Chase a Cybercriminal via its Spam email

Receiving spam and threatening emails is nothing unusual; lately, though, I have received a few like this:


This account was infected! Change the password immediately!
You do not heard about me and you are probably wondering why you are receiving this electronic message, proper?
I’m hacker who burst your email and OS not so long ago.
Do not attempt to talk to me or alternatively seek for me, it is not possible, considering that I sent you a letter from YOUR own hacked account.
I have build in malware software on the adult videos (porno) website and suppose you watched this site to have a good time (you understand what I want to say).
When you were watching films, your browser started out functioning as a RDP (Remote Control) with a keylogger that provided me authority to access your display and webcam.
Then, my soft got all info.
You have typed passwords on the websites you visited, and I already caught all of them.
Of course, you could possibly change them, or have already modified them.
However it doesn’t matter, my app renews information every time.
What did I do?
I compiled a backup of every your device. Of all the files and personal contacts.
I created a dual-screen movie. The first part shows the clip you had been watching (you’ve a very good taste, huh…), the second part demonstrates the movie from your camera.
What exactly do you have to do?
Good, I believe, 1000 USD is a fair amount of money for this very little secret. You will make your payment by bitcoins (in case you don’t know this, go searching “how to purchase bitcoin” in Google).
My bitcoin wallet address:
19SDJp3rdgU99sadqEb437b1qAynsCg9r8
(It is cAsE sensitive, so just copy and paste it).
Important:
You will have 48 hours to perform the payment. (I built in an exclusive pixel to this letter, and at the moment I know that you have read through this email).
To trace the reading of a letter and the actions in it, I use a Facebook pixel. Thanks to them. (That which can be used for the authorities may help us.)

In the event I fail to get bitcoins, I shall immediately direct your video files to all your contacts, such as relatives, co-workers, and so forth?

Apart from the usual language issues of the so-called hacker, I think this is quite a nice piece of work. It has all the ingredients of today’s cyber-paranoia mixed with some more credible keywords and facts, although I’m not sure what to make of

I built in an exclusive pixel to this letter, and at the moment I know that you have read through this email

but it must be something new that I don’t yet know about.

So, apart from the fact that I don’t have $1000 to spare to save myself from public flagellation when everyone I know eventually receives the video portraying my joyful moments, I got curious about the origins of this email and started digging. It was time to chase a cybercriminal via its spam email.

It goes without saying that it would be great if people used antivirus software and were a bit more careful when wandering the treacherous waters of the Internet sea: my email address ended up in the hands of these people, and not because I gave it to them.

Looking at the original message, I found that the email appeared to have originated from the casacm.com.br domain. Looking the bare domain up on whois gives:

% Copyright (c) Nic.br
% The use of the data below is only permitted as described in
% full by the terms of use at https://registro.br/termo/en.html ,
% being prohibited its distribution, commercialization or
% reproduction, in particular, to use it for advertising or
% any similar purpose.
% 2019-02-19T06:14:59-03:00
domain: casacm.com.br
owner: CMT - PRESENTES E DECORACOES EIRELI - ME
owner-c: CEMMA18
admin-c: CEMMA18
tech-c: CEMMA18
billing-c: CEMMA18
nserver: ns1.locaweb.com.br
nsstat: 20190218 AA
nslastaa: 20190218
nserver: ns2.locaweb.com.br
nsstat: 20190218 AA
nslastaa: 20190218
nserver: ns3.locaweb.com.br
nsstat: 20190218 AA
nslastaa: 20190218
created: 20100730 #7145668
changed: 20180711
expires: 20200730
status: published
nic-hdl-br: CEMMA18
person: Celina Martins Macchione
created: 20100726
changed: 20160127
% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/ , respectivelly to
% and
%
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), registrant (tax ID), ticket,
% provider, contact handle (ID), CIDR block, IP and ASN.
Information Updated: 2019-02-19 09:14:59

So a legitimate domain of a legitimate business, it seems.

Could such a pretty website hide some very unpleasant crooks?

Looking a bit more closely at the email details

Received: from [ip-177.223.24.50.speedline.com.br] (unknown [177.223.24.50]) (Authenticated sender: atendimento@casacm.com.br) by proxy.email-ssl.com.br (Postfix) with ESMTPSA id 23ADDE00E03 for <MYEMAILADDRESS>; Mon, 18 Feb 2019 22:33:37 -0300 (-03) 

it turns out that the sender was in fact authenticated as atendimento@casacm.com.br, but the message was most probably being sent from a private line that may have had nothing to do with the owners of casacm.

The result of whois on speedline.com.br

% Copyright (c) Nic.br
% The use of the data below is only permitted as described in
% full by the terms of use at https://registro.br/termo/en.html ,
% being prohibited its distribution, commercialization or
% reproduction, in particular, to use it for advertising or
% any similar purpose.
% 2019-02-19T06:31:52-03:00
domain: speedline.com.br
owner: SPEED LINE TELECOMUNICAÇÕES LTDA - ME
ownerid: 05.968.616/0001-74
responsible: Willams Torres de Melo
country: BR
owner-c: WTM28
admin-c: WTM28
tech-c: ROPAG54
billing-c: WTM28
nserver: ns1.speedline.com.br 177.223.16.138
nsstat: 20190218 AA
nslastaa: 20190218
nserver: ns2.speedline.com.br 177.223.16.148
nsstat: 20190218 AA
nslastaa: 20190218
dsrecord: 22057 RSASHA1 0252A41CAC95A5A2927846830F03CDFED17B429C
dsstatus: 20190218 DSOK
dslastok: 20190218
created: 20050723 #2265306
changed: 20160905
expires: 20220723
status: published
nic-hdl-br: WTM28
person: Willams Torres de Melo
e-mail:
country: BR
created: 20031107
changed: 20150126
nic-hdl-br: ROPAG54
person: RODRIGO PEDROSA DE AGUIAR
e-mail:
country: BR
created: 20160529
changed: 20170925
% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/ , respectivelly to
% and
%
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), registrant (tax ID), ticket,
% provider, contact handle (ID), CIDR block, IP and ASN.
Information Updated: 2019-02-19 09:31:52

says that Speedline is a telecommunications provider and that the responsible people have Gmail addresses!?!?!

This is a bit disconcerting. I then looked to see whether the provider had other domains and came up with this

aut-num: AS52702
owner: SPEED LINE TELECOMUNICAÇÕES LTDA - ME
responsible: Willams Torres de Melo
owner-c: WTM28
routing-c: WTM28
abuse-c: ROPAG54
created: 20121220
changed: 20160925
inetnum: 177.223.16.0/20
inetnum: 2804:c68::/32
nic-hdl-br: WTM28
person: Willams Torres de Melo
created: 20031107
changed: 20150126
nic-hdl-br: ROPAG54
person: RODRIGO PEDROSA DE AGUIAR
created: 20160529
changed: 20170925

The IP address from which the email in question originated is 177.223.24.50, and it falls squarely within their 177.223.16.0/20 range.

A query to this service even reveals where on earth the IP is located.

Unfortunately, as I dig deeper into the rabbit hole, it turns out that several spam emails originate from the same IP address, and I suspect at this point that someone’s PC has been compromised. As the messages originating from this IP repeat themselves, I tend to think it might be malware of some sort infecting the PC of whoever lives in Bezerros.

Lesson learned

The spam email has four interesting aspects:

  • An email account (atendimento@casacm.com.br) had been compromised, and the spammer was then able to impersonate someone else’s email address by using the username and password for that account
  • My own email address was used in the From field of the email header, so that it would look as if my account had been compromised instead and the spammer was sending the email using my credentials
  • A compromised computer was used to actually send the emails: malware behaving like an email client sending mail from someone’s PC in Bezerros (BR)
  • The spammer provided a Bitcoin wallet address, 19SDJp3rdgU99sadqEb437b1qAynsCg9r8, for the payment and relied on the fact that there is no traceability on Bitcoin accounts.
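As an added example (not code from the original post), the checks behind the first three points applied to the Received header quoted earlier: a From address equal to the recipient's own, an authenticated account that differs from it, and a client IP inside the provider's announced /20. The sample message, the me@example.com placeholder and the function name are constructed for this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received line quoted in the post, wrapped in a
# minimal message. me@example.com stands in for the author's real address.
SAMPLE_MESSAGE = (
    "Received: from [ip-177.223.24.50.speedline.com.br] (unknown [177.223.24.50])"
    " (Authenticated sender: atendimento@casacm.com.br) by proxy.email-ssl.com.br"
    " (Postfix) with ESMTPSA id 23ADDE00E03 for <me@example.com>;"
    " Mon, 18 Feb 2019 22:33:37 -0300 (-03)\n"
    "From: me@example.com\n"
    "To: me@example.com\n"
    "\nbody\n"
)
# Address space that the whois output above attributes to AS52702.
SPEEDLINE_BLOCKS = [ipaddress.ip_network("177.223.16.0/20")]
# Postfix records the connecting client as "(name [1.2.3.4])" and, when the
# client logged in to submit mail, "(Authenticated sender: user@domain)".
RECEIVED_RE = re.compile(
    r"\((?:\S+ )?\[(?P<ip>[0-9.]+)\]\).*?"
    r"\(Authenticated sender: (?P<auth>[^)\s]+)\)",
    re.DOTALL,
)


def analyse(raw, announced_blocks=SPEEDLINE_BLOCKS):
    """Extract the indicators the post walks through from one raw message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    result = {"client_ip": None, "auth_sender": None, "from_spoofed": False,
              "auth_mismatch": False, "ip_in_provider_range": False}
    # The hop that logged an authenticated submission saw the real client.
    for hop in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(hop)
        if m:
            result["client_ip"] = m.group("ip")
            result["auth_sender"] = m.group("auth").lower()
            break
    auth = result["auth_sender"]
    # From: equal to the recipient's own address ("sent from YOUR hacked
    # account") while a different account actually logged in to send it.
    result["from_spoofed"] = bool(from_addr) and from_addr == to_addr
    result["auth_mismatch"] = bool(auth) and auth != from_addr
    if result["client_ip"]:
        ip = ipaddress.ip_address(result["client_ip"])
        result["ip_in_provider_range"] = any(ip in net for net in announced_blocks)
    return result
```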

Despite this not being the most elaborate mastermind plan to extort money, it shows what today’s risks are and why it is good to be very careful about whom we share information like our credentials with, why it is important to have a good antivirus (better would be to have a good OS, but that’s another story), why ISPs should invest a lot more in implementing a safer Internet and, most importantly, how the heck is Bitcoin not traceable??? I mean, with all the issues we are currently experiencing with cyber-crime and the big fuss about blockchain, someone allows a new currency and new ways of exchanging money without the right belts and braces?

So be more careful, watch less porn and for the love of God stop believing everything you are told 😉
