Cyberbullying Report
Anti-Bullying and Internet Safety Services
Stop Letting Them Get Away with It!

Relentless Ransome Spam Email Attacks from "Save Yourself"

Relentless Ransome Spam Email Attacks from "Save Yourself"
Relentless Ransome Spam Email Attacks from "Save Yourself"
Report #: 1421 - 0 Comments
Date Reported: Tuesday, September 3, 2019
Status: Active and Ongoing
Severity: Low - Private Harassment
Primary Weapon: Email
Specific Location: Yuncheng, Shanxi
City/Local Area: Beijing
State/Territory: China
Region: East Asia

I have been under a relentless bombardment from a spammer or group of spammers demanding ransom with an ancient password I no longer use. The accounts they send mail to were all victims of a hack in 2011 in which I learned the hard way that FileZilla does not encrypt passwords that are stored in their system. Somehow I ended up with malware on my computer that sent someone all passwords used with FileZilla at that time and their software was able to hack the FTP servers of the websites, download files, and automatically append their own malicious script to each file. The end result they were looking for would have infected any visitor to those websites. Fortunately for those visitors the pages all rendered an error message because by appending that code to the files, the hackers placed HTML in places on on the pages where HTML was not allowed and so an error was displayed saying that illegal code was included in the file and the code would be displayed to the visitor without acutally running the file. They also put a RootKit on my computer that required a complete re-install of Windows and constant malware monitoring with Malwarebytes Premium.


The most recent emails always claim to be from "Save Yourself" and start with a subject like like "All your privacy - " followed by the ancient password. The body of the emails say something like:


"Hello, I know your password is : ###### Your computer was infected with my malware, RAT (Remote Administration Tool), your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit". My malware gave me full access and control over your computer, meaning, I got access to all your accounts (see password above) and I can see everything on your screen, turn on your camera or microphone and you won't even notice about it. I collected all your private data and I recorded you (through your webcam)! After that I removed my malware to not leave any traces. I can send the videos to all your contacts (email, social network), on the whole web, including the darknet where the very sick people are, I can publish absolutly everything I found on your computer! Only you can prevent me from doing this and only I can help you out in this situation. Transfer exactly 900$ with the current bitcoin (BTC) price to my bitcoin address. It's a very good offer, compared to all that horriblexxxxxxthat will happen if I publish everything! You can easily buy bitcoin here: www.paxful.com , www.coingate.com , www.coinbase.com , or check for bitcoin ATM near you, or Google for other exchanger. You can send the bitcoin directly to my address, or create your own wallet first here: www.login.blockchain.com/en/#/signup/ , then receive and send to mine. My bitcoin address is: 14WqqoWch8bDkFYUtxP96qUgyEQxDZhsoZ Copy and paste my address, it's (cAsE-sEnSEtiVE) I give you 3 days time pay. As I got access to this email account, I will know if this email has already been read. If you get this email multiple times, it's to make sure that you read it, my mailer script is configured like this and after payment you can ignore it. After receiving the payment, I will remove everything and you can life your live in peace like before. Next time update your browser before browsing the web."


Fortunately for me I do not and have never used a webcam, so I know that it is impossible for this guy to have turned on a camera and microphone that never existed. I have also never paid and have yet to see him use that old password to my detriment at all. I will never pay him anything and wish he would stop spamming every website that was hacked 8 years ago. He will gain nothing. Unfortunately I cannot simply block him as a sender because his spam bot changes the from email address header everytime. For instance this email said it was from "SaveYourself07@1156.com" and one before it came from "SaveYourself59@5989.com" as a result I need to find a different rule to keep this junk in the junk box where it belongs. But I do not want to block any email that says "save yourself" so I will probably just block the old password.


The redacted header from a recent email:


"Return-Path: SaveYourself07@1156.com Received: from smtp04.topdns.com (smtp04.topdns.com xxxxxxxxxxxxxx) by mail.xxxxxxxxx.com with ESMTP Wed, 14 Aug 2019 20:19:52 -0700

Received-SPF: none (1156.com: No applicable sender policy available) receiver=unknown identity=mailfrom envelope-from="SaveYourself07@1156.com" helo="60.222.139.151" client-ip=60.222.139.245 Received: from 60.222.139.151 (unknown 60.222.139.245) by smtp04.topdns.com (Postfix) with ESMTP id 9D268C63AF6 for webmaster@xxxxxxxxx.com Thu, 15 Aug 2019 05:10:18 +0200 (CEST) Received: from uiiarug (243.42.157.92) by 04285.com with MailEnable ESMTP Thu, 15 Aug 2019 11:19:53 +0800 Received: (qmail 11898 invoked by uid 118) 15 Aug 2019 11:19:51 +0800 From: Save Yourself SaveYourself07@1156.com To: webmaster@xxxxxxxxx.com Subject: All your privacy - xxxxxx Date: Thu, 15 Aug 2019 11:19:53 +0800 Message-ID: 118983.118983@04285.com Mime-Version: 1.0 Content-type: text/plain charset=utf-8"


Lesson to Be Learned:


If you use FileZilla only let it remember your password while you are logged in. You will have to enter it every time you use FileZilla but at least you will not risk having it stolen.


There Are 0 Comments

Login to Comment
 
 

Insert Loader
Your Data is Uploading...