
They want $1,000

Posted: Sat Feb 09, 2019 9:32 am
by donrei
I have received two of the messages below, the first asking for $1,000 and the second, 4 days later, asking for $500 (I didn't react to the first, so they have lowered their demand hoping to get some action, I guess). I was on a porn site, but I have had my computer's camera Scotch-taped for over two years and have also had McAfee virus/malware monitoring on the computer for two years, which when scanned showed no malware or other activity in the last 6 months. My risk seemed low, so I did not react to the first email, and nothing happened until I got the second email with the reduced bribe amount.

Here is the email. They are both the same except the $ amount is changed.

Hi, your account was infected! It will be good idea to change the password this time!
You probably do not know anything about me and you may be most probably wanting to know for what reason you are getting this particular message, is it right?
I'm hacker who cracked your email and system a few months ago.
Don't attempt to get in touch with me or find me, it is definitely hopeless, because I directed you a letter from YOUR hacked account.
I've build in malware soft to the adult videos (porn) site and guess that you have spent time on this website to have some fun (think you understand what I really mean).
While you have been keeping an eye on these "great" vids, your browser started out to act as a RDP (Remote Control) having a keylogger that gave me permission to access your screen and web camera.
Then, my application stole all data.
You wrote passcodes on the web services you visited, I sniffed them.
Of course, you can modify them, or already modified them.
Even so it doesn't matter, my program updates information regularly.
And what did I do?
I compiled a reserve copy of your system. Of all files and contacts.
I created a dual-screen movie. The 1st part presents the film you had been observing (you've the perfect preferences, wow...), the 2nd part displays the recording from your webcam.
What actually should you do?
Great, in my view, 500 USD is basically a good price for our little riddle. You will make the payment by bitcoins (if you don't recognize this, search “how to purchase bitcoin” in any search engine).
My bitcoin wallet address:
1BiaqePJatfaQXJ9ZUzVdEfRCNr31LFT8c
(It is cAsE sensitive, so just copy and paste it).
Attention:
You have only 2 days to make the payment. (I put an unique pixel to this message, and from now I know that you've read this email).
To monitor the reading of a message and the actions inside it, I utilize a Facebook pixel. Thanks to them. (That which is applied for the authorities may help us.)

In case I do not get bitcoins, I shall undoubtedly send your recording to all your contacts, along with family members, colleagues, ?and many more?.


HERE IS THE HEADER OF THE FIRST EMAIL.

X-Clx-Ushades: Junk
X-Csa-Complaints: whitelist-complaints@dkd.lt
X-Dmarc-Policy: none
X-Clx-Spam: false
User-Agent: Microsoft-MacOutlook/10.e.1.180613
Authentication-Results: st11p00mm-dmarcmilter005.me.com; dmarc=none header.from=reighley.net
Authentication-Results: st11p00mm-dkimmilter016.mac.com; dkim=none
Authentication-Results: st11p00mm-spfmilter003.mac.com; spf=fail (st11p00mm-spfmilter003.mac.com: domain of oliushka@dkd.lt does not designate 64.90.62.163 as permitted sender) smtp.mailfrom=oliushka@dkd.lt
Abuse-Reports-To: <abuse@mail.dkd.lt>
Return-Path: <oliushka@dkd.lt>
List-Help: <mailto:abuse@dkd.lt>
X-Vr-Status: SPAM
Original-Recipient: rfc822;mdonaldr@reighley.net
Organization: Woeekejmsa
Errors-To: security@dkd.lt
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 clxscore=1005 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=clx:Deliver adjust=0 reason=mlx scancount=1 engine=8.0.1-1812120000 definitions=main-1902050109
<zz7qfthygu98jil8ycgeiomepzbdhmoz@0v9a1j7ons9nt10o3ch1s6ueagpv3nabkyvcj7g95ogwq5a2dul8vyjgpcysluqm>
X-Aid: 3888684988
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-05_06:,, signatures=0
X-Dmarc-Info: pass=none; dmarc-policy=(nopolicy); s=u0; d=u0
X-Mailer: WhatCounts
Content-Transfer-Encoding: base64
X-Clx-Shades: Deliver
Content-Type: text/plain; charset=UTF-8
Received: from st11p00im-smtpin024.me.com ([17.172.80.139]) by ms35562.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep 6 2017)) with ESMTP id <0PMG00B67HDMX700@ms35562.mac.com> for dreighley@icloud.com; Tue, 05 Feb 2019 13:56:10 +0000 (GMT)
Received: from pdx1-sub0-mail-mx14.g.dreamhost.com (mx1.dreamhost.com [64.90.62.163]) by st11p00im-smtpin024.me.com (Postfix) with ESMTPS id F2847680071 for <dreighley@icloud.com>; Tue, 5 Feb 2019 13:56:09 +0000 (UTC)
Received: from vade-backend12.dreamhost.com (fltr-in2.mail.dreamhost.com [66.33.205.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pdx1-sub0-mail-mx14.g.dreamhost.com (Postfix) with ESMTPS id D2DB994146 for <mdonaldr@reighley.net>; Tue, 5 Feb 2019 05:56:06 -0800 (PST)
Received: from mx1.dkdnet.com (mx1.dkdnet.com [82.135.149.90]) by vade-backend12.dreamhost.com (Postfix) with ESMTP id 9A34B42485F5B for <mdonaldr@reighley.net>; Tue, 5 Feb 2019 05:56:03 -0800 (PST)
Received: from [range234-dynamic201.reytelhn.net] (unknown [200.52.148.122]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.dkdnet.com (Postfix) with ESMTP id 692363CF0 for <mdonaldr@reighley.net>; Tue, 5 Feb 2019 15:55:55 +0200 (EET)
X-Vr-Score: 300
Received-Spf: fail (st11p00mm-spfmilter003.mac.com: domain of oliushka@dkd.lt does not designate 64.90.62.163 as permitted sender) receiver=st11p00mm-spfmilter003.mac.com; client-ip=64.90.62.163; helo=pdx1-sub0-mail-mx14.g.dreamhost.com; envelope-from=oliushka@dkd.lt
Feedback-Id: 8:bex_ojkuve_vjlweg:qavgcdn
X-Clx-Score: 1005
X-Clx-Unspecialscore: -349


AND HERE IS THE HEADER OF THE SECOND EMAIL WHICH IS DIFFERENT AND PROBABLY ROUTED DIFFERENTLY

Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kysis.edu.my; s=default; h=List-Subscribe:From:Date:Message-ID:To:Subject: Content-Type:Content-Transfer-Encoding:Sender:Reply-To:Cc:MIME-Version: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Post:List-Owner:List-Archive; bh=NdPEX4bWX9DuFgV2g9/anMfooQ/FOLM96UL7ZZbAkRE=; b=G2e2Xv3w6M2IRmI4dPT6/q8Nv5 EwPal8YBfhosu32YBsV37k9ermtCtQAKZ79eNL+TMB26ORbchrZoDDjqrrYwRydcI8kYGDUEVOpYi +smzBW6nOubnKmfyGoVK5TfbV7IZ3w/a+r9ybZleyWwKzIIWjaEmTu/FKoTcBF/QRjgY=;
X-Csa-Complaints: complaints@kysis.edu.my
X-Clx-Ushades: None
X-Dmarc-Policy: none
X-Sender-Info: <jsnel@kysis.edu.my>
X-Authenticated-Sender: cloud.kysis-server.net: jsnel@kysis.edu.my
X-Clx-Spam: false
Authentication-Results: pv33p00im-dmarcmilter007.me.com; dmarc=none header.from=reighley.net
Authentication-Results: pv33p00im-dkimmilter012.me.com; dkim=pass (1024-bit key) header.d=kysis.edu.my header.i=@kysis.edu.my header.b=G2e2Xv3w
Authentication-Results: pv33p00im-spfmilter004.me.com; spf=softfail (pv33p00im-spfmilter004.me.com: domain of transitioning jsnel@kysis.edu.my does not designate 64.90.62.164 as permitted sender) smtp.mailfrom=jsnel@kysis.edu.my
Authentication-Results: vade-backend17.dreamhost.com; dkim=pass reason="1024-bit key; unprotected key" header.d=kysis.edu.my header.i=@kysis.edu.my header.b=G2e2Xv3w; dkim-adsp=none (unprotected policy); dkim-atps=neutral
X-Complaints-To: abuse@kysis.edu.my
Abuse-Reports-To: <abuse@mailer.kysis.edu.my>
Return-Path: <jsnel@kysis.edu.my>
X-Vr-Status: SPAM
X-Priority: 1
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - cloud.kysis-server.net
X-Antiabuse: Original Domain - reighley.net
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - kysis.edu.my
Original-Recipient: rfc822;mdonaldr@reighley.net
<15E792377D30C598280D52D7FE2D64E7@8D5AB9329>
X-Dmarc-Info: pass=none; dmarc-policy=(nopolicy); s=u0; d=u0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 clxscore=1005 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=clx:Deliver adjust=0 reason=mlx scancount=1 engine=8.0.1-1812120000 definitions=main-1902090081
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-09_10:,, signatures=0
X-Clx-Shades: Deliver
Content-Transfer-Encoding: base64
Received: from pv33p00im-smtpin027.me.com ([17.142.180.53]) by ms35562.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep 6 2017)) with ESMTP id <0PMN00ACTNO6RD10@ms35562.mac.com> for dreighley@icloud.com; Sat, 09 Feb 2019 10:55:18 +0000 (GMT)
Received: from pdx1-sub0-mail-mx12.g.dreamhost.com (mx2.dreamhost.com [64.90.62.164]) by pv33p00im-smtpin027.me.com (Postfix) with ESMTPS id D252978005E for <dreighley@icloud.com>; Sat, 9 Feb 2019 10:55:16 +0000 (UTC)
Received: from vade-backend17.dreamhost.com (fltr-in1.mail.dreamhost.com [66.33.205.212]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pdx1-sub0-mail-mx12.g.dreamhost.com (Postfix) with ESMTPS id 286837F166 for <mdonaldr@reighley.net>; Sat, 9 Feb 2019 02:55:13 -0800 (PST)
Received: from cloud.kysis-server.net (unknown [198.38.84.168]) by vade-backend17.dreamhost.com (Postfix) with ESMTPS id 9586640005856 for <mdonaldr@reighley.net>; Sat, 9 Feb 2019 02:55:10 -0800 (PST)
Received: from [170.79.178.133] (port=57654 helo=[]) by cloud.kysis-server.net with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.91) (envelope-from <jsnel@kysis.edu.my>) id 1gr4dQ-0009tU-M5 for mdonaldr@reighley.net; Wed, 06 Feb 2019 01:35:49 +0800
Content-Type: text/plain; charset=UTF-8
X-Vr-Score: 300
Feedback-Id: 1n2lbn59wzdl27g8ug3e7p19rtwluaxusfcxzhg5nh1moaw:none:ovtxfpt
X-Get-Message-Sender-Via: cloud.kysis-server.net: authenticated_id: jsnel@kysis.edu.my
List-Subscribe: subscribe@kysis.edu.my
X-Clx-Score: 1005
Received-Spf: softfail (pv33p00im-spfmilter004.me.com: domain of transitioning jsnel@kysis.edu.my does not designate 64.90.62.164 as permitted sender) receiver=pv33p00im-spfmilter004.me.com; client-ip=64.90.62.164; helo=pdx1-sub0-mail-mx12.g.dreamhost.com; envelope-from=jsnel@kysis.edu.my
X-Clx-Unspecialscore: 23


IS THERE ANY CHANCE OF LOCATING THIS PERSON? IS GOING TO THE FBI OR LOCAL POLICE WORTH THE TROUBLE?

Thanks in advance to any that may comment.
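
Added example, not part of the original post: a short Python reading of the first message's headers, listing the relay path oldest hop first and checking whether the From: address was forged rather than sent from the recipient's own account. The header text is abridged from the post above; the function names are this example's own.

```python
import re
from email import message_from_string

# Headers of the first message, abridged from the post (invisible control
# characters stripped, TLS and queue-id details dropped, order kept).
RAW = """\
Authentication-Results: st11p00mm-dmarcmilter005.me.com; dmarc=none header.from=reighley.net
Authentication-Results: st11p00mm-dkimmilter016.mac.com; dkim=none
Authentication-Results: st11p00mm-spfmilter003.mac.com; spf=fail smtp.mailfrom=oliushka@dkd.lt
Return-Path: <oliushka@dkd.lt>
Received: from st11p00im-smtpin024.me.com ([17.172.80.139]) by ms35562.mac.com with ESMTP; Tue, 05 Feb 2019 13:56:10 +0000
Received: from pdx1-sub0-mail-mx14.g.dreamhost.com (mx1.dreamhost.com [64.90.62.163]) by st11p00im-smtpin024.me.com (Postfix) with ESMTPS; Tue, 5 Feb 2019 13:56:09 +0000
Received: from vade-backend12.dreamhost.com (fltr-in2.mail.dreamhost.com [66.33.205.213]) by pdx1-sub0-mail-mx14.g.dreamhost.com (Postfix) with ESMTPS; Tue, 5 Feb 2019 05:56:06 -0800
Received: from mx1.dkdnet.com (mx1.dkdnet.com [82.135.149.90]) by vade-backend12.dreamhost.com (Postfix) with ESMTP; Tue, 5 Feb 2019 05:56:03 -0800
Received: from [range234-dynamic201.reytelhn.net] (unknown [200.52.148.122]) by mx1.dkdnet.com (Postfix) with ESMTP; Tue, 5 Feb 2019 15:55:55 +0200

"""

HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def relay_path(msg):
    """Hops as (claimed_name, peer_ip, recording_server), oldest first."""
    hops = [HOP.search(h) for h in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(hops) if m]

def auth_results(msg):
    """Collect method=result and property=value pairs from Authentication-Results."""
    out = {}
    for h in msg.get_all("Authentication-Results", []):
        out.update(re.findall(r"\b([a-z.]+)=([^\s;()]+)", h))
    return out

def from_is_spoofed(msg, recipient_domain):
    """True when From: shows the recipient's own domain while the envelope
    sender (smtp.mailfrom) belongs to another domain. The spf= verdict is
    not used: iCloud evaluated it against DreamHost's forwarding relay."""
    a = auth_results(msg)
    envelope_domain = a.get("smtp.mailfrom", "").rpartition("@")[2]
    return (a.get("header.from") == recipient_domain
            and envelope_domain not in ("", recipient_domain))

msg = message_from_string(RAW)
for name, ip, by in relay_path(msg):
    print(f"{ip:>15}  {name}  ->  {by}")
print("From: forged as recipient:", from_is_spoofed(msg, "reighley.net"))
```

Only the hops recorded by the recipient's own providers (DreamHost and Apple here) can be trusted. The oldest line was written by a third-party server and names a connecting machine, not a person.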

Re: They want $1,000

Posted: Sat Feb 09, 2019 3:43 pm
by Chrispcritters
This is a sextortion scam.