Extortion Phishing: So, closer to the point. You surfed the internet with роrn, which I’ve placed with the virus…
A series of extortion emails have gone out this last month that caught my eye. The phish are simple straight forward attempts at extorting users by claiming they had been hacked and watched surfing porn. The phishers then demand that the user pay a certain amount of bitcoins to them and all their trouble will go away. Basically it is the equivalent of the old “Say, that’s a nice family you have there, it’d be a shame if something happened to it” routine familiar to anyone who has seen a mafia movie. I had a user get one and so I began the usual looking around to see if more came in and what the deal was with it. Once I began Googling key words and phrases I saw that this had been making the rounds since at least August 14th and that this last round had actually made some money for the extortionists.
I then began the usual OSINT on the domain that the emails came from after collecting as much info as I could from Reddit and other places where people had mentioned the extortion attempts. What I came up with is an arcology of malware and phishing that seem to tie back to one individual in Ukraine who may be the nexus of it all. Before I go down the OSINT rabbit hole though, I just want to take a moment to consider this threat and the psychology of it. One might think that if you got this email you would just laugh it off and then trash it. Some people though had guilty minds or had in fact been surfing “the porn”, as we all do mind you, (come on you all do and you know it!) so they got worried and they actually paid this guy off to make it all go away and this is interesting to me. Do those who paid really think that an extortionist, once successful at getting them to pay them will just walk away after such an easy exploit?
*shakes head*
You fools…
Anywho, it seems that even a non exploit exploit of just threatening a user’s browsing habits with “I am gonna email all your contacts with your pron habits” is can work and potentially give the attacker some pin money at least. So I tracked the emails and the IP’s that these came from to Ukraine. Specifically to a subnet of systems owned by one guy: Roman Shurbarev.
From: return@aukcion.org
Received: from nat5.aukcion.org (nat5.aukcion.org [188.225.27.25])
As you can see there are porn like sites in there…
The domain owner of not only the domain in question that was set up as a mailer for these phish but also a string of other domains that he owns connected to other malware and phish sites and activities that include, wait for it… Wait… Ransomware! Yup, this guy has it all goin on! Now, when I started poking at the system that this all came from I ran an Nmap and the shit is tight, there were no open ports and the firewall as filtering everything so I kinda doubt that this guy has been popped and being used as a relay for these. So I went on to profile all his domains and got the following malware connections:
PICK A MALWARE! ANY MALWARE!
So yeah, this guy has many bad connections but not anything directly connected to his domains themselves that I could see, at least in the sense that they were hosting the malware or being used as a C2. Now though I would like to talk about the money. These poor fools who actually paid this scammer have netted him about .28794615 Bitcoins which is about 80516.75 Rubles or $1,375.29 dollars as of yesterday when I looked. The money has been moved around a lot from the series of wallets used in this extortion scheme:
156eSKJU22jHHUEr6zznqMiDyR1L7DFFPY
1FJND3abrT4TjwijUbfYPD8jogCFeSbL
1Pku8VSnjgZePRt8yLF3QWfUYMTAjhA3io
1DGgLh6xeDmasCBHaLEQXwJ7C9gEvpYvWr
12pRJwZfZKi3RZa2eFijVCjmjCbB1YcXXXrA
15YhkTnuTprtPDRsdxiE2y8sMqiSmLPx2g
17qDi9fFG8C7a4mmTBBjsV7QmUN9QUBScZ
1H6DRf3XvHYudc7g6RvCiMbunHHKpbjhD2
1Nu2hju7Bs4vkUw2xyqi4E3ktSgx2VJEJq
13HSMufjTvzGJKoHdSQsLiJbsPcQcVMf4K <— 7 transactions
It ain’t Wannacry money but it would buy some shit in Ukraine I guess. There has been some movement of money around so I am wondering if they are trying to mixmaster or what. I did not go down that rabbit hole so if you all want to go right ahead. As for me I thought that this post should be put out there for others to see the actor, the act, and maybe as a PSA to put a stop to it. So, here are the other variations on the theme. The emails all pretty much say the same thing with some variations on “I see you have been surfing porn because I infected your machine with porn!” and ask for the money;
So there you have it. You don’t have to be anyone special, you don’t have to be 1337 to scam people with an email…
Yay internet!
K.
Krypt3ia 
Leave a comment