Well, looks like the game is up. I've been exposed. Shame on me. Or, at least that is what a would-be blackmailer who sent me an e-mail last week would like me to believe.
Let's step back a bit to the Adult FriendFinder breach about 6 months ago. I had only in the last month began writing this blog, and my honeypot server was in its infant stages. I had signed up for a few dodgy sites using a fake e-mail address, but after the revelation of this breach, I went on a furious rampage of signing up for all the adult, software portal, and gambling websites that I could. One of those sites just so happened to be Ashley Madison which, as we all know, was breached just 2 months later. Within a day after the breach, I had a copy of the data dump and confirmed that my fake e-mail address was present. I then set about filing all of the Ashley Madison e-mail I received into a single folder in that same e-mail address' mailbox. Surprisingly, though, nothing really came of this breach in relation to me... at least until I checked my mailbox last night and found this gem that had been sent to me on 11/05/2015:
Subject: You are EXPOSED
Rita Rees shared this with you
I would like to tell you that Ashley Madison was recently hacked, and now I have all the information about your online affairs and even the cheatings you did ;) I have located all your social networking and dating website profiles, and using this I am going to send message to all of your friends and family members about this.
Well, for sure, you would feel ashamed if I tell your family members and friends about this, and it would be even more worse, when you meet them face to face. Wondering how to prevent me from doing this? Its simple, you need to send just 2 Bitcoin (i.e Two BTC) to the following Bitcoin address:
You may be wondering why should you and what will prevent other people from doing the same, in short you can now delete your social and dating accounts. So go ahead and give it a try. Do you think, you can get away so easily? I have already saved a copy of your profiles, pics, chat logs, and even the contact details of your relatives and friends.
To send a Bitcoin, you can use sites like CoinBase. If I do not receive the Bitcoin in the next 48 hours, I am going to contact all of your friends and relatives and post your profiles, pics, etc all ONLINE. Oh! I didnt tell you, that I know where you live and hangout, did I?
Just think if you are in committed relationship how this will affect your social standing amongst your friends, family members and others. Your countdown is started.
So, Rita Rees has all the information about my online affairs and cheating. She has located my social network and dating website profiles. She has also copied all of my info, including contact information for my friends and family. Oh, and she knows where I live and hang out. She demands that I give her 2 BTC ($327.90 at the time of writing this sentence, according to Preev) within 2 days of receiving this e-mail, or she will leak this information. I am writing this e-mail 5 days past her deadline, so at this point I guess I am out of luck. Or, y'know, I would be, if in fact I had actually done anything other than sign up for the website in the first place. But I am waxing verbose, so let's get technical, shall we?
First, the message headers. They are as such:
Authentication-Results: hotmail.com; spf=pass (sender IP is 18.104.22.168) firstname.lastname@example.org; dkim=pass header.d=yahoo.com; x-hmca=pass email@example.com
Received: from BAY004-MC6F34.hotmail.com ([10.148.226.105]) by SNT004-IMC2S16.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
Thu, 5 Nov 2015 06:02:04 -0800
Received: from n12-vm4.bullet.mail.bf1.yahoo.com ([22.214.171.124]) by BAY004-MC6F34.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
Thu, 5 Nov 2015 06:01:13 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1446732069; bh=nNO+9vKC6WpDpXnCnR5GUhXrgbRxYOuTs4LuKaEimf4=; h=Date:To:From:Reply-to:Subject:From:Subject;b=ByH98Z2F/nyf8b98ig+XJe4KHAOgmTGxMom/k1otyfFogfXA9gpdP3pxB/w64ayu1YquSIcplg9GLe2urKITNaLJFG9DCQkqHN5hIp4eMEpHOHkujvXPyuznKNbM2qzhDbqMbevKgvFtjzvyjdWlmRB+6hOgCEtO9bAQ/XDKYrM/x1i3y2yp3lOvs4rGcfftSCvEarV8y+8tFPnncGVk4eWJV4OqCUoz9XEbgTMZfcZDtkxKP1ioDryvBNPHYaSUfYgTHOhVp6mWcvlvh9XmReY+73S9fN7XW/wHz7j5CEBRWDCBxF41Ok2ixF7FWyJf95T+DaaFR6n6mooqA/4kcg==
Received: from [126.96.36.199] by n12.bullet.mail.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000
Received: from [10.193.189.227] by t4.bullet.mail.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000
Date: 05 Nov 2015 14:01:09 +0000
Received: from [127.0.0.1] by ec03.unp.bf1.yahoo.com with NNFMP; 05 Nov 2015 14:01:09 -0000
From: "Rita Rees via Yahoo"
Content-Type: text/html; charset="utf-8"
Subject: You are EXPOSED
X-OriginalArrivalTime: 05 Nov 2015 14:01:13.0930 (UTC) FILETIME=[6EC302A0:01D117D2]
Nothing exciting here. Someone shared something via Yahoo!'s NNFMP and it eventually landed in my Outlook mailbox. Not really anything of interest to be seen there.
The sender's e-mail address, firstname.lastname@example.org, did not return any Google results, and Maltego (which I have been using a lot lately) also came up with nothing of interest.
The only other piece of data that could be of interest would be the Bitcoin address, 1BXgGTQdNfPp9LtUr895VFqu8WVTtkmNvh. Blockchain.info lists 10 transactions to this wallet, and the total value of the wallet at the time of this sentence being written is 13.99985327 BTC, or approximately $4,651 according to Preev's current valuing of BTC. Googling that address also led me to a smattering of other posts online that indicate this e-mail has been sent to other people, but from a different sender. People also report in mixed numbers that they didn't even have an Ashley Madison account in the first place. However, we know now that Ashley Madison didn't verify e-mail addresses of new users, so for all we know people signed up on behalf of these unwitting victims.
Well, there isn't any more to offer on this one. Just thought I would get this out there in case people need something to turn up in Google results, and I also got a kick out of it. Took them long enough, though.