As i promised you in article one, we'll have a look at a typical phishing email, and go through it, why it isn't so scary as it seems.
If you haven't read the first one, you can find it here C-Days - Phishing explained
So, welcome back :)
As I promised you in the last piece, today we'll have some fun, and analyze an email I got, from a guy called Aaron686Smith.
He's one of those pesky little scammers out there, who I thought would make a wonderfull example case.
(Hi Aaron, if you're reading this, hope you're doing good. Please send some more samples, so I have something to poke fun at :) )
Hello,
I am a spyware software developer. Your account has been hacked by me in the summer of 2018.
I understand that it is hard to believe, but here is my evidence (I sent you this email from your account).
The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296).
I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time.
Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you.
At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit.
I note that it is useless to change the passwords. My malware update passwords from your accounts every times.
I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :)
I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality!
So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts.
Transfer $969 to my Bitcoin cryptocurrency wallet: 1971pHPgLaTmuYtoH4BsGSfFMZaAjotium Just copy and paste the wallet number when transferring. If you do not know how to do this - ask Google.
My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system. Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it.
Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material.
I advise you to remain prudent and not engage in nonsense (all files on my server).
Good luck!He's simply just an adorable guy, isn't he ?
Okay. So, should we take this seriously ? Noooo. and why not ? I mean, it's kind of scary what he says. He *gasp*, got private footage he is going to show the whole world, that would be awkward now, wouldn't it.
Hmm, lets have a look at this. First of, he's claiming that he send this email from my private account. Why not log in, and see if that's true ? If it is, it should be in the "sent" folder. Maybe he deleted it, but why would he, that's his proof that he was actually there.
And, finding an open relay SMTP server, that allow guys like Aaron to send email, claiming to be anybody they want to, is actually not hard, if you know how, and know where to look.
Then he goes on, saying he used an exploit, giving us the reference number. Look at that info here https://nvd.nist.gov/vuln/detail/CVE-2018-0296, and then come back to here.
You will see the exploit is only valid for specific types of Cisco gear, which I don't have, and secondly, it doesn't work the way he claims it to, so that's more bullshit.
But, why does he mention it then ? Because it makes him sound believable, it sounds menacing to someone not technically well versed, so it could have worked, maybe.
Secondly he claims that he installed an exploit in the router, that downloads malware to my system, in form of a driver..
Okay, rootkits from a router. If he can actually do that, I would veery mucjh like to see the code, or maybe even buy it from him. And drivers, on a Linux platform ? pleeease. If he's in my system, he should know it's Linux based platform, it doesn't have "drivers", but kernel modules.
So, he also claims that he have VNC access..hmm. Nothing listening here, bandwidth is normal, and have been for months.
Next, he has access to my camera. WOOUW, what an ace. This system got no microphone, or camera for that matter...
And, how can I actually know he'll delete the data once I pay him ? So, don't. IF he could prove it, and send me a copy of my private data, I might tend to believe him.
IF he could send me a video dump, or screenshot I could identify as a screenshot from "right now", I might believe him, or if he could pop open a command promt, I reeaaally would believe him.
All else..is just bullshit.
PS: Aaron, if you're out there. You still haven't answered my email for confirmation, I'm still waiting :)
So, what did he try to do. He tried to cause feelings of fear, shame and embarrassment, and hopefully force me to pay up.
There could be a chance he would hit someone that was visiting pornsites every day, having a good time with themself in front of the machine (yiekes, glad I'm not using that keyboard).
Let's face it, for most people, what he's threatening to do, would be veeery scary.
Most scams work that way. They prey on basic powerfull human needs, want's and emotions, because it works.
But in reality, Most times, they find an email list, from some site they hacked, or some list they bought dirt cheap online, and send an email like this to everybody, hoping someone will take the bait.
A way to help this, is checking your email accounts, and other online accounts, and change password. And, go to a site like https://haveibeenpwned.com/, and check if it finds you email.
Try the password section also, and for gods sake, change the password :)
Again, if a "real" hacker want's in, they are going to get in, and most of the time, you won't even notice them. But, that's a rare case, and highly unlikely to happen. They go for the big win, usually that's not you and me ;)