Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New Wave of Extortion Emails: Central Intelligence Agency Case - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New Wave of Extortion Emails: Central Intelligence Agency Case

The extortion attempts haved moved to another step recently. After the “sextortion” emails that are propagating for a while, attackers started to flood people with a new type of fake emails and their imaginnation is endless... I received one two days ago and, this time, they go one step further. In many countries, child pornography is, of course, a very strong offense punished by law. What if you received an email from a Central Intelligence Agency officer who reveals that you’re listed in an international investigation about a case of child pornography and that you’ll be arrested soon? Hopefully, the agent is a “nice guy” and, if you pay $10K in Bitcoin, he will be happy to delete your name from the list of bad guys?

Here is a copy of the received email:

From: "Huey Ferguson" <hueyferguson@wysa.cia-us-govn[.]ga>
To: <redacted>
Subject: Central Intelligence Agency Case 61587423

Case #61587423
Distribution and storage of pornographic electronic materials involving
underage children.

My name is Huey Ferguson and I am a technical collection officer working for
Central Intelligence Agency.

It has come to my attention that your personal details including your email
address (<redacted>) are listed in case #61587423.

The following details are listed in the document's attachment:

- Your personal details,
- Home address,
- Work address,
- List of relatives and their contact information.

Case #61587423 is part of a large international operation set to arrest more
than 2000 individuals suspected of paedophilia in 27 countries.

The data which could be used to acquire your personal information:

- Your ISP web browsing history,
- DNS queries history and connection logs,
- Deep web .onion browsing and/or connection sharing,
- Online chat-room logs,
- Social media activity log.

The first arrests are scheduled for April 8, 2019.

Why am I contacting you ?

I read the documentation and I know you are a wealthy person who may be
concerned about reputation.

I am one of several people who have access to those documents and I have
enough security clearance to amend and remove your details from this case.
Here is my proposition.

Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through
Bitcoin network to this special bitcoin address:

3EcEvozxnYvDX9EX3QR4PEYpdKbUKphLpv

You can transfer funds with online bitcoin exchanges such as Coinbase,
Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to
access and edit the files).

Upon confirming your transfer I will take care of all the files linked to
you and you can rest assured no one will bother you.

Please do not contact me. I will contact you and confirm only when I see the
valid transfer.

Regards,
Huey Ferguson
Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency

The mail includes also several times the same logo in a very poor quality:

Note also that pedophilia is written as “paedophilia”[1] (which is an alternative spelling but not usual). The only relevant information found about Huey Ferguson is coming from ca.gov[2].

Here is a copy of the SMTP headers:

Return-Path: <hueyferguson@wysa.cia-us-govn.ga>
X-Original-To: <redacted>
Delivered-To: <redacted>
Received: by <redacted> (Postfix, from userid 65534)
    id 1270B1A8008F; Mon, 18 Mar 2019 21:54:15 +0100 (CET)
Received: from mx.wysa.cia-us-govn.ga (mx.wysa.cia-us-govn.ga [54.39.181.120])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by <redacted> (Postfix) with ESMTPS id 2AB631A80088
    for <redacted>; Mon, 18 Mar 2019 21:54:14 +0100 (CET)
Received: from [127.0.0.1] (mx.wysa.cia-us-govn.ga [127.0.0.1])
    by mx.wysa.cia-us-govn.ga (Postfix) with ESMTP id 44NT1t4GJLz2nKD
    for <redacted>>; Mon, 18 Mar 2019 20:54:10 +0000 (UTC)
Date: Mon, 18 Mar 2019 20:54:09 +0000
From: "Huey Ferguson" <hueyferguson@wysa.cia-us-govn.ga>
To: <redacted>
Subject: =?UTF-8?Q?Central=20Intelligence?==?UTF-8?Q?=20Agency=20-?= =?UTF-8?Q?=20Case=20#61587423?=
List-Unsubscribe: <http://wysa.cia-us-govn.ga/unsubscribe/WFFUV2c0bUl2ZkV3TCt6aXdBQkY1cWNNZ3Y4Z0EzbytueUxWQ1hsY3M5ZjF3dktzdXRiRUpWZ2FMZ0xDMkphRUlQVzZkYjI2cVhVcHlrNHRRc2hxUDRwbEordHdtYnBOUGpvNVpRL0RNVkU9>
Reply-To: <hueyferguson@wysa.cia-us-govn.ga>
User-Agent: Postfix 3.3.11
X-Sender: hueyferguson@wysa.cia-us-govn.ga
X-Mailer: Postfix 3.3.11
X-Priority: 3 (Normal)
Message-ID: <5c900571eee4c@wysa.cia-us-govn.ga>

The email address uses a domain name with the .ga TLD (Gabon, Africa) but does not exist. The SMTP server is located at OVH, Canada (54.39.181.120). 

As usual with this kind of emails, same conclusion: just delete them and do not pay! But feel free to report more Bitcoin addresses to us!

[1] https://www.urbandictionary.com/define.php?term=paedophilia
[2] https://appellatecases.courtinfo.ca.gov/search/case/dockets.cfm?dist=0&doc_id=2266518&doc_no=S251894&request_token=NiIwLSIkXkg%2FWyBVSCNdUEJIQDw0UDxTJiJOJzNSMCAgCg%3D%3D

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Xme

463 Posts
ISC Handler
The first thing I would do is make sure you're blocking email from TLD's that don't end in .com, .org, .net. etc. Regular expressions are your friend.
Anonymous
Quoting Anonymous:The first thing I would do is make sure you're blocking email from TLD's that don't end in .com, .org, .net. etc. Regular expressions are your friend.


Blocking emails based on TLD's is not a good idea. ".ga" is a valid TLD even if many domains are used for malicious purposes.
Also, with the continuously growing list of new TLD's, you will loose your time and energy to filter like this. My $0.02.
Xme

463 Posts
ISC Handler
Quoting Xme:
Quoting Anonymous:The first thing I would do is make sure you're blocking email from TLD's that don't end in .com, .org, .net. etc. Regular expressions are your friend.


Blocking emails based on TLD's is not a good idea. ".ga" is a valid TLD even if many domains are used for malicious purposes.
Also, with the continuously growing list of new TLD's, you will loose your time and energy to filter like this. My $0.02.


If you're a U.S. based company and only do business in the U.S., it's not a waste of time at all. It takes 5 seconds to add a TLD to a block list taken from threat intelligence. In fact, I would do the same with web traffic as well. I'm not talking about spending day and night adding every TLD in the world. I'm specifically referring to TLD's seen in threat intelligence data.
Anonymous
Quoting Anonymous:
Quoting Xme:
Quoting Anonymous:The first thing I would do is make sure you're blocking email from TLD's that don't end in .com, .org, .net. etc. Regular expressions are your friend.


Blocking emails based on TLD's is not a good idea. ".ga" is a valid TLD even if many domains are used for malicious purposes.
Also, with the continuously growing list of new TLD's, you will loose your time and energy to filter like this. My $0.02.


If you're a U.S. based company and only do business in the U.S., it's not a waste of time at all. It takes 5 seconds to add a TLD to a block list taken from threat intelligence. In fact, I would do the same with web traffic as well. I'm not talking about spending day and night adding every TLD in the world. I'm specifically referring to TLD's seen in threat intelligence data.


More to the point, change your mail server to refuse delivery of emails from domains for which you can't resolve the MX records. (maybe just a temporary failure SMTP code in case of DNS problems). But your point is well taken, though I'd say if you don't trust a TLD, put it in your DNS filters. Then not only do you solve the problem of emails coming in from domains in that region, you also break C&C channels and malware landing pages hosted there too.

Yes, you have to exercise some caution in which countries or TLDs you decide to block but if you can safely get away with it you block a lot of abuse and gain some useful indicators in your logs too (who's systems are doing DNS lookups for hostnames in TLDs you don't trust). For instance, I just recently put *.icu in our DNS filters because I was seeing a ton of spam/phish coming from domains hosted there. Before I did, though, I also searched our DNS query logs for the past 90 days for ALL queries for *.icu to see if there were any legit-looking hostnames there. And I have a dashboard in my log server so I can spot-check it and see if I start seeing legit hostnames not related to spam, phish, malware, or C&C channels.
Brent

120 Posts
There is no need to block or panic but use smart filters like akismet and also make links of obvious TLD.
rawla

1 Posts

Sign Up for Free or Log In to start participating in the conversation!