This Account Was Recently Infected! Email Extortion Scam
I recently got an email, purportedly from my own account, that began with “This Account Was Recently Infected!” The full email is shown as an image below, with the text in the description tag of the image reference. The text was contained in an image file, and because the message spoofed my own account, my email client displayed the image. Concerned that my account had been hacked, I looked at the email source and discovered that it was just a spoofed email originating from a server in Japan. I Googled the first sentence and found many hits describing the email scam, one of which suggested reporting it to the FBI.
Because it included a Bitcoin wallet ID, I decided to go ahead and report to the FBI. Finding the right site is not a trivial task, but I did end up filing a report.
Image of Email Extortion Text
The extortion email was presented as an image, which allowed it to get past SpamAssassin and the spam filtering in Thunderbird. It also made it impossible to cut and paste the Bitcoin wallet ID into the FBI report.
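To make the evasion described above concrete, here is an added example (not code from the original post): it builds a constructed sample message with the same layout, empty text parts and a single inline image, using Python's standard email package, and then runs a simple check that flags a message whose only visible content is an image and whose From address equals its To address. The image bytes, addresses and the helper names build_image_only_message, build_plain_message and classify are all assumptions made for this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict


def build_image_only_message(sender: str, recipient: str, image_bytes: bytes) -> bytes:
    """Constructed sample: a multipart message whose text parts are empty and whose
    only content is an inline image (the image bytes are a stub, not the scam's image)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "This Account Was Recently Infected!"
    msg.set_content("")  # empty text/plain part: nothing for a text filter to score
    msg.add_alternative(
        '<html><body><img src="cid:body-image"></body></html>', subtype="html"
    )
    # Attach the image to the HTML alternative as a related part so the client
    # renders it inline rather than showing it as an attachment.
    msg.get_payload()[1].add_related(image_bytes, "image", "png", cid="<body-image>")
    return msg.as_bytes()


def build_plain_message(sender: str, recipient: str, text: str) -> bytes:
    """Constructed sample of an ordinary text message, for contrast."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Hello"
    msg.set_content(text)
    return msg.as_bytes()


def classify(raw: bytes) -> Dict:
    """Count visible words and image parts; flag image-only and self-addressed mail."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    words, images = 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # strip tags, keep visible text
            words += len(body.split())
        elif part.get_content_maintype() == "image":
            images += 1
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    return {
        "words": words,
        "images": images,
        "image_only": images > 0 and words == 0,
        "from_equals_to": bool(sender) and sender == recipient,
    }


if __name__ == "__main__":
    sample = build_image_only_message(
        "mail@domain_name.com", "mail@domain_name.com", b"\x89PNG\r\n\x1a\nstub"
    )
    print(classify(sample))
```

A message that scores "image_only" and "from_equals_to" at the same time is a strong candidate for quarantine; neither signal alone is conclusive, since newsletters are often image-heavy and people do mail themselves notes.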
Headers from the Extortion Email
In most email clients, you can view the source of the email, which shows the Received headers and gives you information on where the email may have originated. In this case, the headers show that the email started out at intercom-45-29.pro, which does not resolve to anything in DNSLytics, although intercom.pro does point to Russian ownership. From that first server it went to max-luomo.com, which is registered with a Japanese domain registrar. Note that only the Received line added by your own server (here, the hop that records its connection from oogw1239.ocn.ad.jp) is fully trustworthy; the lines below it were written by the other servers and could have been forged. In any case, it is clear that the sender did not compromise my email account or server.
Received: from cpanel.domain_name.com
by cpanel.domain_name.com with LMTP id 4C3ZCfrnn1xMEQAAdMgoMg
for ; Sat, 30 Mar 2019 17:04:42 -0500
Delivery-date: Sat, 30 Mar 2019 17:04:42 -0500
Received: from oogw1239.ocn.ad.jp ([18.104.22.168]:47343)
by cpanel.domain_name.com with esmtp (Exim 4.91)
for mail@domain_name.com; Sat, 30 Mar 2019 17:04:42 -0500
Received: from cmn-spm-mts-006c1.ocn.ad.jp (cmn-spm-mts-006c1.ocn.ad.jp [22.214.171.124])
by oogw1239.ocn.ad.jp (Postfix) with ESMTP id 6551360E8B
for ; Sun, 31 Mar 2019 07:03:57 +0900 (JST)
Received: from mwb-vc-mts-002c1.ocn.ad.jp ([126.96.36.199])
by cmn-spm-mts-006c1.ocn.ad.jp with ESMTP
id AM3Shggxt07dLAM4zhkTVZ; Sun, 31 Mar 2019 07:03:57 +0900
Received: from sgs-vcgw117.ocn.ad.jp ([188.8.131.52])
by mwb-vc-mts-002c1.ocn.ad.jp with ESMTP
id AM4zhSVQmPu64AM4zhc1qI; Sun, 31 Mar 2019 07:03:57 +0900
Received: from max-luomo.com (max-luomo.com [184.108.40.206])
by sgs-vcgw117.ocn.ad.jp (Postfix) with ESMTP id E800024019A
for ; Sun, 31 Mar 2019 07:03:56 +0900 (JST)
Received: from [intercom-45-29.pro] (unknown [220.127.116.11])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
by max-luomo.com (Postfix) with ESMTPSA id DB58F8401F6B
for ; Sun, 31 Mar 2019 07:03:50 +0900 (JST)
Date: Sat, 30 Mar 2019 23:03:47 +0100
This is a multi-part message in MIME format
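The walk through the Received headers described above can be automated. The following is an added example (not code from the original post) that unfolds the header block quoted here, parses each Received line into from/by/with/id/ip/timestamp, reads the chain bottom-up as the chronological path, and reports the claimed origin, the first hop recorded by your own server (the only one you can trust), whether the claimed origin is inside your own domain, and the total transit time. The sample header text is copied from this page, with the recipient address after "for" left blank as it is there; the helper names and the domain_name.com argument are assumptions for this example.

```python
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample: the Received chain quoted on this page, continuation lines
# indented as they would be in the raw message source.
SAMPLE_HEADERS = "\n".join([
    "Received: from cpanel.domain_name.com",
    "\tby cpanel.domain_name.com with LMTP id 4C3ZCfrnn1xMEQAAdMgoMg",
    "\tfor ; Sat, 30 Mar 2019 17:04:42 -0500",
    "Delivery-date: Sat, 30 Mar 2019 17:04:42 -0500",
    "Received: from oogw1239.ocn.ad.jp ([18.104.22.168]:47343)",
    "\tby cpanel.domain_name.com with esmtp (Exim 4.91)",
    "\tfor mail@domain_name.com; Sat, 30 Mar 2019 17:04:42 -0500",
    "Received: from cmn-spm-mts-006c1.ocn.ad.jp (cmn-spm-mts-006c1.ocn.ad.jp [22.214.171.124])",
    "\tby oogw1239.ocn.ad.jp (Postfix) with ESMTP id 6551360E8B",
    "\tfor ; Sun, 31 Mar 2019 07:03:57 +0900 (JST)",
    "Received: from mwb-vc-mts-002c1.ocn.ad.jp ([126.96.36.199])",
    "\tby cmn-spm-mts-006c1.ocn.ad.jp with ESMTP",
    "\tid AM3Shggxt07dLAM4zhkTVZ; Sun, 31 Mar 2019 07:03:57 +0900",
    "Received: from sgs-vcgw117.ocn.ad.jp ([188.8.131.52])",
    "\tby mwb-vc-mts-002c1.ocn.ad.jp with ESMTP",
    "\tid AM4zhSVQmPu64AM4zhc1qI; Sun, 31 Mar 2019 07:03:57 +0900",
    "Received: from max-luomo.com (max-luomo.com [184.108.40.206])",
    "\tby sgs-vcgw117.ocn.ad.jp (Postfix) with ESMTP id E800024019A",
    "\tfor ; Sun, 31 Mar 2019 07:03:56 +0900 (JST)",
    "Received: from [intercom-45-29.pro] (unknown [220.127.116.11])",
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))",
    "\t(Client did not present a certificate)",
    "\tby max-luomo.com (Postfix) with ESMTPSA id DB58F8401F6B",
    "\tfor ; Sun, 31 Mar 2019 07:03:50 +0900 (JST)",
    "Date: Sat, 30 Mar 2019 23:03:47 +0100",
])

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join folded header continuation lines (leading whitespace) to their field."""
    fields: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.strip())
    return fields


def parse_received(raw: str) -> List[Dict]:
    """Return one dict per Received header, in header order (top = last hop)."""
    hops: List[Dict] = []
    for field in unfold(raw):
        if not field.lower().startswith("received:"):
            continue
        clauses, _, stamp = field[len("Received:"):].strip().rpartition(";")
        m_from = re.search(r"\bfrom\s+\[?([^\s\]\[(]+)\]?", clauses)
        m_by = re.search(r"\bby\s+(\S+)", clauses)
        before_by = clauses[: m_by.start()] if m_by else clauses
        after_by = clauses[m_by.end():] if m_by else ""
        m_with = re.search(r"\bwith\s+(\S+)", after_by)
        m_id = re.search(r"\bid\s+(\S+)", after_by)
        m_ip = IPV4.search(before_by)          # connecting IP as seen by "by" host
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", stamp.strip())  # drop "(JST)"
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "with": m_with.group(1) if m_with else None,
            "id": m_id.group(1) if m_id else None,
            "ip": m_ip.group(1) if m_ip else None,
            "when": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def trace(raw: str, own_domain: str) -> Dict:
    """Summarise the delivery path relative to the recipient's own mail domain."""
    chronological = list(reversed(parse_received(raw)))  # bottom header = first hop
    if not chronological:
        return {}

    def own(host: Optional[str]) -> bool:
        return host is not None and host.lower().endswith(own_domain.lower())

    first, last = chronological[0], chronological[-1]
    # The first hop whose recording server is ours is the only one we can trust.
    entry = next((h for h in chronological if own(h["by"]) and not own(h["from"])), None)
    transit = (last["when"] - first["when"]).total_seconds() if first["when"] and last["when"] else None
    return {
        "path": [h["from"] for h in chronological],
        "claimed_origin": first["from"],
        "claimed_origin_ip": first["ip"],
        "trusted_entry": entry["from"] if entry else None,
        "trusted_entry_ip": entry["ip"] if entry else None,
        "originated_internally": own(first["from"]),
        "transit_seconds": transit,
    }


if __name__ == "__main__":
    for key, value in trace(SAMPLE_HEADERS, "domain_name.com").items():
        print(f"{key}: {value}")
```

Run against the headers above, the claimed origin is intercom-45-29.pro (220.127.116.11, with no reverse DNS, hence "unknown"), the trusted entry point is oogw1239.ocn.ad.jp, and "originated_internally" is False, which is the evidence behind the conclusion that the account and server were not compromised.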
This is a hoax and a scam. Sadly, it is a part of life today.