pixel, that tracks exactly this. The picture is hosted on their server under a unique address, such as image.jpg?id=sfd786. The additional id parameter at the end does not change the image, but the request itself is logged by their server. If they send a unique id to everyone, they can tell who has viewed the mail based on who loaded the picture. This is why some email clients block external images in suspicious emails.

It turns out… no, there are no HTML elements in the email. Nothing that can phone home. (Unless it’s the spyware that they claimed to have installed?) What’s interesting is that the text is not made of normal Latin characters either. To achieve bold text without HTML <b> tags, they are using Unicode Mathematical Sans-serif Bold characters 𝗔-𝗭 and 𝗮-𝘇.

                 A          Z          a          z
  Latin          0x41       0x5A       0x61       0x7A
  Math (bold)    0x1D5D4    0x1D5ED    0x1D5EE    0x1D607

A comparison between Unicode “normal” Latin characters and “bold” Math characters.
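The check I did by hand above (is there an HTML part, and does it reference anything that could phone home?) is easy to automate. The Python below is an added example, not code from the original post: it parses a raw message, walks its MIME parts, and lists every external image whose URL carries a query string, which is what a per-recipient tracking pixel looks like. The two sample messages, and the example.invalid domains inside them, are constructed for the demonstration.

```python
"""Added example (not from the original post): find tracking-pixel style
images in a raw RFC 822 message. A remote <img> whose URL carries a unique
id is the 'I will know when you open this' trick; a plain-text mail with no
HTML part cannot phone home this way."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML part."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_tracking_pixels(raw_message: bytes):
    """Return the external image URLs (http/https with a query string)
    found in the HTML parts of raw_message. An empty list means the
    message has no image that could report back when it is opened."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for src in collector.srcs:
            url = urlparse(src)
            # Only remotely hosted images can log a request; cid: attachments
            # and data: URIs never leave the mail.
            if url.scheme not in ("http", "https"):
                continue
            if parse_qs(url.query):
                hits.append(src)
    return hits


# Constructed sample: a multipart mail whose HTML part carries a 1x1 remote
# image with an id parameter (the tracking pixel) and a harmless inline logo.
SAMPLE_HTML_MAIL = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<img src="https://tracker.example.invalid/image.jpg?id=sfd786" width="1" height="1">
<img src="cid:logo123">
</body></html>
--b1--
"""

# Constructed sample: plain text only, like the first scam mail.
SAMPLE_TEXT_MAIL = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: test
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

I have a unique program code that will inform me once you see this e-mail.
"""

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE_HTML_MAIL))  # the tracker URL
    print(find_tracking_pixels(SAMPLE_TEXT_MAIL))  # []
```

Blocking remote images in the mail client, as the paragraph above notes, defeats the pixel regardless of what this check finds; the check is useful for triaging a mailbox after the fact.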
  2. From: [email protected]
    Date: April 9, 2020
    Type: Sextortion Scam
    Ransom: $2000
    Bitcoin Address: bc1q6xe5t5c3laphayt0zhs48cl2vj7zqvuasxtp0g
Your ραsswοrd ιs <redacted password>. I kηοw α loτ mοre thηgs about yοu τhαη τhat. 

Hοw? 

I plαced a malwαre οη τhe ρorη website αηd guess what, yοu νisiτed thιs web sιτe to hανe fuη (you κηow whαt Ι meαn). Whιle you were waτching the νιdeo, yοur web browser αcted αs an RDP (Remote Desktoρ) αηd α κeylοgger, whιch ρroided me access tο yοur display screen aηd webcam. Rιghτ afτer τhat, my sofτware gατhered αll yοur cοηταcts frοm yοur Messenger, Facebοok accοunt, αnd emαil accοuητ. 

Whαt exactly dιd I dο? 

Ι made α splιt-screen νιdeο. The firsτ ρarτ recorded the νιdeo you were vιewιng (you'e gοτ αn exceptiοnal ταsτe hαha), αηd τhe next pαrτ recorded your webcam (Yep! t's you \ doιηg ηasty τhings!). 

What shοuld you dο? 

Well, Ι believe, $2000 ιs α fαιr price fοr οur lιττle secret. You'll make τhe ρaymeηt νια βιtcοin το the below address (ιf yοu dοn't know this, seαrch "how το buy Βιtcoιη" in Google). 

Βιτcoιη Address: 
bc1q6xe5t5c3laphayt0zhs48cl2vj7zqvuasxtp0g 
(It is cAsE seηsiτιve, so cορy and ρasτe iτ) 

Ιmporτaηt: 

Yοu have 24 hours τo mαke τhe ραymeητ. (I hαve α unique pixel wιτhιn τhis email message, αηd right now I kηow thατ you hαve reαd thιs emaιl). Ιf Ι doη't get the ραymeηt, I will send your νιdeο το all οf yοur conταcts, ιηcludιng relaτives, cοwοrκers, αnd so fοrth. Nοnetheless, ιf Ι do geτ ραid, I wιll erαse the vιdeο ιmmediαtely. Ιf yοu wαnτ evιdence, reρly with "Yes!" αηd I wιll send yοur νideο recοrdιηg to yοur fιve frιeηds. Thιs is a ηon-ηegοτιable οffer, sο dοn'τ wαsτe my τime αnd yοurs by replyιηg τo thιs emαil. 

Sisile Hadi

This email was designed to be fun and cryptic, with Greek lookalike letters used throughout. Funnily, it also mentions a tracking pixel (but there was none to be found).
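Both obfuscation tricks seen so far, the bold Math letters of the first mail and the Greek lookalikes of the second, exist to get past keyword filters while staying readable to a human. As an added example (not code from the original post), the Python below folds them back: Unicode NFKC normalisation maps the Mathematical Sans-serif Bold range (0x1D5D4 to 0x1D607) to plain Latin, and a small confusables table, which is my own assumption built from the letters in the quoted mail rather than the full Unicode confusables list, handles the Greek substitutions. A ratio of letters that change under folding gives a cheap obfuscation score.

```python
"""Added example (not from the original post): fold bold-math letters and
Greek lookalikes back to plain Latin and score how much of a text was
obfuscated that way."""
import unicodedata

# Greek letters that the second mail substitutes for Latin ones. Built from
# the quoted text only; a production filter would use the Unicode
# confusables data file instead of this hand-written table.
GREEK_CONFUSABLES = str.maketrans({
    "α": "a", "ο": "o", "ρ": "p", "η": "n", "τ": "t", "ι": "i",
    "κ": "k", "ν": "v", "Ι": "I", "Β": "B", "β": "B",
})


def fold_homoglyphs(text: str) -> str:
    """Return text with Mathematical Sans-serif Bold letters (via NFKC) and
    Greek lookalikes (via the table) replaced by plain Latin letters."""
    return unicodedata.normalize("NFKC", text).translate(GREEK_CONFUSABLES)


def obfuscation_ratio(text: str) -> float:
    """Fraction of alphabetic characters that change under folding.
    Ordinary English is 0.0; the quoted scam mails score far higher."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    changed = sum(1 for c in letters if fold_homoglyphs(c) != c)
    return changed / len(letters)


def looks_obfuscated(text: str, threshold: float = 0.2) -> bool:
    """Flag text in which a noticeable share of letters are lookalikes.
    The 0.2 threshold is an assumption; tune it on your own mail."""
    return obfuscation_ratio(text) >= threshold


if __name__ == "__main__":
    bold = "𝗜 𝗮𝗺 𝗮𝘄𝗮𝗿𝗲, 𝗶𝘀 𝘆𝗼𝘂𝗿 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱."
    greek = "Your ραsswοrd ιs. I kηοw α loτ mοre."
    print(fold_homoglyphs(bold))    # I am aware, is your password.
    print(fold_homoglyphs(greek))   # Your password is. I know a lot more.
    print(looks_obfuscated(bold), looks_obfuscated("Hello, this is normal."))
```

NFKC alone is enough for the first mail because the Math letters carry a compatibility decomposition to their Latin base; the Greek letters do not, which is why a confusables mapping is needed for the second.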

  3. From: <my own email address>
    Date: June 12, 2018
    Type: Sextortion Scam
    Ransom: $911
    Bitcoin Address: 1EFBBqVxZ4H71TJXJDD7KNPpWMs35kTdVw
Hello, 

I am a spyware software developer. Your account has been hacked by me in the summer of 2018. 

I understand that it is hard to believe, but here is my evidence (I sent you this email from your account). 

The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296). 

I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. 

Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you. 

At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit. 

I note that it is useless to change the passwords. My malware update passwords from your accounts every times. 

I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :) 

I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality! 

So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts. 

Transfer $911 to my Bitcoin cryptocurrency wallet: 1EFBBqVxZ4H71TJXJDD7KNPpWMs35kTdVw Just copy and paste the wallet number when transferring. If you do not know how to do this - ask Google. 

My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system. Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it. 

Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material. 

I advise you to remain prudent and not engage in nonsense (all files on my server). 

Good luck!

This is interesting because the ‘hacker’ mentions a CVE for credibility. Normal users are going to freak out at all the technical terms being thrown at them. However, a quick online search reveals that the NIST website [3] describes CVE-2018-0296 as a vulnerability that results in Denial-of-Service attacks and leakage of system information, not arbitrary code execution, for example. Still, this cover story may be particularly effective, as Cisco happens to be the most popular router brand with over 50% market share [4][5].

Additionally, people get confused when the email’s sender appears to be their own address. Email address spoofing is a typical technique in a spammer’s arsenal, and they can choose any sender address they like. Let’s dive into email address spoofing a little more.

Email Address Spoofing and Sender Policy Framework

Email is a very old technology and was designed when security and privacy were not the primary concern. Email protocols do not verify the legitimacy of sender addresses, which means you can send an email from any address. There have been many extensions to improve security, one of which is the Sender Policy Framework (SPF), formerly known as Sender Permitted From. Basically, the receiving server checks whether the IP from which the mail is sent matches what the administrators of the sender’s domain have authorised in DNS, and decides whether to reject the email or flag it as spam.

While it is also possible to spoof the originating IP address of the mail, that is more technical, and scammers usually go for lower-hanging fruit. Case in point: bad English in mails is usually a big red flag, but only those who are gullible will respond anyway.
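To make the SPF check concrete, here is an added example (not code from the original post) of the core of the evaluation: the connecting IP is matched against the ip4:/ip6: mechanisms of the domain’s record, and if nothing matches, the qualifier on the trailing all decides the verdict. The record below is constructed for the demonstration and is not yahoo.jp’s real policy; include:, a, mx and redirect= require DNS lookups and are deliberately left out.

```python
"""Added example (not from the original post): a minimal SPF evaluator for
ip4:/ip6: mechanisms and the 'all' qualifier. Real resolvers also follow
include:, a, mx and redirect=, which need DNS and are not modelled here."""
import ipaddress

# SPF qualifier prefixes and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral for client_ip under record,
    or 'none' when the record is not a usable v=spf1 policy."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 (or /128) network.
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]     # 'all' matches every client
        # include:/a/mx/redirect= would need DNS and are skipped here
    return "neutral"                         # no mechanism matched


# Constructed policy (not a real domain's record): two permitted ranges and
# a '~all' tail, the kind of policy that yields the softfail seen in the
# header later in the post.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 ~all"

if __name__ == "__main__":
    print(evaluate_spf(EXAMPLE_RECORD, "203.0.113.7"))      # pass
    print(evaluate_spf(EXAMPLE_RECORD, "197.231.196.63"))   # softfail
    print(evaluate_spf("v=spf1 ip4:203.0.113.0/24 -all", "197.231.196.63"))  # fail
```

The difference between ~all and -all is the whole difference between a message being marked suspicious and being rejected outright, which is why the verdict a receiving server reports is softfail rather than fail for many domains.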

Header of the Spyware Developer Email

Let’s take a look at the header of the third email (new lines added for legibility).

 Authentication-Results: spf=softfail (sender IP is 197.231.196.63)
 smtp.mailfrom=yahoo.jp; <redacted domain>; dkim=none (message not
 signed) header.d=none;<redacted domain>; dmarc=none action=none
 header.from=<redacted domain>;

 Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 yahoo.jp discourages use of 197.231.196.63 as permitted sender)

 Received: from yahoo.jp (197.231.196.63) by
 PU1APC01FT019.mail.protection.outlook.com (10.152.252.222) with Microsoft
 SMTP Server id 15.20.1404.13 via Frontend Transport; Wed, 5 Dec 2018 18:57:22
 +0000

 Received: from unknown (183.139.235.172)
 by mail.gimmicc.net with ESMTP; Wed, 05 Dec 2018 13:57:15 -0500

 Received: from unknown (HELO mtu23.bigping.com) (Wed, 05 Dec 2018 13:41:32 -0500)
 by smtp.doneohx.com with ASMTP; Wed, 05 Dec 2018 13:41:32 -0500

 Received: from unknown (121.204.238.71)
 by mail.naihautsui.co.kr with NNFMP; Wed, 05 Dec 2018 13:29:21 -0500

 Received: from smtp18.yenddx.com ([Wed, 05 Dec 2018 13:21:20 -0500])
 by qnx.mdrost.com with LOCAL; Wed, 05 Dec 2018 13:21:20 -0500

 Received: from relay37.vosimerkam.net ([Wed, 05 Dec 2018 13:15:40 -0500])
 by rsmail.alkoholic.net with ESMTP; Wed, 05 Dec 2018 13:15:40 -0500

 Message-ID: <[email protected]>
 Date: Wed, 5 Dec 2018 13:15:40 -0500
 Reply-To: <redacted: my name> <[email protected]>
 From: <redacted: my email address>
 X-Accept-Language: en-us
 MIME-Version: 1.0
 To: <redacted: my email address>
 Subject: <redacted: my email username>
 Content-Type: text/html; charset="us-ascii"
 Content-Transfer-Encoding: base64
 Return-Path: [email protected]

We always want to start right from the bottom of the headers, because mail servers prepend their information to the top as the mail bounces around, so the headers essentially act as a trace of where the mail has been. The bottom-most part describes the email itself, and this part can be completely spoofed. We see that the Reply-To is set to [email protected]; this is likely the spammer’s burner address. What’s also interesting is the timezone provided (UTC-5). This can obviously be faked easily, but could reveal some information if the spammer forgot to change it.

Going up, we see several Received: lines. These are added automatically by servers and are generally more reliable and harder to spoof, since a relay can only forge the lines below its own. We see that the originating server 🇺🇸 is relay37.vosimerkam.net, about which a quick online search turns up a lot of spam-related complaints. The mail then passes through several countries including the Netherlands 🇳🇱, China 🇨🇳, and South Africa 🇿🇦. (I am not sure why it bounces off so many servers. It could be that they have many more proxies and are simply rotating IP addresses.)

Finally, the giant red flag is the IP address that is associated with yahoo.jp. The top-level country code .jp definitely belongs to Japan, but the IP address is from South Africa. We also see that the SPF check by my mail server returned “softfail,” stating that the domain yahoo.jp does not list 197.231.196.63 in its SPF records as a permitted sender. Softfail means the domain’s policy says the sending host is probably not permitted but stops short of demanding rejection, so the receiving server does not want to be too aggressive and marks the message rather than bouncing it.
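The bottom-up reading above can be automated. As an added example (not code from the original post), the Python below takes the header block as transcribed from the post, with the redacted values replaced by placeholders such as redacted.example, lists the Received: hops oldest-first with the claimed sending host, the IP the relay recorded (when it did) and the receiving server, and pulls the SPF verdict out of Authentication-Results. Only the ordering of hops is trustworthy: hostnames and timestamps written by the spammer’s own relays are just claims.

```python
"""Added example (not from the original post): walk the Received: chain of a
message oldest-first and extract the SPF verdict, as a defender reading the
headers would. Relays prepend Received: headers, so the last one in the
message is the first hop and the top one is final delivery."""
import email
import re

# Dotted-quad IPv4 literal inside a Received: comment such as "(197.231.196.63)".
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host> (<comment>) ... by <host>"; re.S lets '.' span folded lines.
FROM_BY = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)


def received_hops(raw_headers: str):
    """Return hops oldest-first as dicts with keys from, ip and by."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = FROM_BY.search(value)
        if not m:
            continue                       # malformed or unusual syntax
        sender, comment, receiver = m.group(1), m.group(2) or "", m.group(3)
        ip = IPV4.search(comment)
        hops.append({"from": sender,
                     "ip": ip.group(1) if ip else None,
                     "by": receiver})
    return hops


def spf_result(raw_headers: str):
    """Return (result, sender_ip) from Authentication-Results, or (None, None)."""
    msg = email.message_from_string(raw_headers)
    value = msg.get("Authentication-Results")
    if not value:
        return None, None
    m = re.search(r"spf=(\w+)\s*\(sender IP is ([0-9.]+)\)", value)
    return (m.group(1), m.group(2)) if m else (None, None)


# Header block transcribed from the post; redacted fields are placeholders.
SCAM_HEADERS = """\
Authentication-Results: spf=softfail (sender IP is 197.231.196.63)
 smtp.mailfrom=yahoo.jp; redacted.example; dkim=none (message not
 signed) header.d=none;redacted.example; dmarc=none action=none
 header.from=redacted.example;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 yahoo.jp discourages use of 197.231.196.63 as permitted sender)
Received: from yahoo.jp (197.231.196.63) by
 PU1APC01FT019.mail.protection.outlook.com (10.152.252.222) with Microsoft
 SMTP Server id 15.20.1404.13 via Frontend Transport; Wed, 5 Dec 2018 18:57:22
 +0000
Received: from unknown (183.139.235.172)
 by mail.gimmicc.net with ESMTP; Wed, 05 Dec 2018 13:57:15 -0500
Received: from unknown (HELO mtu23.bigping.com) (Wed, 05 Dec 2018 13:41:32 -0500)
 by smtp.doneohx.com with ASMTP; Wed, 05 Dec 2018 13:41:32 -0500
Received: from unknown (121.204.238.71)
 by mail.naihautsui.co.kr with NNFMP; Wed, 05 Dec 2018 13:29:21 -0500
Received: from smtp18.yenddx.com ([Wed, 05 Dec 2018 13:21:20 -0500])
 by qnx.mdrost.com with LOCAL; Wed, 05 Dec 2018 13:21:20 -0500
Received: from relay37.vosimerkam.net ([Wed, 05 Dec 2018 13:15:40 -0500])
 by rsmail.alkoholic.net with ESMTP; Wed, 05 Dec 2018 13:15:40 -0500
Date: Wed, 5 Dec 2018 13:15:40 -0500
From: victim@redacted.example
To: victim@redacted.example
Subject: redacted

"""

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SCAM_HEADERS), 1):
        print(f"hop {n}: from {hop['from']} ({hop['ip']}) by {hop['by']}")
    print(spf_result(SCAM_HEADERS))        # ('softfail', '197.231.196.63')
```

The last hop is the one your own mail server wrote and is the only one you can fully trust; it is also the one carrying the SPF evidence (the 197.231.196.63 address claiming to be yahoo.jp) that gives the game away.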

Closing Thoughts

Two of the emails are a direct result of a website breach, and the direct proof is the compromised password shown in the email. Apart from blaming the website for not practising secure password storage (i.e. salting and hashing), we should ourselves not reuse passwords across multiple sites and services.

The worst that could possibly happen is a compromised email account. For a lot of services, the email address is the primary way of identifying users. Imagine the password to your email account [email protected] being 123456 (which, fun fact, has been the most common password for 7 consecutive years [6]). You then sign up to badsecurity.com with your email address and the same password. Guess what: if this site suffers a data breach, malicious actors will have direct access to your Gmail. They can start by changing your Gmail password. Then they change all the passwords of the other services that you use. You are effectively locked out of your entire digital life.

The other most effective strategy, and one that gives you peace of mind, is to physically tape or cover up the webcam. Software solutions exist where your permission is explicitly required before the webcam can be turned on, but this really is just a cat-and-mouse game. Malware can always find a way to bypass these soft methods (your webcam can even be turned on without the LED [7]), so to be absolutely sure that you aren’t being spied on, put a piece of tape or a privacy slider over that webcam.

Next, shall we think about microphones secretly listening in?

References

  1. https://www.digitaltrends.com/web/why-junk-email-is-spam/
  2. https://pubs.aeaweb.org/doi/pdfplus/10.1257/jep.26.3.87
  3. https://nvd.nist.gov/vuln/detail/CVE-2018-0296
  4. https://www.sdxcentral.com/articles/news/cisco-continues-to-dominate-the-switch-router-markets/2019/03/
  5. https://www.srgresearch.com/articles/switch-router-revenues-set-new-record-cisco-market-share-still-over-50
  6. https://web.archive.org/web/20200317232900/https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
  7. https://www.washingtonpost.com/news/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/
