Cahjr

Can core Kaspersky file be Hijacked despite all the security measures?


I received this email, the hijacker claiming that he has a stealth, core malware hijack of My Kaspersky Free. Just wondering if this is a ploy to frighten me into giving in to his/her/their demand for payment. But what this phisher doesn't know is that I don't have a dime to my name, not even a bank account!!! Can't squeeze blood from a turnip ....

Delivered-To: xxxxxxxx@gmail.com
Received: by 2002:ab0:330d:0:0:0:0:0 with SMTP id r13csp992119uao;
        Thu, 28 Feb 2019 12:02:05 -0800 (PST)
X-Google-Smtp-Source: APXvYqxo7KroWx+1Y8BCF/90jIjnA4VMVCXwJBg7y39tXVJIcJGIlg0vbooinegwBkbY3NKTekyV
X-Received: by 2002:a05:6638:398:: with SMTP id y24mr532979jap.33.1551384125137;
        Thu, 28 Feb 2019 12:02:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551384125; cv=none;
        d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:message-id:subject:mime-version:to:from:auto-submitted;
        bh=ulWPyAzbvpvFZok2D4WyfOa0e78OKJ09K88jc0clXY0=;
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of postmaster@cloud134.ihsystem.com designates 66.235.194.225 as permitted sender) smtp.helo=cloud134.ihsystem.com
Return-Path: <>
Received: from cloud134.ihsystem.com (cloud134.ihsystem.com. [66.235.194.225])
        by mx.google.com with ESMTPS id t4si3422525ita.96.2019.02.28.12.02.04
        for <xxxxxxxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 28 Feb 2019 12:02:05 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of postmaster@cloud134.ihsystem.com designates 66.235.194.225 as permitted sender) client-ip=66.235.194.225;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of postmaster@cloud134.ihsystem.com designates 66.235.194.225 as permitted sender) smtp.helo=cloud134.ihsystem.com
Received: from mailnull by cloud134.ihsystem.com with local (Exim 4.86_1) id 1gzRsV-0004hO-O5 for cahoovjr@gmail.com; Thu, 28 Feb 2019 14:02:00 -0600
X-Failed-Recipients: xxxxxxxx@gmail.com
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@cloud134.ihsystem.com>
To: xxxxxxxx@gmail.com
Content-Type: multipart/report; report-type=delivery-status; boundary=1551384119-eximdsn-2089104959
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1gzRsV-0004hO-O5@cloud134.ihsystem.com>
Date: Thu, 28 Feb 2019 14:01:59 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cloud134.ihsystem.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: cloud134.ihsystem.com: sender_ident via received_protocol == local: mailnull/primary_hostname/system user
X-Authenticated-Sender: cloud134.ihsystem.com: mailnull
X-Source: 
X-Source-Args: 
X-Source-Dir: 

--1551384119-eximdsn-2089104959
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  xxxxxxxx@gmail.com
    Domain themesofindia.com has exceeded the max defers and failures per hour (10/10 (76%)) allowed. Message discarded.

--1551384119-eximdsn-2089104959
Content-type: message/delivery-status


--1551384119-eximdsn-2089104959
Content-type: message/rfc822

Return-path: <xxxxxxxx@gmail.com>
Received: from [156.204.238.208] (port=41640 helo=allen-company.com) by cloud134.ihsystem.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <cahoovjr@gmail.com>) id 1gzMxH-0003kA-Oi for cahoovjr@gmail.com; Thu, 28 Feb 2019 08:46:36 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 28 Feb 2019 14:46:38 -0000
From: xxxxxxxx@gmail.com
To: xxxxxxxx@gmail.com
Subject: I hack you
Message-ID: <029002121.79836373748926@gmail.com>
X-Mailer: moveon.dk

Hi! As you may have noticed, I sent you an email from your account. This means that I have full access to your devices and accounts. I've been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence. Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts. If you want to prevent this, transfer the amount of $820 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin"). My bitcoin address (BTC Wallet) is: 12yCNJHAwda8Kgxv9DswpS9k16XnstSqcJ   After receiving the payment, I will delete the video and you will never hear me again. I give you 48 hours to pay. I have a notice reading this letter, and the timer will work when you see this letter. Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes. If I find that you have shared this message with someone else, the video will be immediately distributed.


--1551384119-eximdsn-2089104959--

This message seems to make many assumptions, such as having access to my web cam on this machine, which I don't have... lol, but since I don't have a paid subscription for Kaspersky, I cannot notify them that some phisher out there is claiming to have a hijack of their core software.

I'm hoping that someone in this forum will read this and forward it to Kaspersky on my behalf.

Thanks

Edited by Cahjr
remove email address from text line


After seeing the headers and paths, the email meets the criteria for having fake credentials. This is like a form letter that no doubt gets mailed to a lot of people, most likely Gmail users. It's not too hard to forge the email header to show your email address as who it's from. Your best bet, IMO, is to send your email with all headers, as a source file, just like you did above already. This should bring about an investigation by the postmaster for that domain (abuse@cloud134.ihsystem.com). If that doesn't work and bounces, just use postmaster@cloud134.ihsystem.com.

 

Here's a link to see what's going on with this fraudster. It shows it's well known, and the guy's format for the letters, AND using the recipient's email address. It's a link to the Bitcoin Abuse Database and I got it by using the BTC address the guy gave you in his email for where to send the Bitcoin. You do not need to pay; just toss it.

https://www.bitcoinabuse.com/reports/12yCNJHAwda8Kgxv9DswpS9k16XnstSqcJ

12yCNJHAwda8Kgxv9DswpS9k16XnstSqcJ was used in your email.

So doing a search for this bitcoin address shows the resulting abuse database. This works on any and all BTC addresses, providing there is fraud involved for the BTC address...
Edited by plb4333
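Added example (not from the thread, and not Kaspersky's or the forum's code): a standard-library Python triage of the inner message quoted above, with a constructed, trimmed copy of it embedded (recipient masked as in the post). It checks what the reply points at: whether the From domain is backed by the first Received hop, whether From equals To, and it decodes the quoted-printable body to pull out the wallet address for an abuse-database lookup.

```python
"""Triage a suspected forged-sender extortion email with the standard library only."""
import re
from email import message_from_string, policy
# Constructed sample: the inner message/rfc822 part quoted in the thread, body
# trimmed to a few lines and the recipient masked the way the post masks it.
RAW = """\
Received: from [156.204.238.208] (port=41640 helo=allen-company.com) by cloud134.ihsystem.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <xxxxxxxx@gmail.com>) id 1gzMxH-0003kA-Oi for xxxxxxxx@gmail.com; Thu, 28 Feb 2019 08:46:36 -0600
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: xxxxxxxx@gmail.com
To: xxxxxxxx@gmail.com

Hi! As you may have noticed, I sent you an email from your account. This me=
ans that I have full access to your devices and accounts. My bitcoin address (B=
TC Wallet) is: 12yCNJHAwda8Kgxv9DswpS9k16XnstSqcJ   After receiving the pay=
ment, I will delete the video.
"""
# Exim-style first hop: "from [ip] (port=N helo=name) by relay ..."
RECEIVED_RE = re.compile(r"from \[(?P<ip>[\d.]+)\] \(port=\d+ helo=(?P<helo>[^)\s]+)\) by (?P<relay>\S+)")
# Legacy (P2PKH/P2SH) Bitcoin address: base58 without 0/O/I/l, 26-35 characters.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

def first_hop(msg):
    # Received headers are prepended, so the last one listed is the first hop.
    for received in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(received))
        if m:
            return m.group("ip"), m.group("helo"), m.group("relay")
    return None

def triage(raw):
    """Return (findings, wallet_addresses, decoded_body) for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender, recipient = msg["From"].addresses[0], msg["To"].addresses[0]
    findings = []
    hop = first_hop(msg)
    if hop:
        ip, helo, relay = hop
        # A gmail.com From that arrived via an unrelated HELO name and relay is the forged header the reply describes.
        d = sender.domain.lower()
        if not any(h.lower() == d or h.lower().endswith("." + d) for h in (helo, relay)):
            findings.append(f"From domain {d} not matched by helo={helo} relay={relay} client={ip}")
    if sender.addr_spec.lower() == recipient.addr_spec.lower():
        findings.append("From equals To: the message is addressed to the victim from themselves")
    body = msg.get_content()  # undoes the quoted-printable soft line breaks ("=" + newline)
    wallets = BTC_RE.findall(body)
    if wallets:
        findings.append("payment demand: bitcoin address " + ", ".join(wallets))
    return findings, wallets, body
```

Run `triage(RAW)` to get the three findings for the sample; the same function works on any `.eml` saved as "source" from the mail client, which is the form the reply recommends sending to the abuse contact.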
