Tuesday, 31 October 2017

Bogus porn blackmail attempt from adulthehappytimes.com

This blackmail attempt is completely bogus, sent from a server belonging to the adulthehappytimes.com domain.

From:    Hannah Taylor [bill@adulthehappytimes.com]
Reply-To:    bill@adulthehappytimes.com
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:    adulthehappytimes.com

Hello.

I sincerely anticipate that I will not hurt ur feelings. Shit happens, life didn’t give me a choice. I don’t hate people with special tastes, moreover only God can judge u. So:

Firstly, I put the particular virus on a web site with porn videos (I think you understood me).

Secondly, when you tapped on a video, soft instantly started working, all cams turned on and screen started recording, then my soft collected all contacts from emails, messengers etc. Im really proud for this soft, it makes devices act as remote desktop with keylogger function, impressive. This email address Ive collected from your device, I emailed u here because I think you will 100% going to check your corporative email.

Eventually, I edited a split screen video, with your participation and porn video from your screen, its very weird. Consequently, I can share this video with all your friends, colleagues, relatives etc. I guess it’s a big problem for you.

But we can resolve this problem. 305 Usd- in my opinion, very common cost for false like this.

I accept only bitcoin, this is my wallet’s address- 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY U have 45 hours after opening my letter to make transaction. I will see when u read this letter, I adjusted special tracking pixel in it. This time is sufficiently only to complete all verifications and transaction, so you have to think rapidly. If I wont get my «wage», I will share this video with all contact Ive received from ur device.

You can complain to cops for a help, but they wont search out me for even 150 hours, Im from Japan, so think twice. If Ill receive btc- all compromising evidence will be erased forever and I will never message you again.

U can reply, but this Will not make sense, I sent you this notification using my soft for anonymous messages, I don’t check the email after using it, because I contemplate about my safety too. Have a nice day, I hope u will make a good decision for you.

If you got one of these, the first thing to realise is that it is bullshit. This particular one was sent to the contact@ address of a random domain I own. You will note that there are no personal details in the email, and furthermore the claim that there's a tracking pixel in the email can easily be refuted by checking the HTML source of the message itself.

The "from" address in the email is bill@adulthehappytimes.com and this matches the name of the sending email server, mta11.adulthehappytimes.com on 188.225.9.190.

You might notice it says mta11 - indeed adulthehappytimes.com seems to have subdomains mta.adulthehappytimes.com through mta15.adulthehappytimes.com some of which are hosted at Heroku / AWS, but the ones that aren't are on the following IPs:

5.23.49.167
5.23.49.180
92.53.124.50
176.57.214.134
176.57.214.240
176.57.217.49
176.57.217.55
176.57.217.167
176.57.217.225
188.225.9.190
188.225.9.215

All of those belong to TimeWeb in Russia. The domain itself is also hosted on 5.23.49.180 (mta1.adulthehappytimes.com) but it appears to be parked. However, whoever controls this domain has gone to the effort of setting up 16 different mail servers. The WHOIS details show that the domain is actually ten years old.

Domain Name: ADULTHEHAPPYTIMES.COM
Domain ID: 1041994153_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2016-09-06T01:55:42Z
Creation Date: 2007-06-21T21:10:46Z
Registrar Registration Expiration Date: 2018-06-21T21:10:46Z
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Netfirms
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: Alexey Pokachalov
Registrant Organization: Alexey Pokachalov
Registrant Street: Stepana Razina 84-10
Registrant City: Togliatti
Registrant State/Province: NA
Registrant Postal Code: 445057
Registrant Country: RU
Registrant Phone: +17.9608367000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: genarur@gmail.com
Registry Admin ID: 


It's odd to see an old domain being used for spam like this, so perhaps the domain itself and its infrastructure have been hijacked. It is hard to be certain, but you also wouldn't post real contact details in the WHOIS and then solicit anonymous payments through Bitcoin, so my hunch is that the domain owner doesn't even know it is happening.

I don't know if Bitcoin wallet 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY is common to all these spam emails, but at the moment nobody has sent money to that Bitcoin wallet.
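The checks walked through above (no external image that could act as a tracking pixel, the From domain matching the sending host in the Received header, and the Bitcoin address the mail asks you to pay) can be automated for a mailbox full of these. The script below is an added example written for this post, not something from the original article; the raw message it parses is constructed from the headers quoted above with the body cut down to the relevant lines, and the Received header, the `triage()` function and the known-valid reference address used in the test are my own assumptions.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample modelled on the headers quoted in the post; the body is
# abbreviated to the lines the checks below care about. The Received header
# is assumed, not copied from the original message.
RAW_EMAIL = b"""Received: from mta11.adulthehappytimes.com (mta11.adulthehappytimes.com [188.225.9.190]) by mx.victimdomail.tld
From: Hannah Taylor <bill@adulthehappytimes.com>
Reply-To: bill@adulthehappytimes.com
To: contact@victimdomail.tld
Subject: Ticket ID: DMS-883-97867 Maybe this will change your life
Content-Type: text/html; charset=utf-8

<html><body><p>I accept only bitcoin, this is my wallet's address-
16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY U have 45 hours after opening my letter.
I will see when u read this letter, I adjusted special tracking pixel in it.</p></body></html>
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([\d.]+)\]\)")
IMG_RE = re.compile(r"<img\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)", re.I)
# Legacy Bitcoin addresses: version char 1 or 3, then 25-34 base58 chars.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def body_text(msg):
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part else ""


def sender_domain(msg):
    return msg["From"].addresses[0].domain.lower()


def first_hop(msg):
    """Hostname and IP our MX says it received the message from."""
    m = RECEIVED_RE.search(msg["Received"] or "")
    return (m.group(1).lower(), m.group(2)) if m else (None, None)


def html_images(msg):
    """External <img> sources: a real tracking pixel would have to be one of these."""
    return IMG_RE.findall(body_text(msg))


def valid_btc_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == check


def triage(raw):
    """Summarise the indicators discussed in the post for one raw message."""
    msg = parse(raw)
    domain = sender_domain(msg)
    host, ip = first_hop(msg)
    text = body_text(msg)
    return {
        "from_domain": domain,
        "reply_to": msg["Reply-To"].addresses[0].addr_spec,
        "first_hop": (host, ip),
        "sending_host_matches_from": host is not None and host.endswith("." + domain),
        "html_images": html_images(msg),
        "claims_tracking_pixel": "tracking pixel" in text.lower(),
        # Syntactic validity only; whether the wallet has received anything
        # still needs a block explorer lookup.
        "bitcoin_addresses": {a: valid_btc_address(a) for a in sorted(set(BTC_RE.findall(text)))},
    }


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

An empty `html_images` list next to `claims_tracking_pixel: True` is exactly the contradiction the post points out; the address check only confirms the wallet string is well formed, so the balance lookup stays a manual step.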



2 comments:

SeriesSeven said...

I received the same spam email on the 1/11/17.
The text is very similar with some slight variance.
To the best of my limited ability I checked for an image and it also did not appear to contain any whatsoever. The bitcoin wallet address differs. After reading your blog I checked it today with BitRef and it also currently contains nothing.

b said...

Received a similar email. Email received on Nov 2nd, 2017 from a dodorv dot com mail server and sender, the email also contains a List-Unsubscribe header that contains a link to fastme dot xyz. It contains a valid DKIM signature. The body contains a different bitcoin address. And he graciously gave me 50, not 45 hours. Completely bogus email, but it is cleverly written so it might make other recipients very nervous. Not me though. I don't visit pornography sites. :-)