
Bitcoin (s)extortionists change tactics

Editorial Staff

The flood of sextortion e-mails demanding payment in bitcoin continues. However, while the body of the mails is increasingly standardised, the methods the criminals use to avoid detection are mutating, analysis of reports at GlobalKYC.com indicates.

Buried deep within the "headers" of e-mails is a large amount of information about the origin of the demands and the route they took.

One of the methods of identifying fraudulent emails is to check if the information in the mail header matches the centrally stored information relating to the server / domain that the mail purports to be from.

This is done via a DNS policy record called DMARC. DMARC is published by the internet domain owner, and anti-spam systems check whether the sending IP address is authorised for that domain and whether this agrees with the information in the header. If the sending domain has been spoofed (i.e. fraudulently entered by the criminal), a warning note in the header records that the IP address used is not authorised to use that domain name.

However, not all domain owners activate, or even know about, DMARC.

For example, criminals have targeted the mail servers of patongbayvacationclub.com and karonbeachclub.com. The owners of these domains have not set DMARC and, as a result, anti-spam tools report that mail from them is authorised.

What is worse is that, in the case of those two domains, criminals are actually sending from the servers themselves, which would render DMARC ineffective even if it were set. That is clear from the header lines that say:

"X-SPF-Result: se7.mailspamprotection.com: domain of patongbayvacationclub.com designates as permitted sender"

"Authentication-Results: mailspamprotection.com; spf=pass"

As a result, systems must fall back onto content analysis to identify suspicious e-mails.
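The header checks described above, as an added example that is not part of the original article: a small Python triage script that parses the Authentication-Results and From headers of a message, applies the SPF/DMARC logic the article outlines (an unauthorised IP or misaligned domain is rejected; SPF passing with no DMARC policy cannot be decided from headers), and falls back to a keyword check on the body when the headers cannot decide. The two sample messages, the filter host mx.filter.example, the placeholder domains and IP addresses, and the keyword list are all constructed assumptions, not data from the reports the article analyses.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Content-analysis fallback: phrases typical of the bitcoin extortion mails
# the article describes (assumption: a minimal illustrative list, not a rule set).
KEYWORDS = ("bitcoin", "btc", "send the payment")

# Constructed sample messages (not real captures). IPs are from documentation
# ranges and the domains are placeholders.
SAMPLE_SPOOFED = """\
From: "Account Team" <billing@example.org>
To: victim@example.net
Subject: Your account
Received: from relay.example.com (relay.example.com [203.0.113.5]) by mx.filter.example
X-SPF-Result: mx.filter.example: domain of example.org does not designate 203.0.113.5 as permitted sender
Authentication-Results: mx.filter.example; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail

Your account has been suspended. Please log in.
"""

SAMPLE_NO_DMARC = """\
From: "Reservations" <info@example.org>
To: victim@example.net
Subject: You have been recorded
Received: from mail.example.org (mail.example.org [198.51.100.7]) by mx.filter.example
X-SPF-Result: mx.filter.example: domain of example.org designates 198.51.100.7 as permitted sender
Authentication-Results: mx.filter.example; spf=pass smtp.mailfrom=example.org; dkim=none; dmarc=none

I have your webcam footage. Send 0.5 bitcoin within 48 hours.
"""


def parse_auth_results(msg):
    """Return {method: result} from the Authentication-Results headers,
    e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'none'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        # Drop the authserv-id before the first ';', then read method=result pairs.
        _, _, rest = str(header).partition(";")
        for part in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
    return results


def mailfrom_domain(msg):
    """Envelope sender domain recorded as smtp.mailfrom=, or '' if absent."""
    joined = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", joined, re.I)
    return m.group(1).lower() if m else ""


def assess(raw):
    """Triage one raw message using the header checks the article describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    spf, dmarc = auth.get("spf", "none"), auth.get("dmarc", "none")
    # DMARC-style alignment: the envelope domain must match the visible From: domain.
    aligned = from_domain != "" and mailfrom_domain(msg).endswith(from_domain)
    body = msg.get_content().lower()
    suspicious_content = any(k in body for k in KEYWORDS)

    if spf == "fail" or dmarc == "fail" or not aligned:
        verdict = "reject"            # header says the IP is not authorised for the domain
    elif suspicious_content:
        verdict = "quarantine"        # headers pass (or say nothing); content analysis decides
    elif dmarc == "pass":
        verdict = "authenticated"     # domain publishes DMARC and the mail passed it
    else:
        verdict = "content-analysis"  # SPF passes but no DMARC: headers alone cannot decide

    return {"from_domain": from_domain, "spf": spf, "dmarc": dmarc,
            "aligned": aligned, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOFED, SAMPLE_NO_DMARC):
        print(assess(sample))
```

The second sample is the case the article highlights: SPF passes because the mail really left the named domain's server, and with no DMARC record the headers give the filter nothing to reject on, so only the body decides. A mail sent from a compromised server that also passes DMARC would likewise reach the content check, which is why the keyword test runs before the "authenticated" verdict.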

These two changes in the way criminals operate mean that more extortion e-mails will be delivered to potential victims.
