Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘phish’ Category

Responding To Unsolicited Phish: A Guide for the Masses


Phishing attacks remain one of the most pernicious threats, lurking beneath the surface and waiting for unsuspecting users to take the bait. These threats have become more sophisticated over time, with attackers often using reputable platforms like Google to target users. One common method involves sending unsolicited emails containing PDF attachments designed to trick users into compromising their security. When such a phish comes knocking at the door of your Google account, it is crucial to respond coolly and clear-headedly to avoid a possible compromise of your systems, or a loss of money through the scams that follow if you engage with the sender.

With that in mind, here is an example of a phish I got today (one of 4 so far by the same actor, it seems) trying to get me to bite. What is interesting, though, is that something must have happened with Google, or they figured out a new way to bypass DKIM and the phishing filters to get these to me…

Here is the email…

Now, usually Google is pretty good about this stuff, but I am assuming that my email address has gotten out since I am on the job hunt: there are sites out there that leak your email address if you use it to register, or you put it in your resume and these people find it.

It could also just be from one of the zillions of data dumps lately, since everyone keeps getting PWN3D and losing our personal data, but that is a rant for another day.

Anyway, as you can see in the email, there are no real links, but that PDF kinda set me off. Who here remembers all those PDF malware days? Raise your hands….

So I downloaded the PDF and ran it through ANY.RUN because I was pretty sure it was bogus and would not have any of my real data in it, and I wanted to see if there were links in there or in fact malware that would spin up on opening.

The file had no malware and no bad-actor DNS or HTTP calls, so all good there, it seems. They added the PDF to make it look more legit, I guess….

Checking the headers got me very little; it was Google to Google, as they created a Gmail address for this.

Yep, not much there. I did some searches on the email address they created and on the name of the individual alleged in the email, but nothing turned up. Sometimes you can search and see other campaigns using the same names etc. in varying types of attacks. In this case, tabula rasa.

So yeah, in this case I immediately checked my PayPal account on another device using the app, saw nothing going on there, and then doubled back to do all this research. Now, not all of you out there may have had as much experience with these kinds of tools, or with phishing in general. So I thought I would generate a little primer on what to do so as to not get hooked and cleaned…. I mean, not everyone has a “Beekeeper” who will find these guys and burn down their operations..

*Gotta love Statham movies*

How to respond and investigate a phish like this:

Stay Calm and Steady

First and foremost, keep calm. Panic can lead to rash decisions, such as calling back numbers listed in the email or hastily clicking on suspicious links. Take a deep breath and prepare to assess the situation logically.

Do Not Engage

  • Avoid Interaction with the Attachment: Do not click on, download, or open the PDF file attached to the email. This is the bait, and engaging with it could initiate the download of malware onto your device.
  • Ignore Any Embedded Instructions: Phishing emails often come with urgent instructions, such as calling a specific number or clicking on a link to verify your account details. Do not follow these directives, as they are traps designed to extract personal information or infect your device with malware.

Verify the Source

If the email purports to be from Google or another service you use, do not use any contact information provided in the email. Instead, go directly to the official website by typing the URL into your browser and contact customer support through official channels to verify the communication’s authenticity.

Report and Delete

  • Report the Phishing Attempt: If you’re using a Google account, report the phishing attempt to Google. This helps improve their security algorithms and protect other users from similar threats.
  • Delete the Email: Once reported, delete the email from your inbox to prevent accidental interaction in the future.

Analyze Suspicious Files Safely

For those curious about the contents of the unsolicited PDF or concerned it may contain important information, there’s a safe way to check without risking your device’s security: using a virtual sandbox service like Any.Run. Here’s a primer on how to use such services:

  1. Choose a Virtual Sandbox Service: Any.Run is a popular choice, offering a controlled environment to run and analyze files and URLs to detect potential threats.
  2. Create an Account: Most virtual sandbox services require users to sign up. Create an account to access the service’s features.
  3. Upload the Suspicious File: Once logged in, look for an option to upload or submit a file for analysis. Select the PDF you received and start the analysis process.
  4. Review the Analysis: The sandbox will execute the file in a secure, isolated environment, tracking its behavior for any malicious activities, such as attempts to connect to external servers, download additional payloads, or execute malware. Review the analysis report to understand the nature of the file.
  5. Take Action Based on Findings: If the file is deemed malicious, you’ve successfully avoided a threat. If it’s harmless, you can decide how to proceed with the information contained within, now knowing it’s safe.

Stay Informed and Educated

Continuously educate yourself about the latest phishing techniques and cybersecurity best practices. Knowledge is power, especially when it comes to safeguarding your digital life against the ever-evolving threats posed by cybercriminals.

Encountering an unsolicited phish in your Google account can be unsettling, but with the right approach, you can navigate these dangerous waters safely. Remember to stay calm, avoid interaction with the suspicious elements, report and delete the phishing attempt, and use virtual sandboxes like Any.Run to analyze suspicious files safely. Stay vigilant, stay informed, and sail safely through the cyber seas.

Written by Krypt3ia

2024/02/20 at 16:11

Posted in Cyber, phish, Phishing, response

Extortion Phish: Your Password is XXXX


I started seeing a pivot on the extortion phish plots that I reported on a while back. The new iteration of these exploits starts off with the simple statement that the extortionist knows your password, and actually states it in the first sentence of the email. On average, the passwords that I have seen have been ones that the users actually do have in use at various places on the internet, and the users become very agitated and panicky when they get these emails. Thankfully, though, the majority in my environment have had training and report these to me, so I get to see them and work out who may be doing this.

I wanted to put this post out, though, to let others know about this pivot in the attack and the use of fear psychology to get a knee-jerk reaction out of the marks in hopes of getting them to cough up bitcoin. Of course, in these they want a large sum, upward of three thousand dollars, which makes me wonder whether they actually do have passwords, or access to passwords from a dump somewhere, or whether these guys are just brazen in their attempts.

SAMPLE 1

I will directly come to the point. I know that XXXX is your pass word. More importantly, I’m aware about your secret and I’ve proof of your secret. You do not know me personally and no one employed me to look into you.

It’s just your bad luck that I found your misadventures. Actually, I installed a malware on the adult video clips (porn) and you visited this web site to have fun (you know what I mean). When you were watching videos, your browser started functioning as a Rdp (Remote desktop) with a key logger which gave me accessibility to your display and webcam. Right after that, my software collected every one of your contacts from your messenger, social networks, and email.

Next, I put in more time than I probably should have into your life and made a double display video. 1st part displays the video you were watching and second part shows the recording from your web cam (its you doing inappropriate things).

Frankly, I am willing to forget about you and let you get on with your regular life. And my goal is to offer you two options that may make it happen. Those two choices either to ignore this letter, or simply pay me $2900. Let us explore those 2 options in details.

Option 1 is to ignore this email message. Let’s see what is going to happen if you opt this path. I will definitely send out your video recording to all of your contacts including relatives, colleagues, and so forth. It won’t help you avoid the humiliation your self will feel when relatives and buddies uncover your dirty details from me.

Option 2 is to make the payment of $2900. We will call it my “privacy charges”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will erase the recording immediately. You move on with your routine life as though nothing ever occurred.

At this point you must be thinking, “I’ll just go to the cops”. Without a doubt, I’ve covered my steps to ensure that this mail can’t be traced to me also it won’t stop the evidence from destroying your daily life. I’m not looking to dig a hole in your pocket. I am just looking to get paid for the time I placed into investigating you. Let’s assume you have decided to create pretty much everything vanish entirely and pay me the confidentiality fee. You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoins” in search engine)

Required Amount: $2900
Receiving Bitcoin Address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ
(It’s cASe sensitive, so copy and paste it)

Tell nobody what you should be utilizing the Bitcoins for or they might not give it to you. The method to obtain bitcoin can take a few days so do not wait.
I’ve a specific pixel in this e mail, and at this moment I know that you’ve read through this email. You now have 2 days to make the payment. If I do not get the BitCoins, I will send your video to all your contacts including family members, co-workers, and so on. You better come up with an excuse for friends and family before they find out. However, if I receive the payment, I will erase the video immediately. It is a non-negotiable one time offer, thus please do not ruin my personal time & yours. Your time has started.

SAMPLE 2

I will directly come to the point. I’m aware XXXXX is your password. More importantly, I do know about your secret and I have proof of your secret. You don’t know me and no one hired me to investigate you.

It is just your bad luck that I found your blunder. In fact, I actually placed a malware on the adult videos (pornographic material) and you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser initiated operating as a Rdp (Remote control desktop) that has a keylogger which provided me accessibility to your display screen and also cam. Immediately after that, my software program obtained all your contacts from your messenger, facebook, and email.

After that I gave in much more time than I should’ve exploring into your life and generated a two screen video. First part shows the recording you had been viewing and second part shows the capture from your web camera (its you doing inappropriate things).

Frankly, I’m ready to forget about you and let you continue with your life. And I will present you two options which will accomplish this. The two option is to either ignore this letter, or perhaps pay me $3200. Let us explore above 2 options in more detail.

First Option is to ignore this e-mail. Let me tell you what is going to happen if you opt this path. I definitely will send out your video recording to your contacts including friends and family, co-workers, and so on. It doesn’t help you avoid the humiliation your household will must face when relatives and buddies find out your unpleasant videos from me.

Second Option is to make the payment of $3200. We will name it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will delete the recording immediately. You move on with your routine life as though nothing like this ever occurred.

Now you must be thinking, “I’ll just go to the cops”. Without a doubt, I have covered my steps to ensure this mail cannot be tracked returning to me and it will not stop the evidence from destroying your daily life. I am not trying to steal all your savings. I just want to be compensated for the time I placed into investigating you. Let’s hope you have decided to make all this go away and pay me the confidentiality fee. You’ll make the payment via Bitcoin (if you do not know how, type “how to buy bitcoins” in google)

Required Amount: $3200
Receiving Bitcoin Address: 1JE6Pxdb865yhxc92KfjypcaXHgdAJpdsZ
(It’s CASE sensitive, so copy and paste it carefully)

Tell no person what you should be sending the bitcoin for or they might not sell it to you. The procedure to have bitcoins will take a short time so do not delay.

I have a unique pixel within this e-mail, and now I know that you have read through this email. You have 24 hours in order to make the payment. If I don’t get the Bitcoin, I definitely will send out your video to all of your contacts including family members, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll erase the video immediately. It’s a non-negotiable offer, thus kindly don’t ruin my personal time & yours. The clock is ticking.

SAMPLE 3

Let’s get straight to the point. I am aware XXXXXXX is your password. More to the point, I am aware about your secret and I have proof of it. You don’t know me and no one paid me to investigate you.

It is just your misfortune that I came across your bad deeds. Let me tell you, I setup a malware on the adult vids (pornography) and you visited this site to have fun (you know what I mean). While you were watching video clips, your web browser started operating as a Rdp (Remote desktop) with a keylogger which gave me access to your display screen and also webcam. Right after that, my software gathered your entire contacts from your messenger, social networks, and mailbox.

Next, I gave in much more hours than I should have exploring into your life and made a two view video. 1st part shows the recording you were watching and next part shows the capture of your cam (its you doing inappropriate things).

Honestly, I want to forget all information about you and allow you to get on with your regular life. And my goal is to present you two options that may accomplish this. These two choices are with the idea to ignore this letter, or perhaps pay me $2900. Let us investigate above 2 options in details.

Option 1 is to ignore this message. You should know what is going to happen if you select this path. I will definately send out your video to all of your contacts including members of your family, coworkers, and so on. It won’t help you avoid the humiliation your household will ought to feel when friends and family find out your dirty details from me.

Second Option is to make the payment of $2900. We’ll call it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the recording immediately. You keep your life that none of this ever happened.

At this point you must be thinking, “I should go to the cops”. Let me tell you, I’ve taken steps to ensure this email message can’t be tracked time for me plus it will not prevent the evidence from destroying your daily life. I am not planning to steal all your savings. I am just looking to get paid for time I put into investigating you. Let’s assume you’ve decided to create all of this disappear completely and pay me my confidentiality fee. You’ll make the payment by Bitcoins (if you do not know how, type “how to buy bitcoins” in google)

Required Amount: $2900
Bitcoin Address to Send to: 169rDGiiDxTKknBYgLPDq4sCQJjKgejkni
(It is case sensitive, so copy and paste it)

Tell no one what you should be utilising the Bitcoins for or they possibly will not sell it to you. The process to have bitcoin usually takes a short time so do not put it off.

I’ve a specific pixel in this email message, and at this moment I know that you have read through this email. You now have 24 hours in order to make the payment. If I don’t get the Bitcoin, I will send out your video to your entire contacts including members of your family, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nevertheless, if I do get paid, I will erase the video immediately. It is a non-negotiable offer, so kindly don’t ruin my personal time and yours. The clock is ticking.

So as you can see from the samples, the extortionist is hoping that you visit porn sites and that your password was in fact some iteration of, if not literally, the password they provided as a bona fide. If in fact the passwords are correct, it made me wonder whether these were just good guesses on the part of the adversaries or whether they have access to a dump of some site common to all the users in question. I am currently carrying out an investigation as to that, but suffice to say that either method would work up to a point to get the fight-or-flight response of the end user going, right?

So, if the adversaries have access to a dump, I have to wonder what it is. In the case of some of the information I got from users, I used Have I Been Pwned and did not discover anything in there from old dumps. So, if there is a leak somewhere, it is likely on some hacker site where they are offering up these passwords, and these guys decided to use them in this clever way. By sending these emails through open SMTP relays and expecting no response, with no links at all and no malware, these phish get through every time, bypassing the protections of filters and using sites like outlook.com to bypass any SPF settings one might have. It’s a smart tactic by an adversary intent on getting that bitcoin, really.

Where the emails fail is the amount that they are looking for (nearly 3K), and this is where they tend to lose people, I think. Who’s got that kind of money as an office worker? So far the bitcoin wallets are all empty, and I suspect these guys are not going to be in the champagne room anytime soon on my users’ dime, but other places may be different. Having an awareness program and interfacing with your employees is key to fighting this and other phishing schemes, and in my case it seems to be working, with users either just deleting the emails or sending them in.

I just have to wonder now what the next iteration will be. Will these guys up the ante and present more hacked info? Maybe some sample clips of these alleged movies as bona fides?

Hmmmm…

K.


UPDATE:

It seems the gambit has worked on some people. One of the bitcoin accounts has over 4 grand in it today. A second has just over 3K.


UPDATE 2:

The phish are coming from the Microsoft domain space for SMTP servers, so this is why they are not seen as spoofed. The email addresses are random names and, according to searches I have performed, do not really exist. So, Microsoft needs to address where these are coming from and maybe seal up the SMTP relay hole they have.

Additionally, the random nature of the email addresses and the Outlook domain make it hard to track and block these in defenses that rely on heuristics like subject and sender names. This is a clever means of getting these to their targets by bypassing the controls in place, without a real remedy.
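Since these mails carry no links and no malware, arrive from Microsoft's SMTP space with random sender names, and so slip past filters keyed on sender, subject or URLs, the body content is what a defender is left with; all three samples share the same skeleton. As an added example (my code, not the author's), here is a body-only scorer keyed on those shared traits; the two test messages, the sender address and the Bitcoin address in them are constructed for the example, not indicators from the post.

```python
import re
from email import message_from_string

# Traits shared by all three samples: a "<X> is your password" opener, a legacy
# Bitcoin address, a dollar amount, a deadline, a pixel claim, RDP/keylogger/webcam claims.
PASSWORD_CLAIM_RE = re.compile(r"\b\S+ is your pass\s?word\b", re.I)
# Base58 alphabet (no 0, O, I, l); legacy P2PKH addresses start with "1".
BTC_ADDR_RE = re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b")
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")
DEADLINE_RE = re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I)
PIXEL_RE = re.compile(r"\bpixel\b", re.I)
SPYWARE_RE = re.compile(r"\b(?:key\s?logger|rdp|remote\s?desktop|web\s?cam)\b", re.I)
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)

WEIGHTS = {"password_claim": 3, "bitcoin_addresses": 3, "ransom_amounts_usd": 2,
           "deadline": 1, "tracking_pixel_claim": 1, "spyware_claims": 1}
THRESHOLD = 6  # the password claim plus a wallet address is enough on its own

def analyze(raw_email: str) -> dict:
    """Score the text/plain body for the extortion-phish traits; headers are ignored."""
    msg = message_from_string(raw_email)
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    found = {}
    if m := PASSWORD_CLAIM_RE.search(body):
        found["password_claim"] = m.group(0)
    if addrs := BTC_ADDR_RE.findall(body):
        found["bitcoin_addresses"] = addrs
    if amounts := AMOUNT_RE.findall(body):
        found["ransom_amounts_usd"] = [int(a.replace(",", "")) for a in amounts]
    if m := DEADLINE_RE.search(body):
        found["deadline"] = m.group(0)
    if PIXEL_RE.search(body):
        found["tracking_pixel_claim"] = True
    if claims := {c.lower() for c in SPYWARE_RE.findall(body)}:
        found["spyware_claims"] = sorted(claims)
    score = sum(WEIGHTS[k] for k in found)
    return {"indicators": found, "score": score,
            "has_links": bool(URL_RE.search(body)),  # the real samples carry none
            "is_extortion_phish": score >= THRESHOLD}

# Constructed test mail (not real messages): one modelled on SAMPLE 1, one benign notice.
SAMPLE_EXTORTION = """\
From: Random Name <randomsendername.constructed@outlook.com>

I will directly come to the point. I know that XXXX is your pass word.
Your browser started functioning as a Rdp with a key logger which gave me
access to your webcam. Required Amount: $2900
Receiving Bitcoin Address: 1ConstructedSampBtcAddrNotReaL123
I have a specific pixel in this email. You have 2 days to make the payment.
"""
SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@example.com>

Your network password will expire in 3 days.
Please sign in at https://portal.example.com to change it.
"""
if __name__ == "__main__":
    print(analyze(SAMPLE_EXTORTION), analyze(SAMPLE_BENIGN), sep="\n")
```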

I fully expect another iteration of this to come along where they add some content or some other key to get the targets to react quickly to their demands and send them bitcoin.

ALSO, it seems the passwords being cited in the extortion emails track back to the LinkedIn password dump of 2016. It may in fact be a melange of dumps, but since these are being targeted at corporate email accounts, it makes sense that the adversary is using this dump cleverly.

UPDATE 3:

If my stats are right, the adversaries have now made approximately $185,499.50 in bitcoin from these phishing emails. I am checking the wallets again to ensure I have the right ones in all cases, but one of them has transactions.

[Screenshot of the wallet transactions, 2018-07-18 11:57:07]


Written by Krypt3ia

2018/07/16 at 18:13

Posted in phish