Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

A sextortion e-mail from...IT support?!

Published: 2021-07-28
Last Updated: 2021-07-28 06:34:05 UTC
by Jan Kopriva (Version: 1)
1 comment(s)

E-mails claiming that their author has recorded the recipient through a webcam while they were "in flagrante delicto" enjoying a visit to some pornographic site, and will publish the recording unless the recipient pays them, have been with us for quite a while now. Over time, these messages haven’t changed much. It is no wonder – since the “hook” they use is fairly timeless and nearly universal in nature, the same messages can be effective for a long time without any substantial modifications.

One can, however, still find small, interesting additions or new approaches in some sextortion messages from time to time. A good example of this was a message that was delivered to our ISC mailbox a couple of weeks ago.

Although at first glance, the message does look like any other sextortion scam, a closer look shows that its author came up with an interesting spin on the usual ransom request.

In the text, the sender claims to work for an IT service company (strictly speaking, they claim to “word” for the company, but we can probably safely assume that that was a typo, and the scammer didn’t try to make the recipient believe that they were working as a wordsmith), which was engaged by recipient’s e-mail provider. This was supposed to give the sender access to the e-mail provider’s user database and – among other information – “online traffic” of individual users.

This then supposedly allowed them to create a list of people – including the recipient – who frequented pornographic websites. The creation of the list was then allegedly followed by infection of the recipient’s computer with spyware using a malicious e-mail link, after which the usual webcam recording was supposed to take place. The rest of the message is fairly generic, as you may judge for yourself…

 


Greetings!

I have got two not really pleasant news for you.
I have been monitoring your internet activities for some time by now.

The only person to blame in this situation is you, since you are a big fan of adult websites and also have got an uncontrollable desire to indulge yourself with another orgasm.
Simply speaking, all your porn websites search requests have become a key to access your device.
The thing is that I word in a company that provides services related to security and performance of email providers, including isc.sans.edu as well.

During the pandemic outbreak a lot of providers have faced difficulties in maintaining a huge number of staff in their offices and so they have decided to use outsourcing instead.
While working remotely from home, I have got unlimited abilities to access the user databases.

I can easily decrypt passwords of users, access their chat history and online traffic with help of cookie-files.
I have decided to analyse users traffic related to adult websites and adult content.
I was truly shocked to discover that nearly 75% of users regularly access porn websites or participates in sex chats.

I have filtered out the worst perverts from the list. Yeah, you are one of them. Not everyone chooses to watch such hardcore videos… Basically, I have infected your device with one of the best Trojan viruses in the market. It was relatively easy, since I have access to your email address (handlers@isc.sans.edu).
It was sufficient to prepare one of your routine emails asking you to click the harmful link…

My spyware functions as a driver. Hence, I can fully control your device and have access to your microphone, camera, cursor and set of symbols.
Generally speaking, your device is some sort of my remote PC.
Since this spyware is driver-based, then I can constantly update its signatures, so that no antivirus can detect it.
While digging through your hard drive, I have saved your entire contact list, social media access, chat history and media files.

One week ago, I have montaged a videoclip, which shows you masturbating on one side of the screen and on the other side a porn video that you were watching at that moment of time – recently this type of exotic stuff is really popular on the internet!
Don’t worry, I will need just a few mouse clicks in order to share this video with your entire contact list and upload it to some porn website, like Bigle.
I believe that you would not like this to happen, since a long holiday season is just about to start soon – just imagine the number of silly jokes and loud laughter that would get provoked by your video all over the neighbourhood bars and pubs…

I am offering a simple and reasonable solution:
All you need to do is transfer an amount equivalent to $1150 (USA Dollars) to my bitcoin wallet and we both forget about this silly story forever.
All your data and this video will be deleted by me once and for all. You have my honest word!
You’ve got to agree, this amount is really insignificant. Just imagine how much time and resources I have spent to get this done… If you don’t know how to operate the cryptocurrency – you can always search for assistance online. It is that simple.

Here is my bitcoin wallet (BTC): bc1qfnx5388zl4c4hpcdsjxj0tgcn2gd8pyrljg6s6

You have exactly 2 days (48 hours) from the moment of opening this email.
I can easily track when you have opened this email (my software will notify me about it). Once you complete the transaction – I will be able to see and confirm that.
Please, do not try replying me via this email – there is no point in that (as you can see the email is sent from your address).

Remember that there is no point to complain anywhere, since I cannot be found (Bitcoin system is anonymous and I am also using I2P network in order to access your device).
I have considered all the small details.
In case, if 48 hours after you have opened this email, I still don’t receive the required amount of money, then your videoclip will be automatically sent to all your contact list and uploaded to public websites.

Good luck and please don’t hate me too much!

This is life! You are merely out of luck this time.
Who knows, maybe next time you will get lucky at something else…


 

Although the “I work for an IT service provider who has access to your data at work and that’s how I’ve decide to target you” is certainly an interesting addition to the usual sextortion scam (and might, perhaps, be worth mentioning during a security awareness training), it doesn’t seem to have made this specific message more effective… At least going by the “0.00000000 BTC” that was received by the address mentioned in the message at the time of writing[1].

[1] https://www.blockchain.com/btc/address/bc1qfnx5388zl4c4hpcdsjxj0tgcn2gd8pyrljg6s6

-----------
Jan Kopriva
@jk0pr
Alef Nula

Keywords: Phishing Sextortion
1 comment(s)

Apple Patches for CVE-2021-30807

Published: 2021-07-27
Last Updated: 2021-07-28 03:50:02 UTC
by Yee Ching Tok (Version: 1)
0 comment(s)

Apple has released another update (previous update was only about 5 days ago) to address CVE-2021-30807 that was discovered by an anonymous researcher. This update resolves an issue with IOMobileFrameBuffer which could allow an application to execute arbitrary code with kernel privileges [1], [2]. This issue may have been actively exploited.

As Apple has indicated that this issue may have been actively exploited, it is recommended that affected devices be updated as soon as possible.

Update: Technical details for CVE-2021-30807 can be found here [3].

References:
[1] https://support.apple.com/en-us/HT212622
[2] https://support.apple.com/en-us/HT212623
[3] https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/

-----------
Yee Ching Tok, ISC Handler
Personal Site
Twitter

Keywords:
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Apple Patches for CVE-2021-30807
Jul 28th 2021
10 hours ago by Yee Ching (0 comments)

Failed Malspam: Recovering The Password
Jul 26th 2021
1 day ago by DidierStevens (0 comments)

Wireshark 3.4.7 Released
Jul 25th 2021
3 days ago by DidierStevens (0 comments)

Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability
Jul 24th 2021
3 days ago by Bojan (0 comments)

Agent.Tesla Dropped via a .daa Image and Talking to Telegram
Jul 24th 2021
4 days ago by Xme (0 comments)

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit (II)
Jul 23rd 2021
5 days ago by Yee Ching (0 comments)

Lost in the Cloud: Akamai DNS Outage
Jul 22nd 2021
5 days ago by Johannes (0 comments)

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

Dshield Sensor
created Jun 8th 2021
1 month ago by Rick (0 replies)

API port data
created Apr 25th 2021
3 months ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
3 months ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
4 months ago by bas.auer@auerplace.nl (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
5 months ago by astraea (0 replies)

View All Forums →

Latest News

Top Diaries

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
6 days ago by Johannes (0 comments)

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat
Jul 12th 2021
2 weeks ago by Johannes (0 comments)

DIY CD/DVD Destruction - Follow Up
Jul 4th 2021
3 weeks ago by DidierStevens (0 comments)

Maldocs: Protection Passwords
Feb 28th 2021
4 months ago by DidierStevens (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
2 years ago by Brad (0 comments)