* Yоu'rе my victim
@ 2018-07-25 17:06 g
2018-07-25 18:33 ` Toby Douglass
2018-07-26 2:03 ` U.Mutlu
0 siblings, 2 replies; 6+ messages in thread
From: g @ 2018-07-25 17:06 UTC
To: gcc-help
Hi, viсtim.
I writе you beсause I put a malwаre on the web pаgе with роrn whiсh you havе visited.
My virus grabbеd аll your рersоnal infо and turned on yоur сamеra which cарturеd thе proсess оf your оnanism. Just аftеr that the soft saved yоur соntаct list.
I will dеlеtе the сomрromising vidео and info if yоu pаy mе 500 EURO in bitcоin. This is аddress for раyment : 153j1FcUBe4LKd194idQho3tscFSeuYmRC
I give yоu 30 hоurs аftеr you open my mеssagе for mаking thе transаction.
Аs sоon as you rеad the mеssage I'll sее it right away.
It is nоt nеcеssаry tо tеll mе thаt yоu havе sent mоney tо me. This address is сonnected tо yоu, my system will delеte evеrything аutоmatically after transfеr cоnfirmatiоn.
If yоu nеed 48 h just reply оn this lеttеr with +.
You сan visit the pоliсe station but nobody cаn hеlp you.
If you try tо decеivе mе , I'll sеe it right аway !
I dоnt livе in your соuntry. Sо thеy cаn not trасk my locаtiоn evеn for 9 mоnths.
Gооdbye. Dont fоrgеt аbоut the shamе and to ignore, Yоur life cаn be ruined.
* Re: Yоu'rе my victim
2018-07-25 17:06 Yоu'rе my victim g
@ 2018-07-25 18:33 ` Toby Douglass
2018-07-26 2:03 ` U.Mutlu
1 sibling, 0 replies; 6+ messages in thread
From: Toby Douglass @ 2018-07-25 18:33 UTC
To: gcc-help
On 25/07/18 17:43, g wrote:
> Hi, viсtim.
[snip]
Interesting. I read about this scam, but it's the first time I've seen it.
* Re: Yоu'rе my victim
2018-07-25 17:06 Yоu'rе my victim g
2018-07-25 18:33 ` Toby Douglass
@ 2018-07-26 2:03 ` U.Mutlu
2018-07-26 4:02 ` U.Mutlu
1 sibling, 1 reply; 6+ messages in thread
From: U.Mutlu @ 2018-07-26 2:03 UTC
To: abuse, ronstin, oliverx; +Cc: gcc-help, g
g wrote on 07/25/2018 06:43 PM:
> Hi, viсtim.
> I writе you beсause I put a malwаre on the web pаgе with роrn whiсh you havе visited.
> My virus grabbеd аll your рersоnal infо and turned on yоur сamеra which cарturеd thе proсess оf your оnanism. Just аftеr that the soft saved yоur соntаct list.
> I will dеlеtе the сomрromising vidео and info if yоu pаy mе 500 EURO in bitcоin. This is аddress for раyment : 153j1FcUBe4LKd194idQho3tscFSeuYmRC
>
> I give yоu 30 hоurs аftеr you open my mеssagе for mаking thе transаction.
> Аs sоon as you rеad the mеssage I'll sее it right away.
> It is nоt nеcеssаry tо tеll mе thаt yоu havе sent mоney tо me. This address is сonnected tо yоu, my system will delеte evеrything аutоmatically after transfеr cоnfirmatiоn.
> If yоu nеed 48 h just reply оn this lеttеr with +.
> You сan visit the pоliсe station but nobody cаn hеlp you.
> If you try tо decеivе mе , I'll sеe it right аway !
> I dоnt livе in your соuntry. Sо thеy cаn not trасk my locаtiоn evеn for 9 mоnths.
> Gооdbye. Dont fоrgеt аbоut the shamе and to ignore, Yоur life cаn be ruined.
>
The above mail was sent to a mailing list, i.e. to all subscribers of the
mailing list.
Analysis of the mail headers:
Received: from 007s.us (HELO 007s.us) (185.180.196.43)
----------------------------------
Mail headers (filtered):
Mailing-List: contact gcc-help-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-help.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-help/>
List-Post: <mailto:gcc-help@gcc.gnu.org>
List-Help: <mailto:gcc-help-help@gcc.gnu.org>
Sender: gcc-help-owner@gcc.gnu.org
Delivered-To: mailing list gcc-help@gcc.gnu.org
Received: (qmail 43839 invoked by uid 89); 25 Jul 2018 16:44:26 -0000
Authentication-Results: sourceware.org; auth=none
X-HELO: 007s.us
Received: from 007s.us (HELO 007s.us) (185.180.196.43) by sourceware.org
(qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 25 Jul 2018 16:44:25 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mail; d=007s.us;
h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type;
i=noreply@007s.us; bh=iUhaeHjVAVXcPqwXQ+g7nHQf1RY5aL0h0oLfoOS8was=;
b=dwj30hJwL7MOA8razdCjaVhyxYonhphRJkJl7O1nnxJSa3mw7tEnVYwiYciOiG1jn/mZGrg1Kzv7
9BqX9IYkkaHUAArdbwCGNoU6WE28XCWxY37sc+BCI1sim8ONmDH9yqRBPR9inJdaNRzTVPj8YRIx
YQa5q3jOFbpYkn3FIjM=
Message-ID: <28D29B0376A28DAE72773EB256A013F9@007s.us>
From: "g" <noreply@007s.us>
To: <gcc-help@gcc.gnu.org>
Subject: =?windows-1251?B?We51J3LlIG15IHZpY3RpbQ==?=
Date: Wed, 25 Jul 2018 17:43:56 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
----------------------------------
whois 007s.us:
Domain Name: 007s.us
Registry Domain ID: D2310738-US
Registrar WHOIS Server:
Registrar URL: whois.aitdomains.com
Updated Date: 2018-05-11T07:33:41Z
Creation Date: 2002-05-06T23:15:52Z
Registry Expiry Date: 2019-05-05T23:59:59Z
Registrar: Advanced Internet Technologies, Inc.
Registrar IANA ID: 57
Registrar Abuse Contact Email: abuse@ait.com
Registrar Abuse Contact Phone: +1.8772095184
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: C2310736-US
Registrant Name: John h. Hong
Registrant Organization: ronstin
Registrant Street: 7119 Seville Ave # D
Registrant Street:
Registrant Street:
Registrant City: Huntington Park
Registrant State/Province: CA
Registrant Postal Code: 90255
Registrant Country: US
Registrant Phone: +1.3235825171
Registrant Phone Ext: 9999
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ronstin@att.net
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Registry Admin ID: C32507768-US
Admin Name: John h. Hong
Admin Organization: ronstin
Admin Street: 7719 Pacific Blvd
Admin Street:
Admin Street:
Admin City: Huntington Park
Admin State/Province: CA
Admin Postal Code: 90255
Admin Country: US
Admin Phone: +1.3232778080
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: oliverx@pacbell.net
Admin Application Purpose: P1
Admin Nexus Category: C11
Registry Tech ID: C2310735-US
Tech Name: John h. Hong
Tech Organization: ronstin
Tech Street: 7119 Seville Ave # D
Tech Street:
Tech Street:
Tech City: Huntington Park
Tech State/Province: CA
Tech Postal Code: 90255
Tech Country: US
Tech Phone: +1.3235825171
Tech Phone Ext: 9999
Tech Fax:
Tech Fax Ext:
Tech Email: ronstin@att.net
Tech Application Purpose: P1
Tech Nexus Category: C11
Name Server: ns69.domaincontrol.com
Name Server: ns70.domaincontrol.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-07-25T18:00:58Z <<<
----------------------------------
dig 007s.us any:
; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> 007s.us any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60455
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;007s.us. IN ANY
;; ANSWER SECTION:
007s.us. 3599 IN NS ns69.domaincontrol.com.
007s.us. 3599 IN NS ns70.domaincontrol.com.
007s.us. 3599 IN SOA ns69.domaincontrol.com. dns.jomax.net. 2018071907 28800
7200 604800 600
007s.us. 599 IN MX 10 mail.007s.us.
007s.us. 599 IN TXT "v=spf1 ip4:185.180.196.43 a mx ~all"
007s.us. 599 IN A 185.180.196.43
;; AUTHORITY SECTION:
007s.us. 3599 IN NS ns69.domaincontrol.com.
007s.us. 3599 IN NS ns70.domaincontrol.com.
;; Query time: 145 msec
;; SERVER: 37.139.71.2#53(37.139.71.2)
;; WHEN: Wed Jul 25 20:07:50 CEST 2018
;; MSG SIZE rcvd: 253
----------------------------------
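An added example (not part of the thread): decoding the Subject header quoted in the filtered headers above and flagging words that mix Latin and Cyrillic letters, the lookalike substitution visible throughout the spam body. The function names and the small lookalike table are assumptions made for this illustration.

```python
import unicodedata
from email.header import decode_header

# Subject header exactly as quoted in the filtered mail headers above.
RAW_SUBJECT = "=?windows-1251?B?We51J3LlIG15IHZpY3RpbQ==?="

# Partial, hand-built table of Cyrillic letters that render like Latin ones
# (an assumption for this example, not a complete confusables list).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def decode_subject(raw):
    """Decode an RFC 2047 encoded-word header value to a Unicode string."""
    parts = []
    for data, charset in decode_header(raw):
        if isinstance(data, bytes):
            data = data.decode(charset or "ascii", errors="replace")
        parts.append(data)
    return "".join(parts)


def script_of(ch):
    """Coarse script label: first word of the Unicode character name."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def mixed_script_words(text):
    """Return (word, {script: [chars]}) for each word using several scripts."""
    hits = []
    for word in text.split():
        scripts = {}
        for ch in word:
            label = script_of(ch)
            if label:
                scripts.setdefault(label, []).append(ch)
        if len(scripts) > 1:
            hits.append((word, scripts))
    return hits


def fold_lookalikes(text):
    """Map known lookalikes to ASCII so keyword filters see the plain word."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in text)


if __name__ == "__main__":
    subject = decode_subject(RAW_SUBJECT)
    for word, scripts in mixed_script_words(subject):
        print("mixed-script word:", ascii(word), sorted(scripts))
    print("folded subject:", fold_lookalikes(subject))
```

A word that mixes scripts is a stronger signal than the mere presence of Cyrillic, since legitimate Russian-language mail uses one script per word.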
* Re: Yоu'rе my victim
2018-07-26 2:03 ` U.Mutlu
@ 2018-07-26 4:02 ` U.Mutlu
2018-07-26 18:37 ` Yоu'rе my victim^H^H^H^Hspam Dennis Clarke
0 siblings, 1 reply; 6+ messages in thread
From: U.Mutlu @ 2018-07-26 4:02 UTC
Cc: gcc-help
Update:
The domain IP has been taken off by the abuse-dept and/or the authorities... :-)
$ ping 185.180.196.43
PING 185.180.196.43 (185.180.196.43) 56(84) bytes of data.
^C
--- 185.180.196.43 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6120ms
* Re: Yоu'rе my victim^H^H^H^Hspam
2018-07-26 4:02 ` U.Mutlu
@ 2018-07-26 18:37 ` Dennis Clarke
2018-07-27 4:39 ` U.Mutlu
0 siblings, 1 reply; 6+ messages in thread
From: Dennis Clarke @ 2018-07-26 18:37 UTC
To: gcc-help
On 07/25/2018 10:03 PM, U.Mutlu wrote:
> Update:
>
> The domain IP has been taken off
A word or two for your edification :
1) ping proves nothing as ICMP can be blocked easily
2) never ever reply in any way to spam
3) look at (2) again because you did follow up on the ml
4) even worse I felt motivated to break (3) to correct/help you
Dennis
* Re: Yоu'rе my victim^H^H^H^Hspam
2018-07-26 18:37 ` Yоu'rе my victim^H^H^H^Hspam Dennis Clarke
@ 2018-07-27 4:39 ` U.Mutlu
0 siblings, 0 replies; 6+ messages in thread
From: U.Mutlu @ 2018-07-27 4:39 UTC
To: Dennis Clarke, gcc-help
Dennis Clarke wrote on 07/26/2018 07:10 PM:
> On 07/25/2018 10:03 PM, U.Mutlu wrote:
>> Update:
>>
>> The domain IP has been taken off
>
> A word or two for your edification :
>
> 1) ping proves nothing as ICMP can be blocked easily
His previously open ports (22, 25, 80) are down too... So... :-)
> 2) never ever reply in any way to spam
I made an Abuse Report, if you know what it is. See the Abuse Contact and
where the reply went to...
> 3) look at (2) again because you did follow up on the ml
And? Just informing the ML that someone, me, has reported that criminal.
> 4) even worse I felt motivated to break (3) to correct/help you
In such matters I don't need your help as I have experience in such matters
as I once wrote a tool to automate such reporting (was then mainly against
spammers).
Such blackmailing mails are relatively new, since last ~ 3 yrs or so.