
Can core Kaspersky file be Hijacked despite all the security measures?


I received this email, the hijacker claiming that he has a stealth, core malware hijack of my Kaspersky Free. Just wondering if this is a ploy to frighten me into giving in to his/her/their demand for payment. But what this phisher doesn't know is that I don't have a dime to my name, not even a bank account!!! Can't squeeze blood from a turnip ....

Delivered-To: xxxxxxxx@gmail.com
Received: by 2002:ab0:330d:0:0:0:0:0 with SMTP id r13csp992119uao;
        Thu, 28 Feb 2019 12:02:05 -0800 (PST)
X-Google-Smtp-Source: APXvYqxo7KroWx+1Y8BCF/90jIjnA4VMVCXwJBg7y39tXVJIcJGIlg0vbooinegwBkbY3NKTekyV
X-Received: by 2002:a05:6638:398:: with SMTP id y24mr532979jap.33.1551384125137;
        Thu, 28 Feb 2019 12:02:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551384125; cv=none;
        d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of postmaster@cloud134.ihsystem.com designates as permitted sender) smtp.helo=cloud134.ihsystem.com
Return-Path: <>
Received: from cloud134.ihsystem.com (cloud134.ihsystem.com. [])
        by mx.google.com with ESMTPS id t4si3422525ita.96.2019.
        for <xxxxxxxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 28 Feb 2019 12:02:05 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of postmaster@cloud134.ihsystem.com designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of postmaster@cloud134.ihsystem.com designates as permitted sender) smtp.helo=cloud134.ihsystem.com
Received: from mailnull by cloud134.ihsystem.com with local (Exim 4.86_1) id 1gzRsV-0004hO-O5 for cahoovjr@gmail.com; Thu, 28 Feb 2019 14:02:00 -0600
X-Failed-Recipients: xxxxxxxx@gmail.com
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@cloud134.ihsystem.com>
To: xxxxxxxx@gmail.com
Content-Type: multipart/report; report-type=delivery-status; boundary=1551384119-eximdsn-2089104959
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1gzRsV-0004hO-O5@cloud134.ihsystem.com>
Date: Thu, 28 Feb 2019 14:01:59 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cloud134.ihsystem.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: cloud134.ihsystem.com: sender_ident via received_protocol == local: mailnull/primary_hostname/system user
X-Authenticated-Sender: cloud134.ihsystem.com: mailnull

Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

    Domain themesofindia.com has exceeded the max defers and failures per hour (10/10 (76%)) allowed. Message discarded.

Content-type: message/delivery-status

Content-type: message/rfc822

Return-path: <xxxxxxxx@gmail.com>
Received: from [] (port=41640 helo=allen-company.com) by cloud134.ihsystem.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <cahoovjr@gmail.com>) id 1gzMxH-0003kA-Oi for cahoovjr@gmail.com; Thu, 28 Feb 2019 08:46:36 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 28 Feb 2019 14:46:38 -0000
From: xxxxxxxx@gmail.com
To: xxxxxxxx@gmail.com
Subject: I hack you
Message-ID: <029002121.79836373748926@gmail.com>
X-Mailer: moveon.dk

Hi! As you may have noticed, I sent you an email from your account. This me=
ans that I have full access to your devices and accounts. I've been watchin=
g you for a few months now. The fact is that you were infected with malware=
 through an adult site that you visited. If you are not familiar with this,=
 I will explain. Trojan Virus gives me full access and control over a compu=
ter or other device. This means that I can see everything on your screen, t=
urn on the camera and microphone, but you do not know about it. I also have=
 access to all your contacts and all your correspondence. Why your antiviru=
s did not detect malware? Answer: My malware uses the driver, I update its =
signatures every 4 hours so that your antivirus is silent. I made a video s=
howing how you satisfy yourself in the left half of the screen, and in the =
right half you see the video that you watched. With one click of the mouse,=
 I can send this video to all your emails and contacts. If you want to prev=
ent this, transfer the amount of $820 to my bitcoin address (if you do not =
know how to do this, write to Google: "Buy Bitcoin"). My bitcoin address (B=
TC Wallet) is: 12yCNJHAwda8Kgxv9DswpS9k16XnstSqcJ   After receiving the pay=
ment, I will delete the video and you will never hear me again. I give you =
48 hours to pay. I have a notice reading this letter, and the timer will wo=
rk when you see this letter. Filing a complaint somewhere does not make sen=
se because this email cannot be tracked like my bitcoin address. I do not m=
ake any mistakes. If I find that you have shared this message with someone =
else, the video will be immediately distributed.


This message seems to make many assumptions, such as having access to my webcam on this machine, which I don't have... lol, but since I don't have a paid subscription for Kaspersky, I cannot notify them that some phisher out there is claiming to have a hijack of their core software.

I'm hoping that someone in this forum will read this and forward it to Kaspersky on my behalf.


Edited by Cahjr
remove email address from text line


After seeing the headers and paths, the email meets the criteria for having fake credentials. This is like a form letter that no doubt gets mailed to a lot of people, most likely Gmail users. It's not too hard to forge the email header to show your email address as who it's from. Your best bet, IMO, is to send your email with all headers, as a source file, just like you did above already. This should bring about an investigation by the postmaster for that domain (abuse@cloud134.ihsystem.com). If that doesn't work and bounces, just use postmaster@cloud134.ihsystem.com.


Here's a link to see what's going on with this fraudster. It shows it's well known, and the guy's format for the letters, AND using the recipient's email address. It's a link to the Bitcoin Abuse Database and I got it by using the BTC address the guy gave you in his email for where to send the Bitcoin. You do not need to pay; just toss it.


12yCNJHAwda8Kgxv9DswpS9k16XnstSqcJ was used in your Email.

So doing a search for this bitcoin address shows the resulting abuse database. This works on any and all BTC addresses, providing there is fraud involved for the BTC address...
Edited by plb4333
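The two replies above boil down to two manual checks: read the Received chain to see where the message really entered the mail system (so the abuse report goes to the right postmaster), and pull the Bitcoin address out of the body so it can be looked up in an abuse database. The script below, added here as an illustration and not code from this thread or from Kaspersky, automates both over a constructed sample message modelled on the one posted: the From: header and envelope sender are a Gmail address, but the first hop is an authenticated submission (esmtpsa) to an unrelated Exim relay. The hostnames, IPs and message IDs in the sample are placeholders; only the BTC address is the one quoted in the thread. The address match is syntactic (no checksum), which is enough to feed a lookup.

```python
"""Triage a sextortion e-mail from its raw source (added example, not the forum's code)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the thread. Hosts, IPs and ids are placeholders.
RAW_MAIL = b"""\
Received: from relay.example.net (relay.example.net. [203.0.113.5]) by mx.example.org with ESMTPS id sample2 for <victim@gmail.com>; Thu, 28 Feb 2019 12:02:05 -0800 (PST)
Received: from [203.0.113.10] (port=41640 helo=sender-helo.example) by relay.example.net with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <victim@gmail.com>) id sample1 for victim@gmail.com; Thu, 28 Feb 2019 08:46:36 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: victim@gmail.com
To: victim@gmail.com
Subject: I hack you

Hi! As you may have noticed, I sent you an email from your account. This me=
ans that I have full access to your devices. Transfer $820 to my bitcoin add=
ress (BTC Wallet): 12yCNJHAwda8Kgxv9DswpS9k16XnstSqcJ within 48 hours.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"              # sending host as the relay saw it
    r"(?:\s+\((?P<paren>[^)]*)\))?"      # optional details, e.g. helo=...
    r".*?\bby\s+(?P<by>\S+)"             # relay that accepted the message
    r".*?\bwith\s+(?P<proto>\S+)"        # esmtpsa = authenticated submission
    r"(?:.*?envelope-from\s+<(?P<env>[^>]*)>)?",
    re.DOTALL,
)
# Syntactic match for legacy (base58) Bitcoin addresses; no checksum is verified.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def parse_received(value: str) -> dict:
    """Reduce one Received: header to the fields that matter for triage."""
    empty = {"from": None, "helo": None, "by": None, "proto": None, "envelope_from": None}
    m = RECEIVED_RE.search(value)
    if not m:
        return empty
    helo = re.search(r"helo=(\S+)", m.group("paren") or "")
    return {
        "from": m.group("from"),
        "helo": helo.group(1) if helo else None,
        "by": m.group("by"),
        "proto": m.group("proto"),
        "envelope_from": m.group("env"),
    }


def triage(raw: bytes) -> dict:
    """Compare the claimed sender with the delivery path and extract BTC addresses."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # Each hop prepends its Received: header, so the last one is where the mail originated.
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else None
    findings = []
    if origin and origin["by"]:
        if (origin["proto"] or "").lower() == "esmtpsa":
            findings.append(
                f"first hop was an authenticated submission to {origin['by']}, "
                f"not the {from_domain} mail system"
            )
        path_names = " ".join(filter(None, [origin["helo"], origin["by"]])).lower()
        if from_domain and from_domain not in path_names:
            findings.append(
                f"HELO {origin['helo']} / relay {origin['by']} do not belong to "
                f"{from_domain}: the From: header is not corroborated by the path"
            )
    # get_content() undoes the quoted-printable encoding before we search the text.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "header_from_domain": from_domain,
        "origin": origin,
        "findings": findings,
        "btc_addresses": sorted(set(BTC_RE.findall(text))),
        # The reply above recommends abuse@ at the relay that injected the message.
        "report_to": f"abuse@{origin['by']}" if origin and origin["by"] else None,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MAIL).items():
        print(f"{key}: {value}")
```

On the sample, the origin hop is reported as an authenticated submission to relay.example.net under a HELO name unrelated to gmail.com, the report address comes out as abuse@relay.example.net, and the decoded body yields the single BTC address to search for. Run it against a real bounce by replacing RAW_MAIL with the saved message source.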

