Freemors Blog

Musings of an East Coast Techie

P.S.A. Re: Sextortion Scam

2019-01-31 by Freemor

This is just a quick posting to alert those that read my blog that sextortion spammers have changed tactics.

They still claim that they hacked your life but are now claiming to have done so by breaking into an email account. As proof they offer the fact that the "From:" header shows the e-mail as coming from your account.

The important thing to know is that the "From:" header is completely and trivially spoofable. Anyone can send an e-mail with anything they want in the From: line.

Do Not Fall For this.

Here is the raw version (the message source, with all the headers shown) of one of these spams that hit my mailbox.

From freemor@freemor.ca Sat Oct 13 06:05:01 2018
Return-Path: freemor@freemor.ca
X-Original-To: freemor@freemor.ca
Delivered-To: freemor@freemor.ca
Received: from 213-174-110.netrunf.cytanet.com.cy (213-174-110.netrunf.cytanet.com.cy [213.149.174.110])
    by server (Postfix) with ESMTP id 4127571C
    for freemor@freemor.ca; Sat, 13 Oct 2018 06:05:01 -0300 (ADT)
Message-ID: <5F7026344D09625F7026344D09625F70@PSFB91RPS>
From: freemor@freemor.ca
To: freemor@freemor.ca
Subject: freemor@freemor.ca was hacked
Date: 13 Oct 2018 13:34:07 +0200
MIME-Version: 1.0
Content-Type: text/plain;
    charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109
Status: RO

Hello freemor@

My nickname in darknet is sauveur16. I'll begin by saying that I hacked this mailbox (please look on 'from' in your header) more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited!

I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $500 is quite a fair price to destroy the dirt I created.

Send the above amount on my bitcoin wallet: 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it!

Since reading this letter you have 48 hours! After your reading this message, I'll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere! Good luck!

Even though both "From" lines say it came from me, there are several important facts to note.

The "Received:" line clearly shows that it actually came from 213-174-110.netrunf.cytanet.com.cy which is not my mail server. It is a computer in the Republic of Cyprus, Most certainly not where my mail server lives. And from the looks of the domain name probably from someone's home.

So let me say it again. The "From:" line in an email means Nothing. It is Trivial to spoof. Anyone with even a tiny bit of knowledge can send e-mails that claim to be from you, or Plato, or the Easter bunny. This type of sextortion scam is just trying to scare you into paying for no reason.
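To show how the "Received:" check described above can be automated, here is an added Python example (mine, not part of the original post). It embeds the relevant headers of the spam shown above as a constructed sample, pulls the originating host and IP out of the earliest "Received:" line, and flags that the host does not belong to the domain in the "From:" line.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the relevant headers of the spam shown above, with the
# Received: line folded across continuation lines as it was delivered.
RAW_MAIL = (
    "Return-Path: <freemor@freemor.ca>\n"
    "Received: from 213-174-110.netrunf.cytanet.com.cy"
    " (213-174-110.netrunf.cytanet.com.cy [213.149.174.110])\n"
    "\tby server (Postfix) with ESMTP id 4127571C\n"
    "\tfor <freemor@freemor.ca>; Sat, 13 Oct 2018 06:05:01 -0300 (ADT)\n"
    "From: freemor@freemor.ca\n"
    "To: freemor@freemor.ca\n"
    "Subject: freemor@freemor.ca was hacked\n"
    "\n"
    "(body omitted)\n"
)

# "from <helo-name> (<reverse-dns> [<ip>])" as Postfix writes it; the
# reverse-DNS part reads "unknown" when the IP has no PTR record.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)", re.I)


def origin_of(raw_mail: str) -> dict:
    """Compare the From: domain with the host that actually injected the mail."""
    msg = email.message_from_string(raw_mail)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = msg.get_all("Received") or []
    result = {"from_domain": from_domain, "origin_host": None,
              "origin_ip": None, "from_matches_origin": False}
    if not hops:
        return result  # no relay trace at all, so nothing corroborates From:
    # Each relay prepends its own Received: line, so the LAST one is the
    # earliest hop: the machine that really handed the message in.
    first_hop = " ".join(hops[-1].split())  # undo header folding
    m = HOP_RE.search(first_hop)
    if m is None:
        return result
    host = (m.group("rdns") or m.group("helo")).lower().rstrip(".")
    result["origin_host"] = host
    result["origin_ip"] = m.group("ip")
    # Weak but useful heuristic, the same one the post applies by eye: mail
    # that genuinely left freemor.ca should arrive from a freemor.ca host.
    result["from_matches_origin"] = (host == from_domain
                                     or host.endswith("." + from_domain))
    return result


if __name__ == "__main__":
    r = origin_of(RAW_MAIL)
    verdict = "consistent" if r["from_matches_origin"] else "From: is SPOOFED"
    print(f"From domain {r['from_domain']}, injected by {r['origin_host']} "
          f"[{r['origin_ip']}] -> {verdict}")
```

The host-name comparison mirrors the manual check in the post; at a receiving mail server, SPF, DKIM and DMARC are the mechanisms that let you make this decision automatically and reject such mail.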