
I am C, an Exabee working at Exabytes.

I’m just an ordinary human who joins the crazy morning traffic to Exabytes Office in Bayan Baru every day to fulfill the mission of ‘Grow Your Business Online!’

What the… this is surely not a good start amid the Monday blues, because I had just received a similar email, which I took for some kind of love story and moved straight to the Junk folder.

And I found a Big Bad Wolf Hiding behind Exabytes Mail.

So, I grabbed a cup of coffee and started to perform an analysis.
GOSH! “Email target@domain.com has been compromised!”

Take a look at how I met the Big Bad Wolf in some phishing emails.

Email header + Content

Every email consists of a header and a body. The header records every relay point the message passed through before it reached your mailbox, much like the tracking history a courier service shows you for a parcel you ordered online.

Received: from [12.12.12.123] (UnknownHost [12.12.12.123]) by mail.domain.com with SMTP;Thu, 29 Oct 2018 06:17:21 +0800
Message-ID: <xxxxxx>
From: <target@domain.com>
To:  <target@domain.com>
Subject: account target@domain.com is compromised
Date: 29 Oct 2018 06:00:12 +0800
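The checks the post performs by eye on that header can be scripted. The following is an added example, not code from the post or from Exabytes: it parses a raw header with Python's standard email module, reads the originating host out of the earliest Received hop, and reports three spoofing indicators: the message is addressed from the mailbox to itself, the first hop came from an address outside the organisation, and the first hop was plain SMTP rather than an authenticated submission (ESMTPA/ESMTPSA). The first sample is modelled on the header above; the second, a legitimate authenticated submission from an internal address, is a constructed counter-example with hypothetical values.

```python
import email
import re
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed sample modelled on the header quoted in the post; <xxxxxx> is the post's own placeholder.
SPOOFED_SAMPLE = """\
Received: from [12.12.12.123] (UnknownHost [12.12.12.123]) by mail.domain.com with SMTP; Thu, 29 Oct 2018 06:17:21 +0800
Message-ID: <xxxxxx>
From: <target@domain.com>
To: <target@domain.com>
Subject: account target@domain.com is compromised
Date: 29 Oct 2018 06:00:12 +0800

(body omitted)
"""

# Constructed counter-example (hypothetical values): the same mailbox writing to a colleague
# through an authenticated submission (ESMTPSA) from a private, internal address.
LEGIT_SAMPLE = """\
Received: from [10.0.0.5] (laptop.domain.internal [10.0.0.5]) by mail.domain.com with ESMTPSA; Thu, 29 Oct 2018 09:02:11 +0800
Message-ID: <example-id@mail.domain.com>
From: <target@domain.com>
To: <colleague@domain.com>
Subject: meeting notes
Date: 29 Oct 2018 09:02:05 +0800

(body omitted)
"""

# "from <host> (<comment>) by <server>" inside a Received line; the bracketed [1.2.3.4] form is common.
HOP_RE = re.compile(r"from\s+\[?([^\s\[\]]+)\]?(?:\s+\(([^)]*)\))?\s+by\s+([^\s;]+)", re.I)
# ESMTPA / ESMTPSA, or an explicit "Authenticated sender" comment, mark an authenticated submission.
AUTH_RE = re.compile(r"\bwith\s+E?SMTPS?A\b|authenticated sender", re.I)


def parse_received(value):
    """Return (originating host, receiving server, authenticated?) for one Received line."""
    flat = " ".join(value.split())  # unfold a possibly multi-line header value
    m = HOP_RE.search(flat)
    if not m:
        return None, None, False
    return m.group(1), m.group(3), bool(AUTH_RE.search(flat))


def analyze_header(raw):
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    hops = msg.get_all("Received") or []
    # Each relay prepends its own Received line, so the last entry is the hop
    # closest to the original sender.
    origin, first_server, authenticated = parse_received(hops[-1]) if hops else (None, None, False)
    try:
        external = ip_address(origin).is_global if origin else None
    except ValueError:  # a hostname rather than an IP literal: cannot tell from the literal alone
        external = None

    self_addressed = bool(from_addr) and from_addr == to_addr
    findings = []
    if self_addressed:
        findings.append("From and To are the same mailbox")
    if external:
        findings.append(f"originating host {origin} is outside the organisation")
    if not authenticated:
        findings.append("first hop was plain SMTP, not an authenticated submission")
    spoofed = self_addressed and bool(external) and not authenticated
    return {
        "from": from_addr,
        "to": to_addr,
        "origin_ip": origin,
        "received_by": first_server,
        "self_addressed": self_addressed,
        "external_origin": external,
        "authenticated": authenticated,
        "findings": findings,
        "verdict": "likely spoofed" if spoofed else "no spoofing indicators",
    }


if __name__ == "__main__":
    for label, sample in (("scam", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = analyze_header(sample)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

The "authenticated" test is the same question the post raises under Suspicion 1: someone who really held the mailbox password would submit through mail.domain.com with credentials, which shows up as ESMTPA/ESMTPSA on the first hop, instead of relaying unauthenticated from an unknown external host.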


Suspicion 1: “I know your password!”

I’m a hacker who hacked your email and device a few months ago.

You entered a password on one of the sites you visited, and I intercepted it.

Of course you can/will change your password, or already changed it.

But it doesn’t matter, my malware updated it every time.

Do not try to contact me or find me, it is impossible, since I sent you an email from your account.

If you have my email account password, why didn’t you authenticate and relay through the mail server directly, instead of sending from a third-party host [12.12.12.123] while pretending you know my password? Hmmm… puzzling.


Suspicion 2: Spying on you!

Through your email, I uploaded malicious codes to your Operating System.

I saved all your contacts with friends, colleagues, relatives, and a complete history of visited websites.

I also installed a Trojan on your device and have been spying on you for a long time.

You are not my only victim. I usually lock computers and ask for a ransom.

But I was struck by the sites of intimate content that you often visit.

That’s another head-scratcher. The spammer seems to be piling on the pressure.

If he/she were a real hacker with “full access” to my laptop/desktop, he/she would deploy ransomware instead of sending a phishing email and waiting for me to take the bait.


Suspicion 3: I made screenshot from your photos!

So, when you had fun on piquant sites (you know what I mean!), I made screenshot using my program from your camera device.

After that, I combined them with the content of the currently viewed site.

There will be laughter when I send these photos to your contacts! BUT I’m sure you don’t want this to happen.

For real? My camera has been broken for ages, and the website I visit most often is exabytes.my. Seriously, my gramps has a greater sense of humour than you do. LOL!


Suspicion 4: Pay me or Data gone!

Therefore, I expect payment from you for my silence.

I think $852 is an acceptable price for it!

Pay with Bitcoin.

My BTC wallet: 1DVU5Q2HQ4srFNSSaWBrVNMtL4pvBkfP5w

If you do not know how to do this – Search this on Google “how to transfer money to a bitcoin wallet”. It is not difficult.

After receiving the specified amount, all your data will be immediately destroyed automatically. My virus will also remove itself from your operating system.

It seems that you care more about this data than I do. You care so much that you even provided me with the steps for making the payment.

By the way, the last line sounds like a scene in Mission Impossible. Are you a fan of the box office?


Suspicion 5: Time is running out! I’m coming now!

My Trojan have auto alert, after this email is read, I will know it!

You have 2 days (48 hours) to make payment. If this does not happen – all your contacts will get crazy shots from your dark secret life! Soon your device will be blocked too (also after 48 hours).

I read a similar email last week; did you not track that?

Email already has a feature called “Read receipts”, so why would you need to spend time writing a Trojan?


Suspicion 6: Do not be Silly!

Do not be silly!

Police or friends won’t help you for sure …

P.S. I can give you advice for the future. Do not enter your passwords on unsafe sites.

I hope you understand your situation now.

Farewell.

Finally, I found one meaningful line in the whole message… Yes, do not be silly with such a low-level phishing email, and I will surely help my friends by spreading this information!

Bye Mr. Spammer, good try!