Latest spear phishing: your password plus extortion

Intro
Three users that I know at a certain company have all received spear phishing emails worded very much like this one:

Spear Phishing shows you your password and extorts you

The details
I don’t really have many more details. One user described it to me as follows. He got this email at work. It displayed to him a password which he uses for some of his personal accounts and maybe for a few work-related logins. He said the wording was very similar to the one I showed in the above screenshot.

This one comes from IP 40.92.6.45, which is a legitimate Microsoft-owned IP. So it has an air of legitimacy to traditoinal spam filters.

I htikn all the users are reluctant to pursue the normal methods o reporting phishing, which involve sending the entire email to some unknown group of analysts because the email does in fatc contain a legitimate password of theirs. This makes it that much harder for an incident repsonse team to kick into gear and start a detailed analysis.

I mentioned three users – those are just the ones brought to my attention, and I’m not even in the business any more. So by extrapolation, this has probably occurred to many more users at just this one company. It’s disturbing…

November update
Another one came in to a different user. I have the text of this one and have only changed the recipient information.

From: a2603510@owlpic.com <a2603510@owlpic.com>
Sent: Thursday, November 29, 2018 11:55 AM
To: Dr J <drj@drj.com>
Subject: drj@drj.com has been hacked! Change your password immediately!
 
Hello!
 
I have very bad news for you.                                                                                                                                 03/08/2018 - on this day I hacked your OS and got full access to your account drj@drj.com On this day your account drj@drj.com has password: drj1234
 
So, you can change the password, yes.. But my malware intercepts it every time.
 
How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.
 
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
 
A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.
 
I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!
 
And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!
 
I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $709 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!
 
Pay ONLY in Bitcoins!
My BTC wallet: 1FgfdebSqbXRciP2DXKJyqPSffX3Sx57RF
 
You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy
 
For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.
 
After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".
 
I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, the sender address is automatically generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.
 
P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
 This is the word of honor hacker
 
I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.
 
Do not hold evil! I just do my job.
Good luck.

Conclusion
A new disturbing type of spear phishing campaign is presented. The email presents an actual password (no hint as to how the hacker obtained it) and then tries to extort the user for quite a bit of money to avoid reputation-damaging disclosures to their close associates.

References and related
This is a useful site, albeit a little frightening, that shows you the many sites that have leaked your Email address due to a data breach: https://haveibeenpwned.com/

This entry was posted in Scams, Spam. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *