Vol. 24, #9 - March 04, 2019 - Issue #1221

WServerNews: Identifying email extortion

Free Tool for Monitoring Exchange Server Status & Performance 


SolarWinds® Exchange Monitor is a free tool that allows users to monitor Microsoft® Exchange™ Server 2013 and 2016. Get basic information about the server’s metrics, services, and database availability group (DAG) status. Add as many Exchange Servers as you wish. Simply click the “Add Server” button and fill IP address/domain name and credentials.

Download Free Tool

Editor's Corner

This morning I checked my inbox and found the following email:

Hello!

As you may have noticed, I sent you an email from your account. This means that I have full access to your account.

I've been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this, transfer the amount of $625 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin"). My bitcoin address (BTC Wallet) is: 1DASN5fH1E1PCoxU9qMEF7QDjnXcA2b3Km

After receiving the payment, I will delete the video and you will never hear me again.

I give you 48 hours to pay. I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best regards!

Email extortion like this has been in the news a lot lately, and I'm sure that many of our readers have encountered similar attempts to extort money from them. Some recent news items on this subject include the following:

New Email Extortion Scam Bomb Threat Demands Bitcoin (KnowBe4)

https://blog.knowbe4.com/heads-up-new-email-extortion-scam-bomb-threat-demands-bitcoin

Sextortion Scam Uses Recipient's Hacked Passwords (Krebs on Security)

https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
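The message quoted above has the hallmarks such scams share: a claim of access, a surveillance claim, a threat to leak, a Bitcoin address, a dollar amount and a deadline, plus a line discouraging the reader from reporting it. The following Python is an added example, not code from the newsletter or from any of the linked articles: a content-based scoring rule that looks for those indicators in a message body. The indicator list, the weights and the threshold are my own choices; the first sample is an abridged copy of the message quoted above and the second is a constructed benign message, both embedded so the script runs offline.

```python
import re

# Indicators drawn from the extortion message quoted in the editorial.
# Names, patterns and weights are this example's own choice, not a
# published ruleset; tune them against your own mail corpus.
INDICATORS = [
    # Syntactic Bitcoin address (base58: no 0, O, I or l), 26-35 chars.
    ("bitcoin_address", re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"), 3),
    ("payment_demand", re.compile(r"\$\s?\d{2,}|bitcoin|btc wallet", re.I), 2),
    ("deadline", re.compile(r"\b\d{1,3}\s+hours?\b", re.I), 2),
    ("surveillance_claim", re.compile(r"\b(camera|microphone|video|screen)\b", re.I), 1),
    ("access_claim", re.compile(r"full access|your account|malware|trojan", re.I), 1),
    ("threat_to_leak", re.compile(r"send (this )?video|contacts|distribut", re.I), 2),
    ("report_discouraged", re.compile(r"complaint|cannot be tracked|do not make any mistakes", re.I), 1),
]
THRESHOLD = 6  # any single indicator stays below this; several together trip it


def score_message(body):
    """Return (total_score, {indicator_name: weight}) for one message body."""
    hits = {}
    for name, pattern, weight in INDICATORS:
        if pattern.search(body):
            hits[name] = weight
    return sum(hits.values()), hits


def is_extortion(body):
    """True when enough independent indicators co-occur in the body."""
    return score_message(body)[0] >= THRESHOLD


# Constructed sample: abridged from the extortion message quoted above.
SCAM_SAMPLE = (
    "As you may have noticed, I sent you an email from your account. This means "
    "that I have full access to your account. I made a video of you and turned on "
    "the camera. With one click of the mouse, I can send this video to all your "
    "emails and contacts on social networks. If you want to prevent this, transfer "
    "the amount of $625 to my bitcoin address. My bitcoin address (BTC Wallet) is: "
    "1DASN5fH1E1PCoxU9qMEF7QDjnXcA2b3Km I give you 48 hours to pay. Filing a "
    "complaint somewhere does not make sense because this email cannot be tracked."
)

# Constructed benign sample that still trips one indicator (a duration in hours).
BENIGN_SAMPLE = (
    "Reminder: the Exchange maintenance window opens Friday at 22:00 and lasts "
    "2 hours. Email me if DAG status looks off afterwards."
)

if __name__ == "__main__":
    for label, body in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        total, hits = score_message(body)
        print(f"{label}: score={total} extortion={is_extortion(body)} hits={sorted(hits)}")
```

The Bitcoin pattern is only syntactic, so other base58-looking tokens (some hashes, shortened IDs) can match it; that is why it is a weighted indicator rather than a verdict on its own, and why a single hit such as the benign sample's "2 hours" stays well under the threshold.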


This particular email didn't worry me however for several reasons. First, if someone really wanted to extort money from me they would need to trick me into opening a phishing email that encrypted all the data stored on my computer making it inaccessible to me. Having done that they could then try and extort money from me to get them to unlock the encrypted data. Good luck with that.

Then there's the actual nature of the threat implied in their email. They say that they've gained control of the camera and microphone on my PC and have an incriminating video of me. But there's no camera or microphone on our office PCs, as they're desktops, not laptops. (We also tape over the built-in camera on all our laptops, and I actually "disabled" the built-in microphones on my own laptop using a sewing needle, which is something I really don't recommend trying.)

Then there are the message headers of this email, which read as follows:

X-Envelope-From: [email protected]
Return-Path: <[email protected]>
Received: from host-206-net-102-160-119.mobilinkinfinity.net.pk (host-206-net-102-160-119.mobilinkinfinity.net.pk [119.160.102.206] (may be forged))
by mail96c7.megamailservers.com (8.14.9/8.13.1) with ESMTP id x1PKME9h031270
for <[email protected]>; Mon, 25 Feb 2019 15:22:17 -0500
Message-ID: <[email protected]>
From: <[email protected]>
To: <[email protected]>
Subject: The decision to suspend your account. Waiting for payment.
Date: 26 Feb 2019 04:55:12 +0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.4322
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.4322
X-CTCH-Spam: Confirmed
X-CTCH-VOD: Unknown
X-CTCH-RefID: str=0001.0A02020B.5C744E7A.00F5,ss=4,re=0.000,recu=0.000,reip=0.000,pt=C_5708,cl=4,cld=1,fgs=12
X-CSC: 100
X-CHA: v=2.3 cv=D8tp1MZj c=1 sm=1 tr=0 p=qleB87htwrEA:10 p=G_Ged1UdEkcA:10
a=zcuXhQgbCHc+1SaD96pTSw==:117 a=zcuXhQgbCHc+1SaD96pTSw==:17
a=t1nvviL9iAQA:10 a=G7ipKTrHp8AA:10 a=ilbA_pwHWIpUhlBkRWQA:9
a=tsszc8YBZ5R3n47-:21 a=0AzBmXreBEsyrksH:21 a=JxIORQWYtW0A:10
a=pHzHmUro8NiASowvMSCR:22 a=xoEH_sTeL_Rfw54TyV31:22
X-WHL: LR

There are a few things of interest one can immediately see from these headers. First, the Received header says that the message came from a host with DNS name host-206-net-102-160-119.mobilinkinfinity.net.pk. But a simple ping or nslookup indicates that no such DNS host exists on the Internet. The IP address 119.160.102.206 does exist however, and by using a tool like IPAddress.com you can look up who owns this address, which turns out to be Mobilink Mobile Internet in the city of Lahore, Pakistan. The type of connection is cellular, so the sender must have sent this email from his smartphone:

[Image: IPAddress.com lookup result for 119.160.102.206]

Then there's the presence of the words "may be forged" in this line of the message headers:

Received: from host-206-net-102-160-119.mobilinkinfinity.net.pk (host-206-net-102-160-119.mobilinkinfinity.net.pk [119.160.102.206] (may be forged))
by mail96c7.megamailservers.com (8.14.9/8.13.1) with ESMTP id x1PKME9h031270
for <[email protected]>; Mon, 25 Feb 2019 15:22:17 -0500

These words were inserted into the header by the relaying mail server mail96c7.megamailservers.com when it performed a reverse hostname lookup of the connecting client's IP address and then looked up the IP addresses for that hostname. When the relaying mail server found that these lookups produced inconsistent results, it inserted the tag "may be forged" into the Received line of the message header. But the mere presence of the phrase "may be forged" in an email message header doesn't necessarily mean that the email has been forged; it just means that there is a mismatch in DNS between the A and PTR records for the sending host. At least that's how I understand it; readers with deeper insight into how email works can elucidate this further for our readers' benefit by emailing me at [email protected]

The final thing that made me chuckle was this header line:

X-Mailer: Microsoft Outlook Express 6.00.2600.4322

Since when does a hacker work from a PC running Windows XP?
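The three observations above (the client IP and name in the Received line, the "(may be forged)" tag, and the X-Mailer) can be pulled out of a message by script. The following Python is an added example, not code from the newsletter: it parses the Received header quoted above, reproduces the forward-confirmed reverse DNS comparison that leads sendmail to append "(may be forged)", and goes one step beyond the text by comparing the Date header with the relay's receipt timestamp. DNS answers come from a stub table so the script runs offline; the missing A record for the mobilinkinfinity host follows the nslookup result reported above, while the example.com mailboxes, the mx.example.net host and the 203.0.113.10 control address are constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the headers quoted in the editorial; the
# mailbox parts the page had redacted are replaced with example.com addresses.
RAW_MESSAGE = (
    "Return-Path: <sender@example.com>\n"
    "Received: from host-206-net-102-160-119.mobilinkinfinity.net.pk "
    "(host-206-net-102-160-119.mobilinkinfinity.net.pk [119.160.102.206] "
    "(may be forged))\n"
    "\tby mail96c7.megamailservers.com (8.14.9/8.13.1) with ESMTP id x1PKME9h031270\n"
    "\tfor <victim@example.com>; Mon, 25 Feb 2019 15:22:17 -0500\n"
    "From: <sender@example.com>\n"
    "To: <victim@example.com>\n"
    "Subject: The decision to suspend your account. Waiting for payment.\n"
    "Date: 26 Feb 2019 04:55:12 +0400\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.4322\n"
    "\n"
    "body\n"
)

# Stub DNS tables (constructed) so the example runs offline; a live check
# would use socket.gethostbyaddr / socket.gethostbyname_ex instead.
PTR_TABLE = {
    "119.160.102.206": "host-206-net-102-160-119.mobilinkinfinity.net.pk",
    "203.0.113.10": "mx.example.net",          # well-configured control host
}
A_TABLE = {
    # The editorial reports that nslookup finds no such host: no A records.
    "host-206-net-102-160-119.mobilinkinfinity.net.pk": [],
    "mx.example.net": ["203.0.113.10"],
}

# sendmail-style Received line: from HELO (PTR-NAME [IP] (may be forged)) by RELAY ...; DATE
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]"
    r"(?P<forged> \(may be forged\))?\) by (?P<relay>\S+) .*?; (?P<date>.+)$"
)


def parse_received(value):
    """Split one Received header into fields; folding whitespace is collapsed
    first so the regex sees a single line."""
    flat = " ".join(value.split())
    match = RECEIVED_RE.match(flat)
    if not match:
        raise ValueError("unrecognised Received syntax: " + flat)
    fields = match.groupdict()
    fields["forged_flag"] = fields.pop("forged") is not None
    fields["received_at"] = parsedate_to_datetime(fields.pop("date"))
    return fields


def fcrdns_consistent(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS, the test behind "(may be forged)": the
    PTR name for the IP must resolve back to A records that include the IP.
    Returns (consistent, ptr_name)."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return False, None
    return ip in a_lookup(ptr), ptr


def analyze(raw, ptr_lookup=PTR_TABLE.get, a_lookup=lambda name: A_TABLE.get(name, [])):
    """Collect the header facts a responder would record for one message."""
    msg = message_from_string(raw)
    hop = parse_received(msg.get_all("Received")[0])  # topmost = last hop before us
    consistent, ptr = fcrdns_consistent(hop["ip"], ptr_lookup, a_lookup)
    claimed = parsedate_to_datetime(msg["Date"])
    return {
        "client_ip": hop["ip"],
        "helo_name": hop["helo"],
        "relay": hop["relay"],
        "relay_flagged_forged": hop["forged_flag"],
        "fcrdns_consistent": consistent,
        "ptr_name": ptr,
        # Positive: the Date header claims the mail was written *after* the
        # relay logged receiving it, i.e. a wrong or fabricated sender clock.
        "date_skew_seconds": int((claimed - hop["received_at"]).total_seconds()),
        "x_mailer": msg["X-Mailer"],
    }


if __name__ == "__main__":
    for key, val in analyze(RAW_MESSAGE).items():
        print(f"{key:>22}: {val}")
```

For the sample the relay's flag and the stub lookup agree (the PTR name has no A record), and the Date header sits about four and a half hours after the relay's receipt time. Treat both as signals to weigh, not proof: plenty of legitimate but badly configured senders fail forward-confirmed reverse DNS, and a skewed clock on its own is common.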

How do you identify and deal with the flood of spoofed emails and the threats they sometimes contain? Email your thoughts and suggestions to us and I'll share them for the benefit of our newsletter readers: [email protected]

Cheers,
Mitch Tulloch, Senior Editor
WServerNews.com


 

Tip of the Week

Got any IT pro tips you'd like to share with other readers of our newsletter? Email us at [email protected]

Fixing failed Active Directory trust relationship

Here's a short tip from Stafano Mapelli on how you can use PowerShell to reset the password for your PC's computer account when the trust relationship between your PC and the domain has failed for some reason:

http://www.wservernews.com/go/nkmmmcwo/

Much easier than removing your computer from the domain and then joining it again.

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without 

GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at [email protected]

SysKit Shell is a new solution that allows system admins to run 

http://www.wservernews.com/go/m85b2zbk/

R-HUB provides you video/web/audio conferencing and remote support server that YOU own and YOU control--forever!

http://www.wservernews.com/go/48kimyiv/

Sysmalogic Active Directory Report Builder is a simple to use multi-domain auditing tool for compliance requirements that provides AD reporting at a moment's notice:

http://www.wservernews.com/go/10y4qrwv/

 



Factoid - Do coffee and music mix?

Last week's factoid and question was this:

Fact: Smartphones are becoming increasingly minimalist to the point where they don't have a headphone jack, charging port, SIM card slot, speaker grill, or buttons. Just a couple of pinholes.

Question: What's next? Get rid of the screen?

George from Philadelphia, USA replied with a good-as-gold answer:

Nope, get rid of your phone instead!

I'll say amen to that!

Now let's move on to this week's factoid:

Fact: Starbucks' music is driving employees nuts!

Source: http://www.wservernews.com/go/krcyo4iw/

Question: What kind of music would you prefer your local coffee shop to play over their speakers? Or would you prefer silence instead?

Email your answer to [email protected]

 

 

Conference calendar

>> Got an IT conference happening in North America that you'd like to promote in our newsletter? Email us at [email protected]

Microsoft Ignite 2019

Nov 4-8, 2019 in Orlando, Florida

http://www.wservernews.com/go/d9xi0005/

 

Microsoft Ignite -- The Tour

Register for your city's Tour event here:

http://www.wservernews.com/go/okhpsmfz/


More Microsoft conferences

Microsoft Business Applications Summit - June 10-11 in Atlanta, Georgia

http://www.wservernews.com/go/yui2tnpn/

Microsoft DevDays - June 17-21 in Redmond, Washington USA

http://www.wservernews.com/go/p78mouq1/

Microsoft Inspire - July 14-18 in Las Vegas, Nevada USA

http://www.wservernews.com/go/qeezs2nz/


Infosec conferences

Black Hat Asia - March 26-29 in Singapore

http://www.wservernews.com/go/cebhl86y/

Cyber Security Summit - April 4 in Denver, Colorado USA

http://www.wservernews.com/go/kxz22as6/

Cyber Security Summit - April 25 in Philadelphia, Pennsylvania USA

http://www.wservernews.com/go/dftvpw2f/

European Identity & Cloud Conference - May 14-17 in Munich, Germany

http://www.wservernews.com/go/g7u3hhj7/

Cyber Security Summit - May 15 in Dallas, Texas USA

http://www.wservernews.com/go/hf72jmbf/

Infosecurity Europe - June 4-6 in London, England

http://www.wservernews.com/go/zz0h6wxg/

Gartner Security & Risk Management Summit - June 17-20 in National Harbor, Maryland USA

http://www.wservernews.com/go/502kt8ez/

Cyber Security Summit - June 27 in Washington D.C. USA

http://www.wservernews.com/go/ywyrbvrk/


Other conferences

SQLBits: The SQL Server Conference - Feb 27 to Mar 2 in Manchester, England

http://www.wservernews.com/go/p8bvxb6e/

Technology and Solutions Summit 2019 - March 11-15 in Paris, France

http://www.wservernews.com/go/pirnhs5v/

IT Nation Connect - March 25-27 in Gold Coast, Australia

http://www.wservernews.com/go/0z9hp3e6/

Dell Technologies World - April 29 to May 2 in Las Vegas, Nevada USA

http://www.wservernews.com/go/89b485yg/

SharePoint Fest - April 29 to May 3 in Washington D.C. USA

http://www.wservernews.com/go/brw5xzcr/

VeeamON (Veeam) - May 20-22 in Miami, Florida USA

http://www.wservernews.com/go/usmusfxm/

Citrix Synergy - May 21-23 in Atlanta, Georgia USA

http://www.wservernews.com/go/g1afpxyg/

SharePoint Conference - May 21-23 in Las Vegas, Nevada USA

http://www.wservernews.com/go/qp1qbp49/

Computex - May 28 to June 1 in Taipei, Taiwan

http://www.wservernews.com/go/i3mythcf/

Microsoft Azure + AI Conference - June 10-13 in Atlanta, Georgia

http://www.wservernews.com/go/vonr1bbb/

Cloud & DevOps World - June 12-13 in London, England

http://www.wservernews.com/go/0azcmcc0/


 

New on TechGenix.com

Software development in the cloud: Benefits and challenges

Although most developers are still coding locally, there are benefits from software development in the cloud. But yes, there are challenges too.

http://www.wservernews.com/go/ufk92z0j/


The down and dirty on data cleaning: Best practices

Data is among your most precious assets. But by not practicing good data hygiene, it can become unusable. These data cleaning tips will keep it safe.

http://www.wservernews.com/go/shtea2wo/


Using PowerShell to locate a Hyper-V virtual machine

What can you do if you need to know which Hyper-V host a particular VM is running on? Roll up your sleeves and use these helpful PowerShell commands.

http://www.wservernews.com/go/5cduxltn/


Supersize your ITSM: 9 ways AI can bolster IT service management

Adding AI to your IT service management boosts your company's productivity. Here is why AI-powered ITSM should be the backbone of your organization.

http://www.wservernews.com/go/9juy4lbm/


Xtreme Podcast: Contentious issues on continuous authentication

In this week's Xtreme Podcast: How we authenticate must change, but are biometrics the answer? Also, in the dark about tech's block boxes.

http://www.wservernews.com/go/ev3kp84x/

 

 

Fun videos from Flixxy

Three German Shepherds In A British Pub

The funny story of three German Shepherds, Jade, Guy, and Izzy from the George Hotel pub in Castle Cary, Somerset, Great Britain:

http://www.wservernews.com/go/frlygrxr/


World Record Airplane Water Ski

Incredible piloting and amazing videography of Kevin Quinn water-skiing his plane continuously for 46 miles around Lake Tahoe:

http://www.wservernews.com/go/bqek3xte/


Flying With The Birds

Extraordinary footage of microlight pilot Christian Moullec flying with orphaned geese as he helps them migrate:

http://www.wservernews.com/go/5lvd9s6q/


Magician Shin Lim Is Back with Another Amazing Trick For Ellen

Shin Lim just won 'America's Got Talent: The Champions' and now he's back on Ellen with another astonishing card trick:

http://www.wservernews.com/go/y20ed61p/

 

More articles of interest

How can IT turn off Windows 10 automatic updates?

In some cases, IT pros should disable Windows 10 updates to gain control over the process. They can use methods such as editing group policies and setting a metered connection. Learn how here.

http://www.wservernews.com/go/i4wrvr7h/


VMware NSX 6.4 introduces upgrade planner, HTML5 features

VMware NSX features new to 6.4 include an upgrade planner and improved firewall functionality. Users can access these features from vSphere Client, which includes new HTML5 components.

http://www.wservernews.com/go/h7lwrsjm/


VMworld conference coverage

Check out this guide for news and updates about VMware's software-defined data center and virtualization offerings, the company's cloud computing and container strategy, and its latest advancements in desktop and end-user computing.

http://www.wservernews.com/go/27puesq4/


Every company already 'does mobility,' no matter what!

Don't have EMM, custom apps, or a 'mobile center of excellence'? Guess what, you've still gone mobile!

http://www.wservernews.com/go/ifc4x3w3/

 

Need help from the IT pro community?

WServerNews goes out each week to more than 500,000 IT pro subscribers worldwide! That's a lot of expertise to tap into. Do you need help with some technical problem or are looking for expert advice on something IT-related? Ask Our Readers by emailing your problems and/or questions to us at [email protected] 

 

Send us your feedback!

Got feedback about anything in this issue of WServerNews? Email us at [email protected]

 


WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.