What happened
Last night one of my websites threw a runtime error, so I went to my mailbox to look for the error log the server sends automatically. It was not in the inbox, so I checked the spam folder. I did not find the error-log mail there either, but I did find an extortion email. The sender was myself, claiming to have sent the message through my Microsoft account, with the subject: I saw everything.

The mail was entirely in English. Skimming it, the gist was that because I had browsed "bad websites" and "clicked dangerous links", spyware (Pegasus) had been planted on my devices and a large number of "inappropriate videos" had been recorded; it demanded a ransom of 1900 US dollars, to be paid in BTC, or else the videos would be published.
The original text:
Hello pervert, I’ve sent this messаge from your Microsoft аccount.I wаnt to inform you аbout а very bаd situаtion for you. However, you cаn benefit from it, if you will аct wisеly.Hаve you heаrd of Pegаsus? This is а spywаre progrаm thаt instаlls on computers аnd smаrtphones аnd аllows hаckers to monitor the аctivity of device owners. It provides аccess to your webcаm, messengers, emаils, cаll records, etc. It works well on Android, iOS, mаcOS аnd Windows. I guess, you аlreаdy figured out where I’m getting аt.It’s been а few months since I instаlled it on аll your dеviсеs becаuse you were not quite choosy аbout whаt links to click on the intеrnеt. During this period, I’ve leаrned аbout аll аspects of your privаte life, but оnе is of speciаl significаnce to me.I’ve recorded mаny videos of you jerking off to highly controversiаl роrn videos. Given thаt the “questionаble” genre is аlmost аlwаys the sаme, I cаn conclude thаt you hаve sick реrvеrsiоn.I doubt you’d wаnt your friends, fаmily аnd co-workers to know аbout it. However, I cаn do it in а few clicks.Every number in your contаct Iist will suddenly receive these vidеоs – on WhаtsApp, on Telegrаm, on Instаgrаm, on Fаcebook, on emаil – everywhere. It is going to be а tsunаmi thаt will sweep аwаy everything in its pаth, аnd first of аll, your fоrmеr life.Don’t think of yourself аs аn innocent victim. No one knows where your реrvеrsiоn might leаd in the future, so consider this а kind of deserved рunishmеnt to stop you.I’m some kind of God who sees everything. However, don’t pаnic. As we know, God is merciful аnd forgiving, аnd so do I. But my mеrсy is not free.Trаnsfer 1900$ to my Litecoin (LTC) wаllet: ltc1qyvum4jc5vd5d63vuwxpakmjrmjq7ntrynl0z8fOnce I receive confirmаtion of the trаnsаction, I will реrmаnently delete аll videos compromising you, uninstаll Pegаsus from аll of your devices, аnd disаppeаr from your life. You cаn be sure – my benefit is only money. 
Otherwise, I wouldn’t be writing to you, but destroy your life without а word in а second.I’ll be notified when you open my emаil, аnd from thаt moment you hаve exаctly 48 hours to send the money. If cryptocurrencies аre unchаrtered wаters for you, don’t worry, it’s very simple. Just google “crypto exchange” or “buy Litecoin” аnd then it will be no hаrder thаn buying some useless stuff on Amаzon.I strongly wаrn you аgаinst the following:
* Do not reply to this emаil. I’ve sent it from your Microsoft аccount.* Do not contаct the police. I hаve аccess to аll your dеviсеs, аnd аs soon аs I find out you rаn to the cops, videos will be published.* Don’t try to reset or destroy your dеviсеs. As I mentioned аbove: I’m monitoring аll your аctivity, so you either аgree to my terms or the vidеоs аre рublished.Also, don’t forget thаt cryptocurrencies аre аnonymous, so it’s impossible to identify me using the provided аddrеss.Good luck, my perverted friend. I hope this is the lаst time we heаr from eаch other.And some friendly аdvice: from now on, don’t be so cаreless аbout your online security.
At first I genuinely panicked a little, because several of my sites recently used pirated plugins, and I wondered whether that was how my information had leaked. So I immediately searched online and found that many people had received similar emails.
So this is not really an extortion email at all, but a scam email.
Search and analysis
The mail works by exploiting human weakness: it fabricates the threat of "inappropriate videos" to create panic, and sets a 48-hour payment deadline to force the victim to act hastily. It mentions "the Pegasus spyware" to add credibility (the most convincing lie is a single false sentence buried in a passage that is otherwise true).
The nature of the scam:
- Looking closely, many of the letters "а" are actually the Cyrillic letter (Unicode U+0430). This deliberate visual confusion is commonly used to evade spam filters.
- Pegasus spyware does exist, but it is mainly aimed at political and business figures and is extremely expensive to deploy. The chance of an ordinary user being infected is negligible, and an attacker would not risk exposing such a costly tool.
- It claims full control of my devices yet needs to communicate by email; it says it can monitor all my activity yet asks me to search for how to buy cryptocurrency myself. These contradictions expose holes in the script.
- Although it appears to come from "your Microsoft account", the actual mail headers show that the real sending domain is a suspicious disposable-email service. This is classic email spoofing.
How sender forgery works
1. A design weakness in SMTP
The original mail protocol lets the From field be set to anything (just as a paper letter can carry any return address), and scammers exploit this:
# Simulated sender-forgery code (illustration; the host and addresses are placeholders)
import smtplib
from email.mime.text import MIMEText

msg = MIMEText("scam content")
msg["From"] = "your.email@gmail.com"  # forged freely: SMTP never verifies this header
msg["To"] = "your.email@gmail.com"
server = smtplib.SMTP("bulletproof-host.li", 587)
# The envelope sender (what the receiver records as Return-Path) is a different address
server.sendmail("bounce@bulletproof-host.li", ["your.email@gmail.com"], msg.as_string())
2. Display weakness in mail clients
Most clients show the From field rather than the verified Return-Path.
More advanced forgeries add Reply-To: scammer@darkmail.com to steer replies to the real address.
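As an added example (not code from the original post), the following Python check does what the analysis above describes: it compares the displayed From with Return-Path and Reply-To, reads the receiving server's Authentication-Results for the SPF/DKIM verdicts, and flags words that mix Latin and Cyrillic letters such as the U+0430 "а". The sample message, hostnames and addresses are constructed placeholders, not a real capture.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr
# Constructed sample (not a real capture) modelled on the scam above: placeholder
# hostnames, and several Latin "a" replaced with Cyrillic "а" (U+0430).
SAMPLE = """\
Return-Path: <bounce@bulletproof-host.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulletproof-host.example; dkim=none
From: your.email@example.com
Reply-To: scammer@darkmail.example
To: your.email@example.com
Subject: I saw everything
Content-Type: text/plain; charset="utf-8"

Hello pervert, I\u2019ve sent this mess\u0430ge from your Microsoft \u0430ccount.
Tr\u0430nsfer 1900$ to my Litecoin (LTC) w\u0430llet.
""".encode("utf-8")
WORD = re.compile(r"[^\W\d_]+")  # runs of letters in any script

def mixed_script_words(text):
    """Return (word, [code points]) for each word that mixes Latin and Cyrillic letters."""
    hits = []
    for word in WORD.findall(text):
        scripts = {c: unicodedata.name(c, "?").split()[0] for c in word}  # e.g. "LATIN"
        if {"LATIN", "CYRILLIC"} <= set(scripts.values()):
            cyr = sorted({f"U+{ord(c):04X}" for c, s in scripts.items() if s == "CYRILLIC"})
            hits.append((word, cyr))
    return hits

def domain(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def analyze(raw):
    """Flag From/Return-Path/Reply-To mismatches, failed SPF/DKIM results and homoglyphs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain(msg.get("From", ""))
    findings = []
    for hdr in ("Return-Path", "Reply-To"):  # envelope sender and reply target
        d = domain(msg.get(hdr, ""))
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} differs from From domain {from_dom}")
    # Authentication-Results is written by the receiving server, not by the sender
    for m in re.finditer(r"\b(spf|dkim)=(\w+)", str(msg.get("Authentication-Results", ""))):
        if m.group(2) != "pass":
            findings.append(f"{m.group(1)}={m.group(2)}")
    homoglyphs = mixed_script_words(msg.get_content())
    if homoglyphs:
        findings.append(f"{len(homoglyphs)} words mix Latin and Cyrillic letters")
    return {"findings": findings, "homoglyphs": homoglyphs}
```

Paste the raw source of a real message (the "Show original" view) into a bytes object and pass it to analyze() to get the same findings list.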
How it ended
If you receive a similar email, handle it as follows:
1. Initial verification
Check the full mail headers (click the menu in the top right of the mail → Show original)
Use MXToolbox to verify the SPF/DKIM status
Scan the cryptocurrency address from the mail on VirusTotal

2. Hardening
Immediately enable two-factor authentication with a hardware security key
Check the account sign-in history (Microsoft account: account.microsoft.com/security)
Update all devices to the latest OS version