
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2019-03-21



New Wave of Extortion Emails: Central Intelligence Agency Case

Published: 2019-03-21
Last Updated: 2019-03-21 00:42:06 UTC
by Xavier Mertens (Version: 1)

Extortion attempts have recently moved to another level. After the “sextortion” emails that have been propagating for a while, attackers started flooding people with a new type of fake email, and their imagination is endless... I received one two days ago and, this time, they go one step further. In many countries, child pornography is, of course, a very serious offense punished by law. What if you received an email from a Central Intelligence Agency officer revealing that you’re listed in an international investigation into a case of child pornography and that you’ll be arrested soon? Luckily, the agent is a “nice guy” and, if you pay $10K in Bitcoin, he will be happy to delete your name from the list of bad guys.

Here is a copy of the received email:

From: "Huey Ferguson" <hueyferguson@wysa.cia-us-govn[.]ga>
To: <redacted>
Subject: Central Intelligence Agency Case 61587423

Case #61587423
Distribution and storage of pornographic electronic materials involving
underage children.

My name is Huey Ferguson and I am a technical collection officer working for
Central Intelligence Agency.

It has come to my attention that your personal details including your email
address (<redacted>) are listed in case #61587423.

The following details are listed in the document's attachment:

- Your personal details,
- Home address,
- Work address,
- List of relatives and their contact information.

Case #61587423 is part of a large international operation set to arrest more
than 2000 individuals suspected of paedophilia in 27 countries.

The data which could be used to acquire your personal information:

- Your ISP web browsing history,
- DNS queries history and connection logs,
- Deep web .onion browsing and/or connection sharing,
- Online chat-room logs,
- Social media activity log.

The first arrests are scheduled for April 8, 2019.

Why am I contacting you ?

I read the documentation and I know you are a wealthy person who may be
concerned about reputation.

I am one of several people who have access to those documents and I have
enough security clearance to amend and remove your details from this case.
Here is my proposition.

Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through
Bitcoin network to this special bitcoin address:

3EcEvozxnYvDX9EX3QR4PEYpdKbUKphLpv

You can transfer funds with online bitcoin exchanges such as Coinbase,
Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to
access and edit the files).

Upon confirming your transfer I will take care of all the files linked to
you and you can rest assured no one will bother you.

Please do not contact me. I will contact you and confirm only when I see the
valid transfer.

Regards,
Huey Ferguson
Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency

The mail also includes the same logo, in very poor quality, several times.

Note also that pedophilia is written as “paedophilia”[1] (an alternative spelling, but an unusual one). The only relevant information found about Huey Ferguson comes from ca.gov[2].

Here is a copy of the SMTP headers:

Return-Path: <hueyferguson@wysa.cia-us-govn.ga>
X-Original-To: <redacted>
Delivered-To: <redacted>
Received: by <redacted> (Postfix, from userid 65534)
    id 1270B1A8008F; Mon, 18 Mar 2019 21:54:15 +0100 (CET)
Received: from mx.wysa.cia-us-govn.ga (mx.wysa.cia-us-govn.ga [54.39.181.120])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by <redacted> (Postfix) with ESMTPS id 2AB631A80088
    for <redacted>; Mon, 18 Mar 2019 21:54:14 +0100 (CET)
Received: from [127.0.0.1] (mx.wysa.cia-us-govn.ga [127.0.0.1])
    by mx.wysa.cia-us-govn.ga (Postfix) with ESMTP id 44NT1t4GJLz2nKD
    for <redacted>>; Mon, 18 Mar 2019 20:54:10 +0000 (UTC)
Date: Mon, 18 Mar 2019 20:54:09 +0000
From: "Huey Ferguson" <hueyferguson@wysa.cia-us-govn.ga>
To: <redacted>
Subject: =?UTF-8?Q?Central=20Intelligence?==?UTF-8?Q?=20Agency=20-?= =?UTF-8?Q?=20Case=20#61587423?=
List-Unsubscribe: <http://wysa.cia-us-govn.ga/unsubscribe/WFFUV2c0bUl2ZkV3TCt6aXdBQkY1cWNNZ3Y4Z0EzbytueUxWQ1hsY3M5ZjF3dktzdXRiRUpWZ2FMZ0xDMkphRUlQVzZkYjI2cVhVcHlrNHRRc2hxUDRwbEordHdtYnBOUGpvNVpRL0RNVkU9>
Reply-To: <hueyferguson@wysa.cia-us-govn.ga>
User-Agent: Postfix 3.3.11
X-Sender: hueyferguson@wysa.cia-us-govn.ga
X-Mailer: Postfix 3.3.11
X-Priority: 3 (Normal)
Message-ID: <5c900571eee4c@wysa.cia-us-govn.ga>

The sender address uses a domain under the .ga TLD (Gabon, Africa), but the domain does not exist. The SMTP server is hosted at OVH in Canada (54.39.181.120).
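To pull the indicators used in the analysis above out of a suspicious mail automatically, here is a small Python triage script added as an example (it is not part of the diary): it walks the Received: headers to find the first relay with a public IP, extracts the sender domain and its TLD, checks whether that relay sits inside the sender's own domain, and scans the body for legacy Bitcoin addresses. The sample mail is a constructed copy of the quoted headers and body, with the recipient and the receiving host replaced by example.invalid placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: the diary's headers/body, recipient and receiving host replaced by example.invalid
RAW_MAIL = """\
Received: by mail.example.invalid (Postfix, from userid 65534)
    id 1270B1A8008F; Mon, 18 Mar 2019 21:54:15 +0100 (CET)
Received: from mx.wysa.cia-us-govn.ga (mx.wysa.cia-us-govn.ga [54.39.181.120])
    by mail.example.invalid (Postfix) with ESMTPS id 2AB631A80088
Received: from [127.0.0.1] (mx.wysa.cia-us-govn.ga [127.0.0.1])
    by mx.wysa.cia-us-govn.ga (Postfix) with ESMTP id 44NT1t4GJLz2nKD
From: "Huey Ferguson" <hueyferguson@wysa.cia-us-govn.ga>
Subject: =?UTF-8?Q?Central=20Intelligence?==?UTF-8?Q?=20Agency=20-?= =?UTF-8?Q?=20Case=20#61587423?=

Transfer exactly $10,000 USD (about 2.5 BTC) to this special bitcoin address:

3EcEvozxnYvDX9EX3QR4PEYpdKbUKphLpv
"""
# "from <helo> (<reverse-dns> [<ip>])" as Postfix writes it in Received: headers
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)?\s*\[([0-9a-fA-F.:]+)\]")
# Legacy (P2PKH/P2SH) Bitcoin address: base58 alphabet, starts with 1 or 3
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

def first_external_hop(msg):
    """First relay with a public IP, walking Received: from recipient (top) to sender."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(" ".join(received.split()))
        if not m:
            continue  # local delivery hop, no 'from' clause
        ip = ipaddress.ip_address(m.group(3))
        if ip.is_global:
            return m.group(1), m.group(2), str(ip)
    return None

def triage(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1]
    domain = sender.rpartition("@")[2]
    hop = first_external_hop(msg)
    return {
        "subject": " ".join(str(make_header(decode_header(msg["Subject"]))).split()),
        "sender_domain": domain,
        "sender_tld": domain.rpartition(".")[2],
        "relay_ip": hop[2] if hop else None,
        "relay_in_sender_domain": bool(hop) and hop[0].endswith(domain),
        "btc_addresses": BTC_ADDR.findall(msg.get_payload()),
    }
```

Here the relay hostname sits inside the sender's own domain, so there is no spoofed From: to flag; the tells are the domain itself and where it is hosted, as noted above.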

As usual with this kind of email, the conclusion is the same: just delete them and do not pay! But feel free to report more Bitcoin addresses to us!

[1] https://www.urbandictionary.com/define.php?term=paedophilia
[2] https://appellatecases.courtinfo.ca.gov/search/case/dockets.cfm?dist=0&doc_id=2266518&doc_no=S251894&request_token=NiIwLSIkXkg%2FWyBVSCNdUEJIQDw0UDxTJiJOJzNSMCAgCg%3D%3D

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
