Phishing/Sextortion Email – For your own safety, I highly recommend reading this email


Phishing/Sextortion Email:

Subject: For your own safety, I highly recommend reading this email

Hello <name>,
You are in big trouble.
However, don't panic right away. Listen to me first, because there is always a way out.

You are now on the radar of an international group of hackers, and such things never end well for anyone.
I'm sure you've heard of Anonymous. Well, compared to us, they are a bunch of schoolboys.
We are a worldwide network of several thousand professionals, each with their own role.

Someone hacks corporate and government networks, someone cooperates with intelligence agencies on the most delicate tasks,
and someone (including me) deals with people like you to maintain the infrastructure of our group.
"What kind of people like me?" - that is the question you are probably asking yourself now.

The answer is simple: people who like to watch highly controversial and, shall we say,
unconventional pornography on the internet that most normal people would consider perverted.
But not you!

In order to leave you without any doubts, I'll explain how I found it out.
Two months ago, my colleagues and I installed spyware software on your computer and then gained access to all of your devices, including your phone.
It was easy - one of those many pop-ups on porn sites was our work.

I think you already understand that we would not write to an ordinary man who watches "vanilla" and even hardcore porn - there is nothing special about that.
But the things you're watching are beyond good and evil.
So after accessing your phone and computer cameras, we recorded you masturbating to extremely controversial videos.
There is a close-up footage of you and a little square on the right with the videos you're pleasing yourself.
However, as I said earlier, there is always a way out, because even the most degraded sinner deserves leniency.
You are lucky today because I am not a sadist who enjoys other people's suffering.
Only money matters to me.

Here is your salvation: you must transfer $1490 in Bitcoin to this BTC cryptocurrency wallet: 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt

You have exactly 48 hours to make the payment, so think less, and do more.
As soon as I receive confirmation of the transaction, I will delete all compromising content and permanently disable our computer worm.
Believe me, I always abide by gentleman's agreements. Even with people who are hardly gentlemen. Because it's nothing personal, just business.

If I do not receive a payment, I will send all videos of you to every person in your contact list, messengers and email.
Relatives, loved ones, colleagues, friends - everyone you've ever been in contact with will receive them.
You understand perfectly well that you will never be able to wash this stain on your reputation.
Everyone will remember you as sick as fuck.
Your life will be completely ruined, and, most likely, only a tightened noose around your neck will be able to save the day.

If you haven't dealt with crypto before, I suppose it won't be difficult for you to figure it all out.
Simply type in the "crypto exchange" into the search bar and pay with a credit card. Besides, based on your browser history, you are a savvy user.
When you want to, you can dig into the darkest depths of the Internet, so I'm sure you will be able to find out what is what.

Here is what my colleagues and I should warn you against:
...Do not reply to this email. Do you really think we are so stupid to be tracked by an email address? This is a temporary disposable email. As soon as I clicked "Send", it was gone for good.
...Forget about law-enforcement authorities. As soon as I see that you are trying to contact them, the compromising material will be published. Remember, I have access to all your devices, and I can even track your movements.
...Do not reset your devices to factory settings and do not try to get rid of your devices. It won't help in any way. Look above - my All-seeing eye is watching all your actions. It is easy to hunt you down.

I am sorry that we met in such circumstances. Probably, everything could be different if you had been more careful about what you are doing on the Internet.
Watch yourself from now on, because even such things that you previously considered insignificant can destroy your life in the future like a butterfly effect.
I hope this is goodbye forever. However, it depends on you.

P.S. The countdown is on. The choice is yours.

This is a phishing sextortion email that scammers have been spreading in the last few days. I came across a few blog posts and tweets mentioning the same email content.

A phishing sextortion email is a specific type of malicious email that combines elements of both phishing and sextortion. In such emails, the sender typically claims to have compromising or explicit material of the recipient, often obtained through a supposed hack or malware installed on the recipient’s device. The email usually includes threats to release this material unless a ransom is paid, typically in cryptocurrency.

These emails often employ psychological manipulation and intimidation tactics to coerce the recipient into complying with the demands. They may include personal information about the recipient, such as their name, username, or password (which may have been obtained from previous data breaches), to make the threats seem more credible.

Email header:

Received: from CH3PR14MB6324.namprd14.prod.outlook.com (2603:10b6:610:14d::22)
 by MW4PR14MB5997.namprd14.prod.outlook.com with HTTPS; Tue, 26 Mar 2024
 20:58:35 +0000
Received: from MW4PR04CA0203.namprd04.prod.outlook.com (2603:10b6:303:86::28)
 by CH3PR14MB6324.namprd14.prod.outlook.com (2603:10b6:610:14d::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.32; Tue, 26 Mar
 2024 20:58:34 +0000
Received: from CO1NAM11FT116.eop-nam11.prod.protection.outlook.com
 (2603:10b6:303:86:cafe::ee) by MW4PR04CA0203.outlook.office365.com
 (2603:10b6:303:86::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.13 via Frontend
 Transport; Tue, 26 Mar 2024 20:58:33 +0000
Authentication-Results: spf=fail (sender IP is 45.233.98.42)
 smtp.mailfrom=hotmail.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=hotmail.com;compauth=fail
 reason=001
Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not
 designate 45.233.98.42 as permitted sender) receiver=protection.outlook.com;
 client-ip=45.233.98.42; helo=[45.233.98.42];
Received: from [45.233.98.42] (45.233.98.42) by
 CO1NAM11FT116.mail.protection.outlook.com (10.13.174.243) with Microsoft SMTP
 Server id 15.20.7430.22 via Frontend Transport; Tue, 26 Mar 2024 20:58:32
 +0000

The email header shows this email was sent from IP 45.233.98.42, located in Brazil.

When I searched on MxToolbox, I found this IP address is already blacklisted on "s5h.net" and "SORBS SPAM".
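The verdicts above (spf=fail, dkim=none, dmarc=fail, client-ip 45.233.98.42) are what a mail gateway records when a message claiming to be from hotmail.com arrives from a host that domain never authorised. The following Python is an added example, not code from the original post: it parses those two headers, pulls out the connecting IP and the failed checks, and flags the message for quarantine. The sample headers are a constructed excerpt of the ones quoted in this post.

```python
import email
import re
from typing import Optional

# Constructed sample: the authentication lines from the header quoted in this
# post, reduced to what the triage below needs (body omitted).
SAMPLE_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 45.233.98.42)
 smtp.mailfrom=hotmail.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=hotmail.com;compauth=fail
 reason=001
Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not
 designate 45.233.98.42 as permitted sender) receiver=protection.outlook.com;
 client-ip=45.233.98.42; helo=[45.233.98.42];
Subject: For your own safety, I highly recommend reading this email

"""


def auth_results(raw: str) -> dict:
    """{method: result} from Authentication-Results; regex tolerates folding."""
    value = email.message_from_string(raw).get("Authentication-Results", "")
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value)}


def client_ip(raw: str) -> Optional[str]:
    """Connecting IP as the receiving MX recorded it in Received-SPF."""
    spf = email.message_from_string(raw).get("Received-SPF", "")
    m = re.search(r"client-ip=([0-9a-fA-F.:]+)", spf)
    return m.group(1) if m else None


def triage(raw: str) -> dict:
    """Flag a message whose claimed sender domain fails SPF, DKIM and DMARC."""
    res = auth_results(raw)
    value = email.message_from_string(raw).get("Authentication-Results", "")
    m = re.search(r"smtp\.mailfrom=([\w.-]+)", value)
    mail_from = m.group(1) if m else None
    ip = client_ip(raw)
    reasons = []
    if res.get("spf") == "fail":
        reasons.append("SPF fail: %s not permitted to send for %s" % (ip, mail_from))
    if res.get("dkim") in ("none", "fail"):
        reasons.append("no valid DKIM signature")
    if res.get("dmarc") == "fail":
        reasons.append("DMARC fail: From domain not authenticated")
    return {"client_ip": ip, "mail_from": mail_from, "results": res,
            "reasons": reasons, "quarantine": bool(reasons)}
```

Run `triage(SAMPLE_HEADERS)` to see all three checks fail for this message; the same function applied to a legitimate hotmail.com message would return an empty reasons list, since Microsoft's own outbound hosts pass SPF and sign with DKIM.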

The scammers demanded $1490 in bitcoin to be transferred to the crypto wallet 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt. When I received this email I checked this wallet and there were no transactions, but unfortunately I now see 2 transactions, which means 2 victims fell for it.

Link to check the transactions for this wallet: Blockchair

If you receive a phishing sextortion email, it’s essential to:

  1. Stay calm: Remember that the sender’s threats may not be legitimate.
  2. Avoid responding or engaging: Do not reply to the email or attempt to contact the sender.
  3. Do not pay the ransom: Paying the ransom encourages further criminal activity and does not guarantee that the threats will stop.
  4. Report the email: Report the email to your email provider as spam or phishing. You can also report it to law enforcement agencies or relevant authorities.
