Last Updated: 2019-03-21 00:42:06 UTC
by Xavier Mertens (Version: 1)
The extortion attempts haved moved to another step recently. After the “sextortion” emails that are propagating for a while, attackers started to flood people with a new type of fake emails and their imaginnation is endless... I received one two days ago and, this time, they go one step further. In many countries, child pornography is, of course, a very strong offense punished by law. What if you received an email from a Central Intelligence Agency officer who reveals that you’re listed in an international investigation about a case of child pornography and that you’ll be arrested soon? Hopefully, the agent is a “nice guy” and, if you pay $10K in Bitcoin, he will be happy to delete your name from the list of bad guys?
Here is a copy of the received email:
From: "Huey Ferguson" <firstname.lastname@example.org[.]ga> To: <redacted> Subject: Central Intelligence Agency Case 61587423 Case #61587423 Distribution and storage of pornographic electronic materials involving underage children. My name is Huey Ferguson and I am a technical collection officer working for Central Intelligence Agency. It has come to my attention that your personal details including your email address (<redacted>) are listed in case #61587423. The following details are listed in the document's attachment: - Your personal details, - Home address, - Work address, - List of relatives and their contact information. Case #61587423 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries. The data which could be used to acquire your personal information: - Your ISP web browsing history, - DNS queries history and connection logs, - Deep web .onion browsing and/or connection sharing, - Online chat-room logs, - Social media activity log. The first arrests are scheduled for April 8, 2019. Why am I contacting you ? I read the documentation and I know you are a wealthy person who may be concerned about reputation. I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case. Here is my proposition. Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through Bitcoin network to this special bitcoin address: 3EcEvozxnYvDX9EX3QR4PEYpdKbUKphLpv You can transfer funds with online bitcoin exchanges such as Coinbase, Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to access and edit the files). Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you. Please do not contact me. I will contact you and confirm only when I see the valid transfer. Regards, Huey Ferguson Technical Collection Officer Directorate of Science and Technology Central Intelligence Agency
The mail includes also several times the same logo in a very poor quality:
Here is a copy of the SMTP headers:
Return-Path: <email@example.com> X-Original-To: <redacted> Delivered-To: <redacted> Received: by <redacted> (Postfix, from userid 65534) id 1270B1A8008F; Mon, 18 Mar 2019 21:54:15 +0100 (CET) Received: from mx.wysa.cia-us-govn.ga (mx.wysa.cia-us-govn.ga [220.127.116.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by <redacted> (Postfix) with ESMTPS id 2AB631A80088 for <redacted>; Mon, 18 Mar 2019 21:54:14 +0100 (CET) Received: from [127.0.0.1] (mx.wysa.cia-us-govn.ga [127.0.0.1]) by mx.wysa.cia-us-govn.ga (Postfix) with ESMTP id 44NT1t4GJLz2nKD for <redacted>>; Mon, 18 Mar 2019 20:54:10 +0000 (UTC) Date: Mon, 18 Mar 2019 20:54:09 +0000 From: "Huey Ferguson" <firstname.lastname@example.org> To: <redacted> Subject: =?UTF-8?Q?Central=20Intelligence?==?UTF-8?Q?=20Agency=20-?= =?UTF-8?Q?=20Case=20#61587423?= List-Unsubscribe: <http://wysa.cia-us-govn.ga/unsubscribe/WFFUV2c0bUl2ZkV3TCt6aXdBQkY1cWNNZ3Y4Z0EzbytueUxWQ1hsY3M5ZjF3dktzdXRiRUpWZ2FMZ0xDMkphRUlQVzZkYjI2cVhVcHlrNHRRc2hxUDRwbEordHdtYnBOUGpvNVpRL0RNVkU9> Reply-To: <email@example.com> User-Agent: Postfix 3.3.11 X-Sender: firstname.lastname@example.org X-Mailer: Postfix 3.3.11 X-Priority: 3 (Normal) Message-ID: <email@example.com>
The email address uses a domain name with the .ga TLD (Gabon, Africa) but does not exist. The SMTP server is located at OVH, Canada (18.104.22.168).
As usual with this kind of emails, same conclusion: just delete them and do not pay! But feel free to report more Bitcoin addresses to us!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant