An interesting email

I just received this email, it's obviously spam. However, what struck me was that this is by far the most interesting use of my details (from one of the many database leaks over the years) that I've seen. It has a password that was used on one of my accounts that got caught in the leak, and the body of the email is generic enough that it could apply to many.



The only thing I don't get about this, is how can you spoof a local email? Usually, you expand the details from [email protected] (or whatever it is) and you see a ridiculously foreign email address. How, in Outlook, do you make it so when you expand the details, it gives you your own contact and email information?

Really easily, as it happens: a few commands in telnet and you are away, and if as an organisation you have an open SMTP relay it's trivial. Mind you, although you can spoof quite a lot, generally you can't spoof it all; if you save the email and look at its envelope sender property you might actually see where it originated from. We have in the past created some seriously decent spoofs that we test our staff with where I work. We tested some of them in house and it's quite scary a) how easy it is to spoof email headers and b) how many people fall for these things. We don't do any of them in house anymore but we do construct campaigns in KnowB4 to spoof and phish test people.
 
Well, it has worked on a couple of people.

https://www.blockchain.com/btc/address/17zmnmqEUCesNz6UgXGbRk7fKnu8iq1q2J

that bitcoin wallet received 2 payments yesterday!

You would think that they only email a certain amount of addresses with one bitcoin wallet address and will change it fairly often so they are probably doing ok out of it.

I forgot to check the address, that's really sad that they're getting hits on it.

This reminds me of a friend that fell for one of these emails, he didn't have the money to pay it off, so instead opted to warn everyone on Facebook that some five-finger-shuffle videos were about to be leaked. Obviously they never got released.
 
The mechanism is quite easy. Emails contain a few headers that are hidden from end users; two of these are "mail-from" and "reply-to" (don't quote me on the specifics, it's from memory :))
Most mail clients display the reply-to address and this is the header they spoof. I'm guessing if you are able to view the full header you will see the originating domain address.

The domain-validation aspects of anti-spam mechanisms (SPF/DMARC) work against the "mail-from" address, so as long as this is valid (any random hosted solution will do) then it's less likely to get caught as spam and delivered to your inbox.

I'm quite impressed by this vector as they are using the leaked DBs of email/passwords, pairing it all up and spear phishing users on a mass scale; it's all automated. You have to wonder about the people behind these ideas, if they put this much effort into a legitimate line of business they would probably do ok out of it!

They're probably in a place where it's a lot more difficult to make as much money from a legitimate business. There are plenty of places where US$700 is a lot of money. Just a hundred people falling for the con could net them free money equivalent to a lifetime of average income. Besides, as you say, it's all automated. So they put the work in to set the con up but then it's all gravy, no work required. There aren't many (if any) legitimate businesses that can yield so much money from so little work.
 
You should absolutely not receive emails from a spoofed email address; decent email providers use SPF records, DMARC and DKIM to filter spam. The SPF record contains details of all the servers that are allowed to send emails from PayPal; since the email was not sent from a PayPal email server the SPF record check will fail and the email provider should block the email.

Basically your email provider is crap.
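The two posts above describe the same thing from different angles: the address a mail client displays (From:/Reply-To:) is free text the sender controls, while SPF is evaluated against the envelope sender (SMTP MAIL FROM, recorded as Return-Path) and DMARC then checks whether that or DKIM aligns with the displayed From domain. The following is an added example, not code from anyone in this thread; it parses a constructed sextortion-style message (the domains and the Authentication-Results line are made up) and lists the indicators a receiving server or analyst would flag.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message): the From: line is forged to the
# recipient's own address, while Return-Path and the receiving server's
# Authentication-Results header show where it really came from.
RAW_MAIL = """Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=victim.example
From: "David" <david@victim.example>
Reply-To: David <david@victim.example>
To: david@victim.example
Subject: I am aware xxxxxx is your pass
"""

def sender_identities(raw):
    """Domains of the displayed From:, the Reply-To: and the envelope sender
    (Return-Path, i.e. the SMTP MAIL FROM that SPF is checked against)."""
    msg = message_from_string(raw, policy=policy.default)

    def domain(header):
        addr = parseaddr(str(msg.get(header, "")))[1]
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    return {"from": domain("From"), "reply_to": domain("Reply-To"),
            "envelope": domain("Return-Path")}

def auth_results(raw):
    """Map each method in Authentication-Results to its verdict
    (the first clause is the authserv-id and is skipped)."""
    msg = message_from_string(raw, policy=policy.default)
    verdicts = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        method, _, rest = clause.strip().partition("=")
        verdicts[method] = rest.split()[0] if rest else ""
    return verdicts

def spoof_indicators(raw):
    """Reasons a defender would flag the mail, as a list of strings."""
    ids, auth = sender_identities(raw), auth_results(raw)
    flags = []
    if ids["envelope"] and ids["envelope"] != ids["from"]:
        flags.append(f"envelope sender {ids['envelope']} differs from From {ids['from']}")
    if auth.get("spf") == "pass" and ids["envelope"] != ids["from"]:
        flags.append("SPF passed for the envelope domain only; not aligned with From")
    if auth.get("dmarc") == "fail":
        flags.append("DMARC failed for the displayed From domain")
    return flags
```

Saving the message from the mail client as .eml and feeding it to `spoof_indicators` shows the envelope domain even when the client renders the sender as your own contact card.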
 
I have been receiving these emails all week but what could these achieve? You're given a password and a PDF attachment which requires the password to open it.

Hello David, I am bringing 2 new people into my system this month and I thought that you might be a good fit.

I have attached your secure invitation, the password is 736658.

I am looking forward to hearing back from you.

Samuel Bates


......nice name
 
You should absolutely not receive emails from a spoofed email address; decent email providers use SPF records, DMARC and DKIM to filter spam. The SPF record contains details of all the servers that are allowed to send emails from PayPal; since the email was not sent from a PayPal email server the SPF record check will fail and the email provider should block the email.

Basically your email provider is crap.
I use Apple mail, yes it’s probably crap, but hey ho.
 
I have been receiving these emails all week but what could these achieve? You're given a password and a PDF attachment which requires the password to open it.

Hello David, I am bringing 2 new people into my system this month and I thought that you might be a good fit.

I have attached your secure invitation, the password is 736658.

I am looking forward to hearing back from you.

Samuel Bates


......nice name

My first thought is it might be a social engineering thing, an attempt to manipulate you into treating the attachment as legitimate and important.
 
This reminds me of a friend that fell for one of these emails, he didn't have the money to pay it off, so instead opted to warn everyone on Facebook that some five-finger-shuffle videos were about to be leaked. Obviously they never got released.
I really don't get this.

It's like if this actually happened to me I wouldn't care at all; wow, they see me jerk off, so what? It's been talked to death with my mates and wife over the years, they would probably just laugh.
 
I got some of these a while back, well I'm still getting them but they go straight to the junk folder. They actually had a password of mine for one of my emails, so I changed it :) nice of them to let me know. Oh yeh, and I don't have a webcam.
 
My first thought is it might be a social engineering thing, an attempt to manipulate you into treating the attachment as legitimate and important.
Another 2 this morning from different names (in spam), it must be something before some people are getting so much! Wonder if the PDF has a code on it or something and instructs you to save it to a certain folder or something! Not sure if PDF format would be good though! Or maybe typing in the password would do something.
 
It'll have either embedded scripts in it or use one of the many PDF vulnerabilities to launch a nasty.

Password protecting it (with a random unique password; simple scripting job) just means that it's going to be missed by anything that tries to use hash based signatures.
 
You should absolutely not receive emails from a spoofed email address; decent email providers use SPF records, DMARC and DKIM to filter spam. The SPF record contains details of all the servers that are allowed to send emails from PayPal; since the email was not sent from a PayPal email server the SPF record check will fail and the email provider should block the email.

Basically your email provider is crap.
If they filter out these emails then how will we know where to provide btc in order that our self-serve station videos aren't leaked to all our contacts?
 
I'm not sure if I'm answering your question but on the Outlook website, just put your arrow over the sender name and it'll show the true email address, which is usually some weird one.

Not sure if you were meaning the Outlook email program or the website.

As for spoofing emails, I've never done it myself but I hear it's very easy to spoof email addresses.
 
Here's a little taster of my Gmail spam folder :D

 
I'm not sure if I'm answering your question but on the Outlook website, just put your arrow over the sender name and it'll show the true email address, which is usually some weird one.

Not sure if you were meaning the Outlook email program or the website.

As for spoofing emails, I've never done it myself but I hear it's very easy to spoof email addresses.

It was in Outlook. The reason I asked was because doing what you suggested gave me my own contact card info, so it really did look like I'd just emailed myself. However, it was obviously spam and piqued my interest; other people explained how it's possible though, so all is good.

Here's a little taster of my Gmail spam folder :D

At least those are interesting! Aside from the one I posted here, I mainly get dating spam or the occasional enlargement pills.
 
I am aware xxxxxx is your pass. Lets get right to point. Neither anyone has paid me to check about you. You may not know me and you are probably thinking why you're getting this email?

Well, i actually installed a software on the 18+ streaming (pornography) site and you know what, you visited this website to have fun (you know what i mean). When you were viewing videos, your web browser started operating as a Remote control Desktop having a keylogger which provided me accessibility to your display and cam. Right after that, my software gathered your complete contacts from your Messenger, social networks, as well as email . Next i created a double-screen video. 1st part shows the video you were watching (you've got a fine taste hahah), and 2nd part displays the view of your web camera, yea its u.

You get 2 alternatives. Why dont we study the options in particulars:

1st option is to neglect this e-mail. Consequently, i will send out your very own video clip to just about all of your contacts and thus just think regarding the shame you feel. Moreover should you be in a committed relationship, precisely how it can affect?

Number two alternative will be to pay me $868. Lets name it as a donation. in such a case, i will immediately eliminate your videotape. You will keep going on your daily routine like this never took place and you never will hear back again from me.

You will make the payment through Bi‌tco‌in (if you do not know this, search for 'how to buy b‌itcoi‌n' in Google).

B‌T‌C‌ ad‌dre‌ss to send to: 1DG8pnwK9vdevHjB1nfDQRUmyYVJyPQNf9

[case-sensitive copy and paste it]

if you are looking at going to the law enforcement, good, this mail cannot be traced back to me. I have taken care of my actions. i am not trying to demand very much, i simply prefer to be rewarded. at this moment%} i know that you have rea if i do not receive the ‌bi‌tco‌in‌, i will certainly send your video to all of your contacts including family members, coworkers, and so forth. Nonetheless, if i do get paid, i'll erase the video right away. If you want proof, reply Yup! and i will certainly send out your video recording to your 5 contacts. This is the nonnegotiable offer and so please do not waste my personal time and yours by replying to this email message.

That's the one I got lol, I don't have a webcam, however the password it mentioned was a very very old one. Guess somebody has had information stolen. Interestingly, in the lines between paragraphs there was the password and my email repeated.
 