Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Extortion Phishing: So, closer to the point. You surfed the internet with роrn, which I’ve placed with the virus…

with one comment

A series of extortion emails have gone out this last month that caught my eye. The phish are simple straight forward attempts at extorting users by claiming they had been hacked and watched surfing porn. The phishers then demand that the user pay a certain amount of bitcoins to them and all their trouble will go away. Basically it is the equivalent of the old “Say, that’s a nice family you have there, it’d be a shame if something happened to it” routine familiar to anyone who has seen a mafia movie. I had a user get one and so I began the usual looking around to see if more came in and what the deal was with it. Once I began Googling key words and phrases I saw that this had been making the rounds since at least August 14th and that this last round had actually made some money for the extortionists.

I then began the usual OSINT on the domain that the emails came from after collecting as much info as I could from Reddit and other places where people had mentioned the extortion attempts. What I came up with is an arcology of malware and phishing that seem to tie back to one individual in Ukraine who may be the nexus of it all. Before I go down the OSINT rabbit hole though, I just want to take a moment to consider this threat and the psychology of it. One might think that if you got this email you would just laugh it off and then trash it. Some people though had guilty minds or had in fact been surfing “the porn”, as we all do mind you, (come on you all do and you know it!) so they got worried and they actually paid this guy off to make it all go away and this is interesting to me. Do those who paid really think that an extortionist, once successful at getting them to pay them will just walk away after such an easy exploit?

*shakes head*

You fools…

Anywho, it seems that even a non exploit exploit of just threatening a user’s browsing habits with “I am gonna email all your contacts with your pron habits” is can work and potentially give the attacker some pin money at least. So I tracked the emails and the IP’s that these came from to Ukraine. Specifically to a subnet of systems owned by one guy: Roman Shurbarev.

From: return@aukcion.org

Received: from nat5.aukcion.org (nat5.aukcion.org [188.225.27.25])

As you can see there are porn like sites in there…

The domain owner of not only the domain in question that was set up as a mailer for these phish but also a string of other domains that he owns connected to other malware and phish sites and activities that include, wait for it… Wait… Ransomware! Yup, this guy has it all goin on! Now, when I started poking at the system that this all came from I ran an Nmap and the shit is tight, there were no open ports and the firewall as filtering everything so I kinda doubt that this guy has been popped and being used as a relay for these. So I went on to profile all his domains and got the following malware connections:

 

PICK A MALWARE! ANY MALWARE!

So yeah, this guy has many bad connections but not anything directly connected to his domains themselves that I could see, at least in the sense that they were hosting the malware or being used as a C2. Now though I would like to talk about the money. These poor fools who actually paid this scammer have netted him about .28794615 Bitcoins which is about 80516.75 Rubles or $1,375.29 dollars as of yesterday when I looked. The money has been moved around a lot from the series of wallets used in this extortion scheme:

156eSKJU22jHHUEr6zznqMiDyR1L7DFFPY
1FJND3abrT4TjwijUbfYPD8jogCFeSbL
1Pku8VSnjgZePRt8yLF3QWfUYMTAjhA3io
1DGgLh6xeDmasCBHaLEQXwJ7C9gEvpYvWr
12pRJwZfZKi3RZa2eFijVCjmjCbB1YcXXXrA
15YhkTnuTprtPDRsdxiE2y8sMqiSmLPx2g
17qDi9fFG8C7a4mmTBBjsV7QmUN9QUBScZ
1H6DRf3XvHYudc7g6RvCiMbunHHKpbjhD2
1Nu2hju7Bs4vkUw2xyqi4E3ktSgx2VJEJq
13HSMufjTvzGJKoHdSQsLiJbsPcQcVMf4K <— 7 transactions


 

 

 

It ain’t Wannacry money but it would buy some shit in Ukraine I guess. There has been some movement of money around so I am wondering if they are trying to mixmaster or what. I did not go down that rabbit hole so if you all want to go right ahead. As for me I thought that this post should be put out there for others to see the actor, the act, and maybe as a PSA to put a stop to it. So, here are the other variations on the theme. The emails all pretty much say the same thing with some variations on “I see you have been surfing porn because I infected your machine with porn!” and ask for the money;

So there you have it. You don’t have to be anyone special, you don’t have to be 1337 to scam people with an email…

Yay internet!

K.

Written by Krypt3ia

2017/09/01 at 11:51

Posted in Extortion, Phishing

One Response

Subscribe to comments with RSS.

  1. from Russia with love . . . got this today
    =======

    Good Morning my victim.

    I am from a group of hackers from Iran.I use your working email because I think that it will be checked.

    Few times ago our squad hacked web-site with porn and after you pressed on a play your device began recording your screen and turning on cam to capture you self-abusing.So I believe you recognize which data Ive got.In addition, this program started your device work as remote desktop with plenty of possibilities like keylogger,parser etc. Eventually, my software picked all information,particulary all your contacts from messengers,e-mails,social networks.

    To safe your reputation you have to pay 290 united states dollars using bitcoins (cryptocurrensy). 198o6BKTY4xhkuM9bQXDmn1ZbyMkkdzYQK

    You should copy and past it. If I receive this sum we will be silent.Use internet to understand how to buy bitcoins. I can offer you this exchanger: coinbase .com.If you have a problem with this, you can search the nearest ATM for bitcoin at coin atm radar.

    I give you only 1 day from the time you read our message to finish a transaction.Dont try to play with us we use anonymous bot system, also I do not live in your country.If you want proofs I can share everything to 7 your contacts after that you will be given their links. So you will ask them if they have received something or not.

    For some questions just reply.Good luck,AmAZinGcRackeR$.

    jimlongo663795547

    2018/01/31 at 16:44


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: