­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ Return-Path: Delivered-To: info+spam@autozone.com.sa Received: from depro4.fcomet.com by depro4.fcomet.com with LMTP id EHnqMYyVC2TGTwkAfHesKA (envelope-from ) for ; Fri, 10 Mar 2023 21:39:40 +0100 Return-path: Envelope-to: info@autozone.com.sa Delivery-date: Fri, 10 Mar 2023 21:39:40 +0100 Received: from [209.14.227.247] (port=55291 helo=247.227.14.209.nethope.com.br) by depro4.fcomet.com with esmtp (Exim 4.95) (envelope-from ) id 1pajWf-002ZjS-Uq for info@autozone.com.sa; Fri, 10 Mar 2023 21:39:40 +0100 From: To: Date: 10 Mar 2023 13:28:00 -0400 Message-ID: <002601d95377$0285de47$1f0b1ea4$@autozone.com.sa> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Ac5ye4e85rlrncmo5ye4e85rlrncmo== Content-Language: en x-cr-hashedpuzzle: 2D4= e4e8 5rlr ncmo qu82 co4q u82c o4qu 82co 4qu8 2co4 qu82 co4q u82c o4qu 82co;1;4qu82co4qu8l3wnhwn13psmv8l3wnhwn13psmv8l3wnhwn13;Sosha1_v1;7;\{C3A168C4-D40A-0D78-1AD3-7F6FB1B6C3A1\};ZQB3AGUAZg8l3wnhwn13psmv8l3wnhwn13psmv8l3wnhwn13;10 Mar 2023 13:28:00 -0400;60qlcwhaxl5ods60 x-cr-puzzleid: \{C3A168C4-D40A-0D78-1AD3-7F6FB1B6C3A1\} X-Spam-Status: Yes, score=27.3 X-Spam-Score: 273 X-Spam-Bar: +++++++++++++++++++++++++++ X-Spam-Report: Spam detection software, running on the system "depro4.fcomet.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: Dear user of autozone.com.sa! I am a spyware software developer. Your account has been hacked by me couple months ago. The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2023-20026). Content analysis details: (27.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP) 4.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [209.14.227.247 listed in zen.spamhaus.org] 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL 1.1 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL [209.14.227.247 listed in psbl.surriel.com] 2.0 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) 1.5 KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy 0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment 2.0 RDNS_NONE Delivered to internal network by a host with no rDNS 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods 0.8 FSL_BULK_SIG Bulk signature with no Unsubscribe 1.0 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX 1.4 DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers 2.6 MALWARE_NORDNS Malware bragging + no rDNS X-Spam-Flag: YES Subject: ***SPAM*** Settle your debt in order to avoid additional fees. Dear user of autozone.com.sa! I am a spyware software developer. Your account has been hacked by me couple months ago. The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2023-20026). I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you. At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit. I note that it is useless to change the passwords. My malware update passwords from your accounts every times. I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :) I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality! So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts. Transfer $1340 to my Bitcoin cryptocurrency wallet: 14YLQ A98RN JX22W2 Prmc7PR QNf6QQ f1B1D Just copy and paste the wallet number when transferring. An important notice: I have specified my Bitcoin wallet with spaces, hence once you carry out a transfer, please make sure that you key-in my bitcoin address without spaces to be sure that your funds successfully reach my wallet! If you do not know how to do this - ask Google. My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system. Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it. Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material. P.S. Do not try to contact me (this is impossible, sender's address was randomly generated). I advise you to remain prudent and not engage in nonsense (all files on my server). Good luck!