Return-path: <johhas08041817672@alpen-koenig.eu> Envelope-to: wrodriguez@ifprc.com.pe Delivery-date: Fri, 03 Mar 2023 00:29:08 -0300 Received: from host203.190-228-234.telecom.net.ar ([190.228.234.203]:26414) by pyme91.pymedns.net with esmtp (Exim 4.94.2) (envelope-from <johhas08041817672@alpen-koenig.eu>) id 1pXw6O-007yQ7-Pc for wrodriguez@ifprc.com.pe; Fri, 03 Mar 2023 00:29:08 -0300 Message-ID: <002c01d94d67$0418723b$95546f99@ypjnpbct> From: <johhas08041817672@alpen-koenig.eu> To: <wrodriguez@ifprc.com.pe> Date: 2 Mar 2023 19:58:16 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="cp-850" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.4107 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.4107 X-Spam-Status: Yes, score=23.5 X-Spam-Score: 235 X-Spam-Bar: +++++++++++++++++++++++ X-Spam-Report: Spam detection software, running on the system "pyme91.pymedns.net", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: Dear user of ifprc.com.pe! I am a spyware software developer. Your account has been hacked by me couple months ago. The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2023-20026). Content analysis details: (23.5 points, 7.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 3.1 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000] 1.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% [score: 1.0000] 0.0 FROM_LOCAL_DIGITS From: localpart has long digit sequence 0.0 FROM_LOCAL_HEX From: localpart has long hexadecimal sequence 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see <https://www.spamcop.net/bl.shtml?190.228.234.203>] 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL [190.228.234.203 listed in psbl.surriel.com] 1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL, https://senderscore.org/blocklistlookup/ [190.228.234.203 listed in bl.score.senderscore.com] 3.0 RCVD_IN_ANONMAILS RBL: Relay is listed in spam.dnsbl.anonmails.de [190.228.234.203 listed in spam.dnsbl.anonmails.de] 1.6 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods 2.6 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1) 0.3 BITCOIN_XPRIO Bitcoin + priority 0.0 PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps 0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX 0.0 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX 2.5 DOS_OE_TO_MX Delivered direct to MX with OE headers 1.0 MALWARE_PASSWORD Malware bragging + "password" X-Spam-Flag: YES Subject: ***SPAM*** Security Notice. wrodriguez@ifprc.com.pe was hacked! Change your password now! Dear user of ifprc.com.pe! I am a spyware software developer. Your account has been hacked by me couple months ago. The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2023-20026). I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you. At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit. I note that it is useless to change the passwords. My malware update passwords from your accounts every times. I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :) I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality! So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts. Transfer $1300 to my Bitcoin cryptocurrency wallet: 1PNWAf qoNQhTR2 jCpcSPL 6P5XrC xCofqB3 Just copy and paste the wallet number when transferring. An important notice: I have specified my Bitcoin wallet with spaces, hence once you carry out a transfer, please make sure that you key-in my bitcoin address without spaces to be sure that your funds successfully reach my wallet! If you do not know how to do this - ask Google. My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system. Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it. Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material. P.S. Do not try to contact me (this is impossible, sender's address was randomly generated). I advise you to remain prudent and not engage in nonsense (all files on my server). Good luck!