iT邦幫忙

5

Bitcoin extortion email

Recently some of the company's mailboxes keep receiving extortion emails like the one below. The mail is sent from random overseas IPs,
and the "sender" and "recipient" are both the user's own address. We first suspected the mailbox password had been cracked, but after
changing the password the mail keeps arriving. The company mail server is hosted on our internal network. What could the problem be?

The email body is as follows:

Hello!

I'm a programmer who cracked your email account and device about half year ago.
You entered a password on one of the insecure site you visited, and I catched it.

Of course you can will change your password, or already made it.
But it doesn't matter, my rat software update it every time.

Please don't try to contact me or find me, it is impossible, since I sent you an email from your email account.

Through your e-mail, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
Also I installed a rat software on your device and long tome spying for you.

You are not my only victim, I usually lock devices and ask for a ransom.
But I was struck by the sites of intimate content that you very often visit.

I am in shock of your reach fantasies! Wow! I've never seen anything like this!
I did not even know that SUCH content could be so exciting!

So, when you had fun on intime sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I jointed them to the content of the currently viewed site.

Will be funny when I send these photos to your contacts! And if your relatives see it?
BUT I'm sure you don't want it. I definitely would not want to ...

I will not do this if you pay me a little amount.
I think $823 is a nice price for it!

I accept only Bitcoins.
My BTC wallet: 17XHRucfd4kx3W5ty7ySLGiKHqmPUUdpus

If you have difficulty with this - Ask Google "how to make a payment on a bitcoin wallet". It's easy.
After receiving the above amount, all your data will be immediately removed automatically.
My virus will also will be destroy itself from your operating system.

My Trojan have auto alert, after this email is looked, I will be know it!

You have 2 days (48 hours) for make a payment.
If this does not happen - all your contacts will get crazy shots with your dirty life!
And so that you do not obstruct me, your device will be locked (also after 48 hours)

Do not take this frivolously! This is the last warning!
Various security services or antiviruses won't help you for sure (I have already collected all your data).

Here are the recommendations of a professional:
Antiviruses do not help against modern malicious code. Just do not enter your passwords on unsafe sites!

I hope you will be prudent.
Bye.

Mail headers attached:
Received: from customer-189-216-57-31.cablevision.net.mx (unknown [189.216.57.31])
by mail.xxx.com.tw (Postfix) with ESMTP id 318A26AE4059
for moska@xxx.com.tw; Mon, 29 Oct 2018 08:14:52 +0800 (CST)
Message-ID:
From: moska@xxx.com.tw
To: moska@xxx.com.tw
Subject: moska@xxx.com.tw is compromised. Password must be changed
Date: 28 Oct 2018 10:56:13 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.0471
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.0471

SMTP log:
Oct 29 08:14:52 mail postfix/smtpd[3226]: disconnect from unknown[189.216.57.31]
Oct 29 08:14:52 mail postfix/smtpd[3226]: 318A26AE4059: client=unknown[189.216.57.31]
Oct 29 08:14:51 mail postfix/smtpd[3226]: connect from unknown[189.216.57.31]
Oct 29 08:14:51 mail postfix/smtpd[3226]: warning: hostname customer-189-216-57-31.cablevision.net.mx does not resolve to address 189.216.57.31: Name or service not known

comhlp (iT邦 Newbie, Level 4) ‧ 2018-10-29 10:17:48
What mail server does your company run? Postfix?
彭偉鎧 (iT邦 Grad Student, Level 3) ‧ 2018-10-29 10:19:27
If the internal network is not fully isolated and the system's security updates are not applied, it can still be compromised. See the Taiwan Judicial Yuan case: https://www.ettoday.net/news/20180319/1133196.htm#ixzz5TIg4X1fA
lard0921 (iT邦 Newbie, Level 4) ‧ 2018-10-29 10:20:15
It looks like malware was planted. Audit all servers, and it's best to audit the users as well.
Without spam filtering in front, this can be done with a few simple SMTP commands.
arvin423 (iT邦 Newbie, Level 4) ‧ 2018-10-29 10:30:11
The company mail server is DomLinux III.
The mail host had Mail Relay opened up, and then this pile of mail appeared; I recommend checking the mail server immediately.
It doesn't matter that you didn't fall for it; the problem is that once your host is blacklisted, getting it removed afterwards takes a lot of back-and-forth.
comhlp (iT邦 Newbie, Level 4) ‧ 2018-10-29 11:38:55
DomLinux... that is Postfix. Changing the password is useless; however you configure this thing it will still get hacked, unless you don't expose webmail to the outside. If you insist on exposing it, put a firewall with mail anti-spam functionality in front of the mail server.
I've been getting these a lot lately; just received one, contents for reference:
Hello!

I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.

Of course you can will change it, or already changed it.
But it doesn't matter, my malware updated it every time.

Do not try to contact me or find me, it is impossible, since I sent you an email from your account.

Through your email, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
Also I installed a Trojan on your device and long tome spying for you.

You are not my only victim, I usually lock computers and ask for a ransom.
But I was struck by the sites of intimate content that you often visit.

I am in shock of your fantasies! I've never seen anything like this!

So, when you had fun on piquant sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I combined them to the content of the currently viewed site.

There will be laughter when I send these photos to your contacts!
BUT I'm sure you don't want it.

Therefore, I expect payment from you for my silence.
I think $840 is an acceptable price for it!

Pay with Bitcoin.
My BTC wallet: 1DVU5Q2HQ4srFNSSaWBrVNMtL4pvBkfP5w

If you do not know how to do this - enter into Google "how to transfer money to a bitcoin wallet". It is not difficult.
After receiving the specified amount, all your data will be immediately destroyed automatically. My virus will also remove itself from your operating system.

My Trojan have auto alert, after this email is read, I will be know it!

I give you 2 days (48 hours) to make a payment.
If this does not happen - all your contacts will get crazy shots from your dark secret life!
And so that you do not obstruct, your device will be blocked (also after 48 hours)

Do not be silly!
Police or friends won't help you for sure ...

p.s. I can give you advice for the future. Do not enter your passwords on unsafe sites.

I hope for your prudence.
Farewell.
arvin423 (iT邦 Newbie, Level 4) ‧ 2018-10-29 15:55:59
Looking at the mail server settings, Mail Relay is not enabled.
It's fake. My company gets them all the time too; as long as users don't click on things at random it's fine.
It's usually the sales staff and the boss who receive them; I intercept them and ask the software vendor to help handle it!
We use BOX Solutions, and these emails all get intercepted. I look at them through [Content View] in the [Quarantine Report]. It has been over a month since the first one, and the same mail comes in every week; nothing has happened so far. Fake!!
4
ks1217
iT邦 Grad Student, Level 1 ‧ 2018-10-29 17:17:36
Best answer

Please see "Using UMail or Mail-God: how to filter and delete ad mail received from yourself (bounce attack)!!"
http://ns2.ublink.org/viewtopic.php?f=5&t=2611#p4531

arvin423 (iT邦 Newbie, Level 4) ‧ 2018-10-30 16:40:23

So there is a mail condition filter feature like this; thanks a lot!!
I'll keep observing whether there are any further problems!!

ks1217 (iT邦 Grad Student, Level 1) ‧ 2018-10-30 17:39:53

Remember the direction is Receive, because your mail host has no SPF reverse-lookup check. I still recommend putting a spam host in front of the mail server to audit this mail.
Another thing you can strengthen is an audit condition for dangerous attachments: attachments that are dangerous (e.g. SCR, js, docm, exe, iso, etc.) infect the user with a single click. For compressed archives you can set the condition to hold for your review: anything that is an archive (ZIP, ARJ, etc.) is forwarded to you first, and you release it to the recipient after checking that it is fine. Without a spam filter to block things, you have to set up more audit rules.

2
yesongow
iT邦 Master, Level 1 ‧ 2018-10-29 10:28:48

Back up first, then pull up a chair and see what exciting things happen after 48 hours!

arvin423 (iT邦 Newbie, Level 4) ‧ 2018-10-29 10:32:46

This kind of mail started arriving on 10/13, but nothing has happened inside the company.
It isn't sent every day; there is no damage so far.

yesongow (iT邦 Master, Level 1) ‧ 2018-10-29 10:45:02

With scheduled daily off-site backups, there's nothing to fear!

Remember to check the backup files to make sure they can actually be restored!

4
做工仔人!
iT邦 Master, Level 1 ‧ 2018-10-29 11:23:06

Fake !!
https://www.youtube.com/watch?v=dtuMAWGIyw0&t=324s

One more thing: they want 823 bitcoins.
Bitcoin is currently worth about 6,000 US dollars (USD).
The USD to TWD exchange rate is 1:31.
Work it out: how much is that in TWD? Already over a hundred million !!

My company gets a pile of these too; I tell them it's fake, just delete it (we delete all English mail anyway = =a)

yesongow (iT邦 Master, Level 1) ‧ 2018-10-29 13:49:12

It wants US$840, which you can pay with BTC; it's not 840 BTC!

arvin423 (iT邦 Newbie, Level 4) ‧ 2018-10-29 15:42:48

It is fake, that's right, but how can it be sent from my own account to myself?
Tests so far show it has nothing to do with the user's password.

comhlp (iT邦 Newbie, Level 4) ‧ 2018-10-29 18:04:02

It bypassed your permissions and sent the mail directly itself, as a client of the mail server; that's all there is to it. It's the same as you using root to type a command and send a test mail as any client in the domain.

1
esel
iT邦 Newbie, Level 4 ‧ 2018-10-30 08:52:31

My company has also been getting these scam emails lately, also sent from oneself to oneself. It doesn't look like it's our own Mail Relay, but so far we can't find a way to block them.

chris0630 (iT邦 Newbie, Level 3) ‧ 2018-10-30 09:26:34

Enable SPF/DKIM on the mail server and you can check for this.

1
eigen
iT邦 Newbie, Level 1 ‧ 2018-10-30 12:50:12

https://ithelp.ithome.com.tw/upload/images/20181030/200742099gP7n4JrOH.jpg

Then what about this kind? They even got the password right (but it's not the password for this email account).

It's the ID (EMAIL) and password (KXXXXXX) used to log in to another site that were known to them.

(My personal guess is that some site's registration data leaked. I searched online and people have been asking about this since around 10/20; during that period I only registered on a few new sites, and I'm guessing it was an 18+ site that leaked.)

rising (iT邦 Newbie, Level 5) ‧ 2018-10-30 14:17:35

Search for "Sextortion scam" and you'll find many overseas cases. Cases have risen noticeably since about July this year, probably related to some user database.

1
andylau
iT邦 Newbie, Level 3 ‧ 2018-10-30 14:18:08

Fake...

Even my company's group mailboxes receive these,
and group accounts don't even have a password...
Do you think it's real or fake?

Sending this kind of mail doesn't require hacking the mail server.
The sender can be typed in arbitrarily anyway;
just find a mail server that allows relaying to send it through.
Spoofing the sender as the recipient is entry-level spam.

Besides, if they already had the account password,
breaking into your computer
and encrypting your files would be no problem at all.
If they really wanted money,
wouldn't encrypting first and then extorting be more effective?

I get a pile of these every day.... so annoying

0
riches88
iT邦 Grad Student, Level 3 ‧ 2018-10-30 23:54:25

Domain mail is being spoofed; just set up a filter rule.

Usually the sender is disguised as your company domain so that you think a colleague sent the mail, enticing the recipient to open it, which achieves the spam effect or a malicious action such as a virus. Go to Mail Filter -> Filter Rule Management, add a filter rule (remember to enable the filter feature first), set the condition to "AND": when a mail is received and the sender is the company domain, delete that mail.
Reference setup: https://www.richesinfo.com.tw/index.php/mxmail/mxmail-faq/215-faq-mxmail-181030

esel (iT邦 Newbie, Level 4) ‧ 2018-11-23 15:47:30

Let me share: my company can't use the rule "sender & recipient are both the company domain" to block these, because there is real mail sent that way. I tried blocking mail whose body contains "bitcoin", and surprisingly that couldn't block it; blocking mail with "bitcoin" in the headers catches most of it, but some still slip through, and I'm puzzled why some still can't be blocked????
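The check the thread converges on, as an added example that is not code from any poster or from the products mentioned: parse the Received: header quoted in the question and flag a message whose From: claims the local domain but was handed in by a client outside the internal networks. This mirrors a Postfix setup that permits mynetworks before rejecting local-domain senders, so ordinary internal mail (esel's concern above) is not caught. LOCAL_DOMAIN and MX_HOST come from the quoted headers; MYNETWORKS is an assumption, and SASL-authenticated roaming users are not modelled.

```python
import ipaddress
import re
from email import message_from_string

# Values taken from the headers quoted in the question
LOCAL_DOMAIN = "xxx.com.tw"
MX_HOST = "mail.xxx.com.tw"
# Assumed internal ranges; a real check uses the server's own mynetworks
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: the thread's spoofed self-addressed message, trimmed
SAMPLE = """Received: from customer-189-216-57-31.cablevision.net.mx (unknown [189.216.57.31])
\tby mail.xxx.com.tw (Postfix) with ESMTP id 318A26AE4059
\tfor moska@xxx.com.tw; Mon, 29 Oct 2018 08:14:52 +0800 (CST)
From: moska@xxx.com.tw
To: moska@xxx.com.tw
Subject: moska@xxx.com.tw is compromised. Password must be changed

Hello!
"""

def sender_domain(addr):
    """Domain part of an address, lower-cased; '' if none."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def our_received(msg):
    """The Received: line our own MX stamped when it accepted the message."""
    for hop in msg.get_all("Received") or []:
        if f"by {MX_HOST}" in " ".join(hop.split()):
            return hop
    return ""

def classify(raw):
    """Flag mail that claims a local sender but was handed in from outside."""
    msg = message_from_string(raw)
    hop = our_received(msg)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    internal = ip is not None and any(ip in net for net in MYNETWORKS)
    dom = sender_domain(msg.get("From"))
    return {
        "from_domain": dom,
        "client_ip": str(ip) if ip else None,
        # Postfix writes 'unknown' when reverse DNS does not match (see the log)
        "rdns_ok": "(unknown [" not in hop,
        # Local sender + external, unauthenticated client = forged sender
        "spoofed": dom == LOCAL_DOMAIN and not internal,
    }
```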

0
wancheng
iT邦 Grad Student, Level 1 ‧ 2018-11-04 21:00:48

I just opened my mailbox and saw a similar extortion email. The subject line showed my password, and at that moment I was shocked: had I been targeted too? A few days ago I happened to see the discussion here, so I quickly searched online for similar cases. After a few minutes of thinking: no, I changed my password long ago; the password in that extortion email is an old one.

Thinking about it further, why would that extortion email have that password? I guess it's the mailbox account and password I left on some forum. Most people use the same password almost everywhere, and I'm one of them; that extortion email is a shotgun approach, and there will always be someone whose password happens to match. I should use one-time passwords as much as possible and different passwords on different sites.

richman (iT邦 Newbie, Level 3) ‧ 2018-11-10 18:45:26

I also had two leaked passwords used to extort me; the subject and body also showed my password.
From https://haveibeenpwned.com/
I found that one of the passwords was leaked because a site I registered on had a data breach.
The other password is the one for logging in to this site (if I remember correctly), but I still don't know how it leaked.
On every site I register at, I include some letters representing that site in the password, so when a leak comes from that site I can quickly go and change my details.

1
xdxxx
iT邦 Newbie, Level 4 ‧ 2018-11-23 10:00:09

http://www.softnext.com.tw/news_main.html?tag=t&nid=978
There is an article here.

Have a look, everyone.
