Cybercrime: how the EUROPOL-themed sextortion scam works

Cybersecurity Researcher and Malware Hunter JAMESWT pretended to fall for the EUROPOL-themed child pornography sextortion scam that is circulating in Europe.
Here is how the sextortion scam circulating in the EU works. It is built on a fake Europol email carrying an alleged accusation of online child pornography.
Cybersecurity Researcher and Malware Hunter JAMESWT pretended to fall into the trap to understand its mechanisms, since the scam is widespread in many countries, as confirmed by emails written in different languages.
He did this by contacting the senders of the phishing message, as requested in the text of the email.
They replied, providing details on the alleged “crimes” and stating that his file would be sent within 72 hours to the European Attorney General. At the same time, however, they offered the possibility of an “amicable settlement” of the affair, upon payment of 9,978 euros.
Once the proposal had been accepted, they sent a new email providing the bank details of an individual to whom the transfer of the expected amount was to be made.
In another case, the request was almost double (18,578 euros) and the IBAN holder was different.
The cyber criminals go from hunters to prey and unintentionally reveal where the money from “friendly settlements” goes
JAMESWT continued to investigate the sextortion scam, writing to the cyber criminals that the bank details were not working. They answered by sending a new IBAN, in the name of a third person.
At that point the cybersecurity researcher set a trap for the fake EUROPOL officials. He sent them an email explaining that his limit for foreign transfers was lower than the amount required, and invited them to provide an Italian IBAN.
They proposed that he make two separate transfers.
However, after he objected that this was not possible, they disappeared into thin air. Meanwhile, with a simple Google search, JAMESWT discovered that all the IBANs communicated in the email conversation belong to a single company: “PFS CARD SERVICES IRELAND LIMITED, S.E.”, which manages and offers prepaid credit cards.