Email Dumpster Diving

“Well the last time you went to see the porn material websites, my spyware ended up being activated inside your computer which ended up documenting a eye-catching video of your masturbation act simply by activating your web camera,” the letter reads. “I have got the whole recording. If perhaps you think I’m messing around, simply reply proof and I will be forwarding the particular recording randomly to 10 people you know.”

It’s the unthinkable for many, and unbearable for majority. What ended up as a 5 minutes bedroom fun has turned into a disaster. “You got a incredibly unusual taste by the way haha,” jeered the email. Wait, they couldn’t have possibly known what I clicked on… right? What did I click on..?

I recently realised that one of my very old email accounts from about 10 years ago is still working. Fancying a little nostalgia, I logged into the account –– to various spam mails. A blackmail letter caught my eye, so I thought I will dig deeper into it!

Where it all Started

Spam mails are named after the luncheon, which ostensibly comes from the shortened word ‘spiced ham’ or ‘shoulders of pork and ham’1. According to the paper “The Economics of Spam”2, spam mails can cost American firms about USD 20 billion annually. Spammers send out junk mails for all sorts of reasons, including to scam the readers and to separate them from their hard-earned cash.

My mailbox was setup in a way that spam mails are not automatically deleted. The scam mails started rolling in since March 2016 –– some good amount of time since I last used the mailbox. This signifies that my email address was somehow leaked and put on spam lists. A quick check on haveibeenpwned.com shows that my email address was part of a major data breach on 000webhost (a free web host that I used for experimenting web dev) and some unverified lists online. Since then, there has been 40 spam mails over the course of 4 years, which isn’t all that bad.

Breaches that my email address was part of.

There are only two breaches and so it is highly probable that the 2019 breach is just a repackaged version from the 000webhost data breach. Oh and by the way, steer clear of 000webhost. Apart from ridiculous support and random account deletions, they also stored passwords in plaintext! Even computer science graduates with zero experience knows to salt and hash passwords –– and only store the hashed passwords in a database. It’s hard to imagine what other poor security practices are in place.

Types of Spam Mails Received

This classification isn’t exhaustive, and is not meant to describe all the letters out there. With that said, the dubious mails I have received can be categorised according to the emotions / human weaknesses that they exploit:

  • Fear (Blackmails, Extortions)
  • Curiosity/Negligence (Phishing mails from social media sites, malware attachments)
  • Greed (Nigerian prince scams, lottery tickets, job offers)

We will solely focus on the first in this post.

BlackMails

I received a total of 3 blackmail letters.

  1. From: [email protected]
    Date: April 21, 2020
    Type: Sextortion Scam
    Ransom: $2000
    Bitcoin Address: 16Xh9X1FHwhdgfEaHBetVkbptCnofYDrHJ
? ?? ?????, <redacted password>, ?? ???? ????????. 

? ??????? ???? ???? ????????? ??? ??? ?? ?????? ?? ?????, ?? ? ???? ???? ???? ??? ???? ??? ???? ??? ?? ????? ??? ??? ???? ?? ???? ????????. 

???, ??? ???'? ???? ??. ??? ? ???? ?????????? ????????? ???. ???? ?? ??????? ????, ????? ???????? ????? ???? ??? ??? ?????? ???????? ?? ???? ???????? ???? ???????? ??? ????. 

??? ???? ????????, ???? ???? ???????? ?????, ????? ?????? ?? ?? ??? ??????? ?????? ??? ? ?? ???????? ???? ???????? ? ???? ?? ???. 

???? ??? ???? ???? ??? ???? ?? ??? ??? ???? ???????? ????????, ?? ??????? ????? ?? ????? ????????? ?????? ???? ???????? ????? ????? ?? ??????????? ? ???-???????? ????? ?? ???? ???????????? ??? ?????? ?? ?????????? ???? ??? ??????. 
(??? ??? ? ?????????? ??????? ????? ?? ??? ??? ????) 

? ???? ??? ??? ????? ?????????. ?? ??????? ??? ????? ? '? ??????? ??????, ?????? ????? ????? ??? ? ???? ?? ?????????? ??? ?????????? ????????? ???????? ?? ?? ?????? ??? ????. 

?? ????? ??? ?? ????? ???? ???????, ?? ???????, ????, ?????? ??? ?????? (? ???'? ????! ?? ?????? ???? ???????? ???? ??? ??????? ???????). 

???? ??? ?? ??????? ?? ???? ???? ??????'? ???? ????? ????? ??? ? ???????? ????... 

???, ?? ?????'? ???? ?? ?? ???? ?????. 

?'? ????? ?? ???? ??? ? ? ????, ??? ?????????? ?????. 

??? $ ???? ?? ??????? ??? ???? ?? ?? ??? ???? ????? ???????: 

16Xh9X1FHwhdgfEaHBetVkbptC*nofYDrHJ 
[????-?????????, ???? ??? ????? ??, ??? ?????? * ???? ??] 

(?? ??? ?? ??? ?????????? ???, ?????? ??? ?? ???????? ???????. ?? ??? ????? ?? ???????? ????) 

?? ??? ???? ??? ???? '????????' (??? ?? ???? ???? ?????). ????? ????, ? ???? ????????? ??? ????? ???? ???? ??????? ???? ??? ?????. ? ???? ????????? ?????????? ? ???? ?? ???????? ?? ???. ??? ??? ???? ???? ????? ?? ?????? ???? ?????? ??? ?? ??? ???? ???? ?????????? ?? ??????. 

??? ???? ?? ????? ?? ????? ?? ?? ??. ???? ???? ?????? ??? ?? ???? ??? ???? ??????? ???? ????. ? ???? ?? ?????? ??????? ???? ???? ???? ?????? ?? ???? ??? ??? ???? ?-???? ?? ?? ??? ??????? ?? ??? ?????.

What caught my eye in the first place is the last sentence –– “I have an unique program code what will inform me once you see this e-mail.” It is technically possible to include an invisible picture, or a pixel, that tracks exactly this. The picture can be hosted in their server with an unique address, such as image.jpg?id=sfd786. The additional id parameter at the end will not change the image, but the request itself will be logged by their server. If they send out unique ids to everyone, they can tell who has viewed the mails based on who loaded the picture. This is why some email clients block external images on suspicious emails.

It turns out… no, there are no HTML elements on the page. Nothing that can phone back home. (Unless it’s the spyware that they claimed to have been installed?) What’s interesting is that the text is not normal Latin characters either. To achieve a bold text without HTML <b> tags, they are using Unicode Mathematical Sans-serif Bold characters ?-??-?.

AZaz
Latin0x410x5A0x610x7A
????0x1D5D40x1D5ED0x1D5EE0x1D607
A comparison between Unicode “normal” Latin characters and “bold” Math characters.
  1. From: [email protected]
    Date: April 9, 2020
    Type: Sextortion Scam
    Ransom: $2000
    Bitcoin Address: bc1q6xe5t5c3laphayt0zhs48cl2vj7zqvuasxtp0g
Your ραsswοrd ιs <redacted password>. I kηοw α loτ mοre thηgs about yοu τhαη τhat. 

Hοw? 

I plαced a malwαre οη τhe ρorη website αηd guess what, yοu νisiτed thιs web sιτe to hανe fuη (you κηow whαt Ι meαn). Whιle you were waτching the νιdeo, yοur web browser αcted αs an RDP (Remote Desktoρ) αηd α κeylοgger, whιch ρroided me access tο yοur display screen aηd webcam. Rιghτ afτer τhat, my sofτware gατhered αll yοur cοηταcts frοm yοur Messenger, Facebοok accοunt, αnd emαil accοuητ. 

Whαt exactly dιd I dο? 

Ι made α splιt-screen νιdeο. The firsτ ρarτ recorded the νιdeo you were vιewιng (you'e gοτ αn exceptiοnal ταsτe hαha), αηd τhe next pαrτ recorded your webcam (Yep! t's you \ doιηg ηasty τhings!). 

What shοuld you dο? 

Well, Ι believe, $2000 ιs α fαιr price fοr οur lιττle secret. You'll make τhe ρaymeηt νια βιtcοin το the below address (ιf yοu dοn't know this, seαrch "how το buy Βιtcoιη" in Google). 

Βιτcoιη Address: 
bc1q6xe5t5c3laphayt0zhs48cl2vj7zqvuasxtp0g 
(It is cAsE seηsiτιve, so cορy and ρasτe iτ) 

Ιmporτaηt: 

Yοu have 24 hours τo mαke τhe ραymeητ. (I hαve α unique pixel wιτhιn τhis email message, αηd right now I kηow thατ you hαve reαd thιs emaιl). Ιf Ι doη't get the ραymeηt, I will send your νιdeο το all οf yοur conταcts, ιηcludιng relaτives, cοwοrκers, αnd so fοrth. Nοnetheless, ιf Ι do geτ ραid, I wιll erαse the vιdeο ιmmediαtely. Ιf yοu wαnτ evιdence, reρly with "Yes!" αηd I wιll send yοur νideο recοrdιηg to yοur fιve frιeηds. Thιs is a ηon-ηegοτιable οffer, sο dοn'τ wαsτe my τime αnd yοurs by replyιηg τo thιs emαil. 

Sisile Hadi

This email was decided to be fun and cryptic and Greek symbols are used throughout. Funnily it mentioned about a pixel (but it was no where to be found).

  1. From: <my own email address>
    Date: June 12, 2018
    Type: Sextortion Scam
    Ransom: $911
    Bitcoin Address: 1EFBBqVxZ4H71TJXJDD7KNPpWMs35kTdVw
Hello, 

I am a spyware software developer. Your account has been hacked by me in the summer of 2018. 

I understand that it is hard to believe, but here is my evidence (I sent you this email from your account). 

The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296). 

I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. 

Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you. 

At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit. 

I note that it is useless to change the passwords. My malware update passwords from your accounts every times. 

I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :) 

I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality! 

So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts. 

Transfer $911 to my Bitcoin cryptocurrency wallet: 1EFBBqVxZ4H71TJXJDD7KNPpWMs35kTdVw Just copy and paste the wallet number when transferring. If you do not know how to do this - ask Google. 

My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system. Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it. 

Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material. 

I advise you to remain prudent and not engage in nonsense (all files on my server). 

Good luck!

This is interesting because the ‘hacker’ mentioned a CVE for credibility. Normal users are going to freak out at all the technical terms being thrown on them. However, a quick online search reveals that NIST website3 describes CVE-2018-0296 as a vulnerability that results in Denial-of-Service attacks and leakage of system information –– not arbitrary code execution, for example. However, this cover story may be particularly effective as Cisco happens to be the most popular router brand with over 50% market share4 5.

Additionally, people get confused by the email having sender as their own address. Email address spoofing is a typical technique in a spammer’s arsenal, and they can choose any email address they like. Let’s dive into email address spoofing a little more.

Email Address Spoofing and Sender Policy Framework

Email is a very old technology and was designed when security and privacy is not the primary concern. Email protocols do not verify the legitimacy of sender addresses, which means you can send an email from any addresses. There have been many extensions to improve the security, one of which is the Sender Policy Framework (SPF), formerly known as Sender Permitted From. Basically, the receiving server checks whether the IP from which the mail is sent matches what is authorised by the administrators of the domain, and decides whether to reject the email or flag it as spam.

While it is also possible to spoof the originating IP address of the mail, it is more technical and scammers usually go for lower hanging fruits –– case in point, bad English in mails is usually a big red flag but only those who are gullible will respond.

Header of the Spyware Developer Email

Let’s take a look at the header of the third email (new lines added for legibility).

 Authentication-Results: spf=softfail (sender IP is 197.231.196.63)
 smtp.mailfrom=yahoo.jp; <redacted domain>; dkim=none (message not
 signed) header.d=none;<redacted domain>; dmarc=none action=none
 header.from=<redacted domain>;

 Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 yahoo.jp discourages use of 197.231.196.63 as permitted sender)

 Received: from yahoo.jp (197.231.196.63) by
 PU1APC01FT019.mail.protection.outlook.com (10.152.252.222) with Microsoft
 SMTP Server id 15.20.1404.13 via Frontend Transport; Wed, 5 Dec 2018 18:57:22
 +0000

 Received: from unknown (183.139.235.172)
 by mail.gimmicc.net with ESMTP; Wed, 05 Dec 2018 13:57:15 -0500

 Received: from unknown (HELO mtu23.bigping.com) (Wed, 05 Dec 2018 13:41:32 -0500)
 by smtp.doneohx.com with ASMTP; Wed, 05 Dec 2018 13:41:32 -0500

 Received: from unknown (121.204.238.71)
 by mail.naihautsui.co.kr with NNFMP; Wed, 05 Dec 2018 13:29:21 -0500

 Received: from smtp18.yenddx.com ([Wed, 05 Dec 2018 13:21:20 -0500])
 by qnx.mdrost.com with LOCAL; Wed, 05 Dec 2018 13:21:20 -0500

 Received: from relay37.vosimerkam.net ([Wed, 05 Dec 2018 13:15:40 -0500])
 by rsmail.alkoholic.net with ESMTP; Wed, 05 Dec 2018 13:15:40 -0500

 Message-ID: <[email protected]>
 Date: Wed, 5 Dec 2018 13:15:40 -0500
 Reply-To: <redacted: my name> <[email protected]>
 From: <redacted: my email address>
 X-Accept-Language: en-us
 MIME-Version: 1.0
 To: <redacted: my email address>
 Subject: <redacted: my email username>
 Content-Type: text/html; charset="us-ascii"
 Content-Transfer-Encoding: base64
 Return-Path: [email protected]

We always want to start right from the bottom of the headers, as mail servers add information to the top of the header as the mail bounces around, essentially acting as a trace of where the mail has been. The most bottom bit tells us about the email itself. This part can be completely spoofed. We see that the Reply-To is set to [email protected]. This is likely the spammers’ burner address. What’s also interesting is the timezone provided (UTC-5). This obviously can be easily faked but could reveal some information if the spammer forgot to change this.

Going up, we see several Received: lines. These are automatically added by servers and are generally more reliable and hard to spoof. We see that the originating server ?? is relay37.vosimerkam.net, which a quick online search will tell you there are a lot of spam-related complaints. Then it passes through several countries including Netherlands ??, China ??, and South Africa ??. (I am not sure why it bounces off so many servers. It could be that they have a lot more proxies and they are just rotating the IP addresses.)

Finally, the giant red flag is the IP address that is associated with yahoo.jp. The top level country code .jp definitely belongs to Japan but the IP address is from South Africa. We also see that the SPF check by my mail server has “softfail,” stating that the host yahoo.jp does not have the IP 197.231.196.63 in the SPF records. Softfail means the receiving server is not entirely sure if the mail failed the SPF test and it probably does not want to be too aggressive.

Closing Thoughts

Two of the emails are a direct result of the breach of a website, and the direct proof is the compromised password shown in the email. Apart from blaming the website for not practicing secure password storage (i.e. salting and hashing), we should ourselves not reuse passwords across multiple sites and services.

The worst that could possibly happen is a compromised email account. Emails for a lot of services are the primary way of identifying users. Imagine the password to your email account [email protected] being 123456 (which, fun fact, is the most common password for 7 consecutive years6). You then signed up to badsecurity.com with your email address and the same password. Guess what, if this site suffered a data breach, malicious actors will have direct access to your Gmail. They can start by changing your Gmail password. Then they change all the passwords of other services that you use. You are effectively locked out of your entire digital life.

The other most effective strategy that gives you a peace of mind is to physically tape or cover up the webcam. Software solutions exist where your permission is explicitly required before the webcam can be turned on, but this really is just a cat-and-mouse game. Malware can always find a way to bypass these soft methods (your webcam can even be turned on without the LED7), and so to be absolutely sure that you aren’t being spied on, put a tape or privacy slider over that webcam.

Next, shall we think about microphones secretly listening in?

References

  1. https://www.digitaltrends.com/web/why-junk-email-is-spam/
  2. https://pubs.aeaweb.org/doi/pdfplus/10.1257/jep.26.3.87
  3. https://nvd.nist.gov/vuln/detail/CVE-2018-0296
  4. https://www.sdxcentral.com/articles/news/cisco-continues-to-dominate-the-switch-router-markets/2019/03/
  5. https://www.srgresearch.com/articles/switch-router-revenues-set-new-record-cisco-market-share-still-over-50
  6. https://web.archive.org/web/20200317232900/https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
  7. https://www.washingtonpost.com/news/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/

Leave a Reply

Your email address will not be published. Required fields are marked *