Extortion emails from Microsoft’s outlook.com mail service


Extortion email from a criminal scumbag

A new scam: this time, extortion attempts originating from Microsoft’s outlook.com mail system.

[Update 25Aug2018] These emails seem to have slowed/stopped. Either the scammers have given up (doubt it) or Microsoft has put some intelligence into their system to prevent them. Well done Microsoft!

These attempts are addressed to email addresses whose online account password was previously discovered by other hackers, and they include that password in the subject line of the email. The email is written in good English, unlike many other scam and extortion emails.

If you receive an email like the ones below, it’s an attempt to extort money from you. The extortionist doesn’t have anything, so don’t pay. Instead, report it by using the instructions at https://support.office.com/en-us/article/deal-with-abuse-phishing-or-spoofing-in-outlook-com-0d882ea5-eedc-4bed-aebc-079ffa1105a3 which I have copied here for your convenience:

Reporting abuse

  • If you’re being threatened, call your local law enforcement.

  • To report harassment, impersonation, child exploitation, child pornography, or other illegal activities received via an Outlook.com account, forward the offending email as an attachment to abuse@outlook.com. Include any relevant info, such as the number of times you’ve received messages from the account and the relationship, if any, between you and the sender.

    Note: To learn how to add a message as an attachment, see Attach an email to another email.

  • To report abuse received from a non-Outlook.com account, go to https://www.abuse.net to identify the correct abuse reporting address.

I encourage you to report it as above because this lets Microsoft know they need to act: not just blocking accounts reactively, but proactively blocking the email from going out and forwarding all relevant information to law enforcement. Let’s all help catch these criminals. Don’t forget to attach the offending email rather than just forwarding it; you don’t need the mail server logs to do it.

Below are the last three emails I received, from oldest to newest, including the mail server log and email headers. I have obscured my email address and the password:

  • The first from Annette Moroianu <tsvswelchheubertud@outlook.com>
  • Second from Hipolito Payton <hthzcolbyramseypc@outlook.com>
  • The third from Lonnie Killip <ernesttgdpender@outlook.com>
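A triage check built from the traits these three messages share, as an added example (not code from the original post): it flags a message whose subject starts with the recipient's local part and whose body carries a checksum-valid Bitcoin address, and separately reports the SFV/SCL verdict from the x-forefront-antispam-report header reproduced below. The sample messages, `user@example.org`, `PLACEHOLDER` and all function names are constructed for illustration; the address in the samples is the well-known Bitcoin genesis-block address, used only as a checksum-valid test vector.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# "<local part> - <token>", optional "RE:" prefix, hyphen or en dash.
# The token (the leaked password) is deliberately not captured or logged.
SUBJ_RE = re.compile(r"^(?:re:\s*)?(?P<who>\S+)\s+[-\u2013]\s+\S+", re.I)


def valid_base58check(addr):
    """True if addr decodes to 25 bytes ending in their double-SHA-256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    check = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return len(raw) == 25 and check == raw[-4:]


def btc_addresses(text):
    """Checksum-valid Base58 addresses in text; random look-alike strings drop out."""
    return [a for a in BTC_RE.findall(text) if valid_base58check(a)]


def forefront_fields(msg):
    """Split 'SFV:SPM;...;DIR:OUT;SCL:5;' into a dict keyed by field name."""
    fields = {}
    for part in str(msg.get("X-Forefront-Antispam-Report", "")).split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val
    return fields


def triage(raw_message):
    """Return (verdict, signals) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt_local = parseaddr(str(msg.get("To", "")))[1].split("@")[0].lower()
    subj = SUBJ_RE.match(str(msg.get("Subject", "")))
    ff = forefront_fields(msg)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    signals = {
        "outlook_sender": sender.endswith("@outlook.com"),
        "subject_names_recipient": bool(subj) and subj.group("who").lower() == rcpt_local,
        "btc_address_in_body": bool(btc_addresses(text)),
        # Advisory only: this header is not in the DKIM h= list shown below,
        # so the content traits are evaluated independently of it.
        "sender_marked_spam": ff.get("DIR") == "OUT" and ff.get("SFV") == "SPM",
        "scl": ff.get("SCL"),
    }
    if signals["subject_names_recipient"] and signals["btc_address_in_body"]:
        verdict = "extortion-pattern"
    elif signals["sender_marked_spam"]:
        verdict = "sender-marked-spam"
    else:
        verdict = "pass"
    return verdict, signals


# --- constructed sample input (not the messages from this post) ---
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # checksum-valid test vector


def sample(sfv, scl, subject, body):
    return (
        "From: Example Sender <sender@outlook.com>\n"
        "To: user@example.org\n"
        f"Subject: {subject}\n"
        f"X-Forefront-Antispam-Report: SFV:{sfv};SFS:(7070007);DIR:OUT;SFP:1501;SCL:{scl};\n"
        "\n" + body + "\n"
    )


SPM_SAMPLE = sample("SPM", 5, "user - PLACEHOLDER", f"Receiving Bitcoin Address: {GENESIS}")
NSPM_SAMPLE = sample("NSPM", 1, "RE: user - PLACEHOLDER", f"Bitcoin Address to Send to: {GENESIS}")
SPAM_ONLY = sample("SPM", 5, "Cheap watches", "Buy now.")
BENIGN = sample("NSPM", 1, "Lunch on Friday?", "See you at noon.")

if __name__ == "__main__":
    for name in ("SPM_SAMPLE", "NSPM_SAMPLE", "SPAM_ONLY", "BENIGN"):
        print(name, *triage(globals()[name]))
```

In the headers below, Microsoft's outbound filter stamped examples 1 and 2 with SFV:SPM and SCL:5 but example 3 with SFV:NSPM and SCL:1, which is why the subject and body traits are checked independently of that header.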

Example 1 from Annette Moroianu <tsvswelchheubertud@outlook.com>

Mail server log

Jul 15 02:50:37 <my-server-ip> postfix/smtpd[25996]: connect from mail-pu1apc01hn0245.outbound.protection.outlook.com[104.47.126.245]

Jul 15 02:50:38 <my-server-ip> postfix/smtpd[25996]: AA692210DA07: client=mail-pu1apc01hn0245.outbound.protection.outlook.com[104.47.126.245]

Jul 15 02:50:39 <my-server-ip> postfix/cleanup[26004]: AA692210DA07: message-id=<TYAPR04MB2463293DDA285CABBBEA73B1C35F0@TYAPR04MB2463.apcprd04.prod.outlook.com>

Jul 15 02:50:39 <my-server-ip> postfix/qmgr[1913]: AA692210DA07: from=<tsvswelchheubertud@outlook.com>, size=12462, nrcpt=2 (queue active)

Jul 15 02:50:39 <my-server-ip> postfix/pipe[26006]: AA692210DA07: to=<me>@<my-domain>, orig_to=<me>@<my-domain>, relay=dovecot, delay=0.94, delays=0.91/0.02/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)

Jul 15 02:50:39 <my-server-ip> postfix/smtpd[25996]: disconnect from mail-pu1apc01hn0245.outbound.protection.outlook.com[104.47.126.245]

Email header

Return-Path: <tsvswelchheubertud@outlook.com>
Delivered-To: <me>@<my-domain>
Received: from APC01-PU1-obe.outbound.protection.outlook.com (mail-pu1apc01hn0245.outbound.protection.outlook.com [104.47.126.245])
by <my-mailserver> (Postfix) with ESMTPS id AA692210DA07
for <me>@<my-domain>; Sun, 15 Jul 2018 02:50:38 +0930 (ACST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=YvztMgxFGW3yxa7YcHOxCj/lTNMcUrSHy4SaQ1D1jMk=;
b=k+iQVvviDgDCu9+g0k06z9uWOsbyacTVZP8Fu/JZnF4nK1zO2ijv5onwWLYCv62MpMsMqCc9/8w1V2uZBS+HoqgSkfGzo0RH5DOfLY6LUZdZTbTCyaYNrLRymA+M2DwU3moX+MYBm5s8jVhXcgT5IpYA+oCsxzDAPA6v7VRSQkOposQzVdX5CNB+3M42yxOJZvsZmW8slxEMX1aZ3v5yZldbYLaIb4mY2kxdz+l+45vCh3xhyEqaer1Cz5ZmC2uBbpJTtCZ+JAt+D1hHaP52hptaFm0tgqAjl8Zx1CkBw4ruBwXNOgDU/inx4h8Y8oIFf00O6hm5otBvjcV0wZiRcg==
Received: from SG2APC01FT024.eop-APC01.prod.protection.outlook.com
(10.152.250.60) by SG2APC01HT071.eop-APC01.prod.protection.outlook.com
(10.152.251.211) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.952.17; Sat, 14
Jul 2018 17:20:31 +0000
Received: from TYAPR04MB2463.apcprd04.prod.outlook.com (10.152.250.60) by
SG2APC01FT024.mail.protection.outlook.com (10.152.250.185) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.930.16 via
Frontend Transport; Sat, 14 Jul 2018 17:20:31 +0000
Received: from TYAPR04MB2463.apcprd04.prod.outlook.com
([fe80::9464:f9c0:413c:f322]) by TYAPR04MB2463.apcprd04.prod.outlook.com
([fe80::9464:f9c0:413c:f322%13]) with mapi id 15.20.0952.017; Sat, 14 Jul
2018 17:20:31 +0000
From: Annette Moroianu <tsvswelchheubertud@outlook.com>
To: “<me>@<my-domain>” <me>@<my-domain>
Subject: <me> – <old password>
Thread-Topic: <me> – <old password>
Thread-Index: AQHUG5b364BXpfZWiUS0sQEVUYzL3g==
Date: Sat, 14 Jul 2018 17:20:31 +0000
Message-ID: <TYAPR04MB2463293DDA285CABBBEA73B1C35F0@TYAPR04MB2463.apcprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:9C77261EFB3BB47C24E06D0583EB8A2487BA0BABE2348D97DD8AF72F6119B4EE;UpperCasedChecksum:121C450B6A2940FBE217B23160AC6936C2B1EF859F91E76C5ED36311DE42FFBE;SizeAsReceived:6819;Count:43
x-tmn: [NFIPpuw5gMiYrJ/eCCk1qEvCwsvYt7EO]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;SG2APC01HT071;7:1+GuoNuCW6C3cgLIouc383PxTbEaFcIPaRJ6Z6CdGXIR4a03LNqDRWQwYLFUXBqMA0tfudDft5Bh/zxkUyq+b20dib6EvUZZY18zETVQ0SV/shTweWwYLfja66KmceY7Sjad+/yNnbAvfZDejMheKX5lUIso48n9pHY9hxVIxtducNlQduaCeqaVRRMwcyMXfYziVlNHV0FKfWfUjK92NCTcf4yCB9P835O6XjCZDBgpHgIUgvmDPb3d6vtTAkgu
x-incomingheadercount: 43
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125500)(1701031045);SRVR:SG2APC01HT071;
x-ms-traffictypediagnostic: SG2APC01HT071:
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(82015058);SRVR:SG2APC01HT071;BCL:0;PCL:0;RULEID:;SRVR:SG2APC01HT071;
x-forefront-prvs: 07334CBCCD
x-forefront-antispam-report: SFV:SPM;SFS:(7070007)(979002)(189003)(199004)(8936002)(2900100001)(551544002)(68736007)(1730700003)(81156014)(8676002)(74316002)(25786009)(7696005)(55016002)(54896002)(97736004)(256004)(14444005)(20460500001)(19627235002)(86362001)(6916009)(6436002)(5640700003)(82202002)(486006)(10156002)(56003)(476003)(5660300001)(33656002)(87572001)(106356001)(426003)(2351001)(6346003)(102836004)(2501003)(5250100002)(26005)(14454004)(53906005)(99286004)(105586002)(104016004)(173224004)(332134003)(98824002)(42522002)(42262002)(969003)(989001)(999001)(1009001)(1019001);DIR:OUT;SFP:1501;SCL:5;SRVR:SG2APC01HT071;H:TYAPR04MB2463.apcprd04.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:;
received-spf: None (protection.outlook.com: outlook.com does not designate
permitted sender hosts)
authentication-results: spf=none (sender IP is )
smtp.mailfrom=tsvswelchheubertud@outlook.com;
x-microsoft-antispam-message-info: jcftIUeEX5KMGbUPpmWIUygVxrNDEqi0wRwyVTEoYM6/8U4MEGXMzdMf4J8sg+0s23hv4d0fWN4gZjC+ZWcgnbhKvS7KJGwykge6b+8kmLY3W7BNxeJO5Og0gv/bgv++yCGvnApoaPSDWOtkyuIWf7Gz/IWy+RSZHvORLZfbw/aAW8NbqkgHe6LdSJfszvBSWaDWMnSVTD4C2NfsSRcwOGusA2j9EvydZV0tnPR4OSQ=
Content-Type: multipart/alternative;
boundary=”_000_TYAPR04MB2463293DDA285CABBBEA73B1C35F0TYAPR04MB2463apcp_”
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 54485d23-c432-40fe-8436-6091d627118c
X-MS-Exchange-CrossTenant-Network-Message-Id: 85e62cc3-6fa1-4687-6b6e-08d5e9ae19e6
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 54485d23-c432-40fe-8436-6091d627118c
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2018 17:20:31.0280
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SG2APC01HT071

Email body

I’m going to cut to the chase. I do know <old password> is your password. Most importantly, I know about your secret and I have evidence of it. You do not know me and no one employed me to investigate you.

It is just your bad luck that I came across your misdemeanor. The truth is, I actually setup a malware on the adult videos (porn material) and you visited this website to experience fun (you know what I mean). When you were watching video clips, your web browser began functioning as a Rdp (Remote control desktop) having a keylogger which gave me accessibility to your screen as well as cam. Right after that, my software obtained your complete contacts from your facebook, as well as email.

I then put in more time than I should’ve exploring into your life and created a two screen video. First part displays the video you were viewing and second part shows the video of your webcam (its you doing inappropriate things).

Honestly, I am ready to forget about you and allow you to continue with your daily life. And my goal is to provide you two options which will achieve that. The two option is either to ignore this letter, or just pay me $ 1900. Let us examine above 2 options in details.

Option 1 is to ignore this message. Let us see what will happen if you select this option. I will definately send your video to all of your contacts including close relatives, co-workers, and many others. It will not help you avoid the humiliation your household will have to face when friends and family learn your sordid videos from me.

Other Option is to pay me $ 1900. We’ll call this my “privacy charges”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the recording immediately. You continue on with your lifetime as though nothing like this ever occurred.

Now you must be thinking, “I should call the cops”. Without a doubt, I have covered my steps to ensure this e mail cannot be tracked back to me plus it will not stay away from the evidence from destroying your health. I am not looking to dig a hole in your pocket. I just want to get paid for my efforts I put into investigating you. Let’s assume you decide to generate pretty much everything disappear and pay me the confidentiality fee. You will make the payment through Bitcoins (if you don’t know how, search “how to buy bitcoins” on search engine)

Required Amount: $ 1900
Receiving Bitcoin Address: 1N9M8prUzY1qKcn3SpxqDzLiK7PGEfVs6V
(It is cASe sensitive, so copy and paste it)

Tell nobody what will you be using the Bitcoins for or they may not sell it to you. The method to obtain bitcoin may take a day or two so do not delay.
I’ve a specific pixel within this email, and at this moment I know that you have read through this e mail. You now have 48 hours in order to make the payment. If I don’t get the BitCoins, I will send out your video recording to your contacts including friends and family, co-workers, and so on. You better come up with an excuse for friends and family before they find out. Nonetheless, if I receive the payment, I’ll erase the video immediately. It’s a non negotiable one time offer, so please do not waste my time and yours. The clock is ticking.

Example 2 from Hipolito Payton <hthzcolbyramseypc@outlook.com>

Mail server log

Jul 18 14:15:11 <my-server-ip> postfix/smtpd[25649]: B21782017D4B: client=mail-am5eur02hn0236.outbound.protection.outlook.com[104.47.4.236]

Jul 18 14:15:12 <my-server-ip> postfix/cleanup[25655]: B21782017D4B: message-id=<VI1PR04MB48322BFE83EB2E3A073A813FAB530@VI1PR04MB4832.eurprd04.prod.outlook.com>

Jul 18 14:15:12 <my-server-ip> postfix/qmgr[1913]: B21782017D4B: from=<hthzcolbyramseypc@outlook.com>, size=12288, nrcpt=2 (queue active)

Jul 18 14:15:12 <my-server-ip> postfix/pipe[25656]: B21782017D4B: to=<me>@<my-domain>, orig_to=<me>@<my-domain>, relay=dovecot, delay=1.1, delays=1.1/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)

Jul 18 14:15:12 <my-server-ip> postfix/smtpd[25649]: disconnect from mail-am5eur02hn0236.outbound.protection.outlook.com[104.47.4.236]

Email header

Return-Path: <hthzcolbyramseypc@outlook.com>
Delivered-To: <me>@<my-domain>
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-am5eur02hn0236.outbound.protection.outlook.com [104.47.4.236])
by <my-mailserver> (Postfix) with ESMTPS id B21782017D4B
for <me>@<my-domain>; Wed, 18 Jul 2018 14:15:11 +0930 (ACST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=AIPs8rP4MKGzLGqpAo3E32u2sY39Dke1Y5RJ7rLKnb4=;
b=MTB5vRSvJJEHzOFORGc5xmsgI9hJ+6RHt9nbsYn8u/QDKbpSxYPjHQhKY6wOTQOlBf1zovNabVfCLBZYBjQgdJXwB+6kxRqnAxPUYnWLOxLc2ZF6MyVIcsXQXMGzY2XxF0i/2Bo/YsMESCJz4l3aEB2lFkVIaevHksfn5ATiLMVBmvNqgoixF2mnwPdP+phsHl3elYAR6XCdwSCZsl5fdew9w6yaaSyW0cXl9f22n3sxlnFk9P7il8Te5q5Kp/SGvrcXBuNY0yGD5WPGcLc6ZVdvZlMmIcSfEdcQJnAoO9yanrjCqqGTb9R6Od3zWJ/KJvfwvVCQaW/1d3MQmXPS+A==
Received: from HE1EUR02FT018.eop-EUR02.prod.protection.outlook.com
(10.152.10.59) by HE1EUR02HT058.eop-EUR02.prod.protection.outlook.com
(10.152.11.98) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.952.17; Wed, 18
Jul 2018 04:45:08 +0000
Received: from VI1PR04MB4832.eurprd04.prod.outlook.com (10.152.10.54) by
HE1EUR02FT018.mail.protection.outlook.com (10.152.10.248) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.20.952.17 via Frontend Transport; Wed, 18 Jul 2018 04:45:08 +0000
Received: from VI1PR04MB4832.eurprd04.prod.outlook.com
([fe80::9843:f103:17bc:ed45]) by VI1PR04MB4832.eurprd04.prod.outlook.com
([fe80::9843:f103:17bc:ed45%3]) with mapi id 15.20.0952.021; Wed, 18 Jul 2018
04:45:08 +0000
From: Hipolito Payton <hthzcolbyramseypc@outlook.com>
To: “<me>@<my-domain>” <me>@<my-domain>
Subject: RE: <me> – <old password>
Thread-Topic: <me> – <old password>
Thread-Index: AQHUHlIaFeVP6c2NIkWjNfoHwcJDZw==
Date: Wed, 18 Jul 2018 04:45:08 +0000
Message-ID: <VI1PR04MB48322BFE83EB2E3A073A813FAB530@VI1PR04MB4832.eurprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:E0108DA1969701BD0CF9BB1D51E5DF0FA20957C34168C7E619ACA39A6184560B;UpperCasedChecksum:8FAE9B4278A61C4330C8AAD12F0C3B2BFA1D71D83BEAD649B542B21549992B83;SizeAsReceived:6815;Count:43
x-tmn: [cwao4IvyUCk5Pq3g/+zRopq/Fr2U4PMo]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;HE1EUR02HT058;7:zQ0K3OSr0L/wR3ryxmLFk1hDN1YNA6Xk73qeCKAnx7G8yKUa4FqqPPOeePxBF14aQkt4ZCexy2hxWwYcqQyXVGWE62C6LAx7RJBKQGckjmgfOwvHN3myMwMLWHUWyozrbZ90NQL4QyVQGpyyCENEpMkr18CXRoDeIDXvyjvWR20vHDQiGCCzwUHpOry9ja1z57Ax607yrx+GKlnmDHGPm2VvpwvBbyEcAqQ6eyJ82hO3iKEL2JuzsX8pBW9y3iDZ
x-incomingheadercount: 43
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125500)(1701031045);SRVR:HE1EUR02HT058;
x-ms-traffictypediagnostic: HE1EUR02HT058:
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(82015058);SRVR:HE1EUR02HT058;BCL:0;PCL:0;RULEID:;SRVR:HE1EUR02HT058;
x-forefront-prvs: 0737B96801
x-forefront-antispam-report: SFV:SPM;SFS:(7070007)(199004)(189003)(5640700003)(8676002)(106356001)(6246003)(53906005)(81156014)(1730700003)(33656002)(55016002)(25786009)(68736007)(5660300001)(8936002)(54896002)(6916009)(97736004)(82202002)(6436002)(20460500001)(229853002)(104016004)(2351001)(56003)(10156002)(87572001)(2900100001)(14454004)(105586002)(7696005)(5250100002)(2501003)(476003)(99286004)(256004)(426003)(86362001)(6346003)(74316002)(26005)(19627235002)(102836004)(14444005)(486006)(173224004)(332134003);DIR:OUT;SFP:1501;SCL:5;SRVR:HE1EUR02HT058;H:VI1PR04MB4832.eurprd04.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:;
received-spf: None (protection.outlook.com: outlook.com does not designate
permitted sender hosts)
authentication-results: spf=none (sender IP is )
smtp.mailfrom=hthzcolbyramseypc@outlook.com;
x-microsoft-antispam-message-info: 4LeUQuT9XD4pJC0w1AB7KInKONvikyLBkGisZ2zqdbjxB2Y+o1w8ipwTAZWsKcDx8xtp9VEOb9EGmkAjDq8gMsLmhnbDWhauq1dzfL+xR6DHcxfGFfQ8/rEy4wjyakoEPHZaCc00HOju3rJQONSJCqWUlDfEaxmREv9GhKsxWZC91KUYj7lG2+LJTwpaq5J1J6DH4GAWc2eMrAfFvPKMJ0d9o3l3G67szlmQrGc8La4=
Content-Type: multipart/alternative;
boundary=”_000_VI1PR04MB48322BFE83EB2E3A073A813FAB530VI1PR04MB4832eurp_”
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: dd759f05-a917-4aa0-a2f5-4cc35c50e0c8
X-MS-Exchange-CrossTenant-Network-Message-Id: bcb58153-0a80-4fa7-aa42-08d5ec693cf3
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: dd759f05-a917-4aa0-a2f5-4cc35c50e0c8
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jul 2018 04:45:08.0647
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR02HT058

Email message

Let’s get straight to the point. I’m aware <old password> is your pass word. Most importantly, I know your secret and I’ve evidence of it. You don’t know me personally and nobody employed me to check out you.

It is just your hard luck that I came across your blunder. Actually, I actually placed a malware on the adult videos (pornography) and you visited this web site to have fun (you know what I mean). While you were watching videos, your web browser began working as a Rdp (Remote control desktop) with a key logger which gave me access to your screen as well as cam. Just after that, my software gathered all your contacts from fb, as well as e-mail.

After that I put in more time than I should’ve looking into your life and created a two view video. 1st part displays the recording you were viewing and 2nd part shows the recording of your web camera (its you doing nasty things).

Frankly, I am ready to forget details about you and let you get on with your life. And I am about to give you 2 options that may achieve that. The above choices either to ignore this letter, or simply pay me $3200. Let us investigate above 2 options in more details.

Option One is to ignore this e-mail. Let us see what is going to happen if you pick this option. I definitely will send your video recording to all of your contacts including members of your family, coworkers, and so on. It doesn’t protect you from the humiliation you and your family will need to feel when friends and family find out your sordid details from me.

Other Option is to pay me $3200. We will name this my “privacy tip”. I will explain what happens if you choose this choice. Your secret remains your secret. I’ll destroy the recording immediately. You go on with your life that nothing like this ever happened.

At this point you must be thinking, “I should call the cops”. Without a doubt, I’ve covered my steps in order that this e-mail can’t be traced back to me plus it won’t stop the evidence from destroying your daily life. I’m not looking to dig a hole in your pocket. I just want to get compensated for time I place into investigating you. Let’s hope you have chosen to create all of this disappear and pay me the confidentiality fee. You will make the payment via Bitcoin (if you do not know how, type “how to buy bitcoins” on google search)

Amount to be paid: $3200
Bitcoin Address to Send to: 1F8dxmQMskgBowr6AW33P3biLfvopLTmYf
(It’s cASe sensitive, so you should copy and paste it carefully)

Expalin no-one what will you be using the bitcoin for or they may not provide it to you. The method to acquire bitcoins may take a few days so do not delay.
I have a specific pixel within this e-mail, and right now I know that you have read this email message. You have 2 days to make the payment. If I don’t receive the Bitcoins, I will definitely send your video recording to your contacts including friends and family, coworkers, and many others. You better come up with an excuse for friends and family before they find out. Nevertheless, if I do get paid, I will erase the proof immediately. It’s a non-negotiable offer, so don’t ruin my personal time & yours. Your time has started.

Example 3 from Lonnie Killip <ernesttgdpender@outlook.com>

Mail server log

Jul 20 05:58:15 <my-server-ip> postfix/smtpd[6114]: connect from mail-oln040092253041.outbound.protection.outlook.com[40.92.253.41]

Jul 20 05:58:16 <my-server-ip> postfix/smtpd[6114]: 02A962017D4B: client=mail-oln040092253041.outbound.protection.outlook.com[40.92.253.41]

Jul 20 05:58:16 <my-server-ip> postfix/cleanup[6116]: 02A962017D4B: message-id=<HK0PR06MB2868FE5B0945AD8061C23776B8520@HK0PR06MB2868.apcprd06.prod.outlook.com>

Jul 20 05:58:16 <my-server-ip> postfix/qmgr[1913]: 02A962017D4B: from=<ernesttgdpender@outlook.com>, size=12372, nrcpt=2 (queue active)

Jul 20 05:58:16 <my-server-ip> postfix/pipe[6117]: 02A962017D4B: to=<me>@<my-domain>, orig_to=<me>@<my-domain>, relay=dovecot, delay=0.57, delays=0.55/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)

Jul 20 05:58:16 <my-server-ip> postfix/smtpd[6114]: disconnect from mail-oln040092253041.outbound.protection.outlook.com[40.92.253.41]

Email header

Return-Path: <ernesttgdpender@outlook.com>
Delivered-To: <me>@<my-domain>
Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-oln040092253041.outbound.protection.outlook.com [40.92.253.41])
by <my-mailserver> (Postfix) with ESMTPS id 02A962017D4B
for <me>@<my-domain>; Fri, 20 Jul 2018 05:58:15 +0930 (ACST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=IlBxuf2ZLh05mMk/H4w1BTOQa4+CmoMm2hMqJNFeH1I=;
b=RWSWViNPJnRsEAirkGlTFsC14MQ94q7K7chE7aStaKPTC8nxnhKDOBm67iGlAX7e02xp6mpjLBA762p8WU7cveh9UJxEDIiMix4usd/SxAikEBD7df3lQO10ptatycfQGieV8WMFYrseHfU6HxVNR3bH43BYNWgJprUOtC9vxKdx60GFeKZoDjWjaVQiGCDd+a3luJA8fOGqpHW+Ct68C6rsyDYE/9WbwDjmADWhP7fRjzlGFXuViPCiY0lkzowtODJ95lGYseB8ml9WkrdIW37Woy5zh4BSSwk8yiT9m2GTamFd+WpxfgHZJfm1N1a4ckMPs5r0rwtTYnjmlcIYjA==
Received: from SG2APC01FT117.eop-APC01.prod.protection.outlook.com
(10.152.250.51) by SG2APC01HT027.eop-APC01.prod.protection.outlook.com
(10.152.251.187) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.952.17; Thu, 19
Jul 2018 20:28:13 +0000
Received: from HK0PR06MB2868.apcprd06.prod.outlook.com (10.152.250.51) by
SG2APC01FT117.mail.protection.outlook.com (10.152.250.221) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.952.17 via
Frontend Transport; Thu, 19 Jul 2018 20:28:13 +0000
Received: from HK0PR06MB2868.apcprd06.prod.outlook.com
([fe80::d055:4d90:6f46:34d5]) by HK0PR06MB2868.apcprd06.prod.outlook.com
([fe80::d055:4d90:6f46:34d5%4]) with mapi id 15.20.0973.018; Thu, 19 Jul 2018
20:28:12 +0000
From: Lonnie Killip <ernesttgdpender@outlook.com>
To: “<me>@<my-domain>” <me>@<my-domain>
Subject: <me> – <old password>
Thread-Topic: <me> – <old password>
Thread-Index: AQHUH58CO4tIvvWliUC+BwtlOuFZPw==
Date: Thu, 19 Jul 2018 20:28:12 +0000
Message-ID: <HK0PR06MB2868FE5B0945AD8061C23776B8520@HK0PR06MB2868.apcprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:DEF7FFAA3509CB477B67633892F3FC4BF88D3F70B21EF005913B47663E7D7120;UpperCasedChecksum:3E8C400CF84C3C597C96F9B289F1FCF4093FFFB95C5ACBE0E8BA6D899C25BD6E;SizeAsReceived:6808;Count:43
x-tmn: [gebqJzZRv9XeXgkj1lbw2mTLjxgUf9xv]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;SG2APC01HT027;7:Fx2gLzCHm2mfbCegizpMgjFiXVVuuD8n3Qul4Vabhny3zvl8DBIax7v0ekZNFdHh380DFSAIzirH+sF/wcrQVN4cZ/TxohAIq0okGp9P9pY7as9lfqfOVyUciyOVSDTQZFp7OMvY/iC5dX7Q4trmICYM4SQKIlOm9rfOuZ84y0sWsa2lcS/kmFujjTLdZ5gnwzrPg2PjUquhOQoYkooZNRVVOrDtWGr3VcUe/kxfwDXRDRpV4bnhe2kxd6L/VYhs
x-incomingheadercount: 43
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125500)(1701031045);SRVR:SG2APC01HT027;
x-ms-traffictypediagnostic: SG2APC01HT027:
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(82015058);SRVR:SG2APC01HT027;BCL:0;PCL:0;RULEID:;SRVR:SG2APC01HT027;
x-forefront-prvs: 0738AF4208
x-forefront-antispam-report: SFV:NSPM;SFS:(7070007)(199004)(189003)(486006)(68736007)(2900100001)(6436002)(99286004)(26005)(97736004)(2501003)(105586002)(106356001)(2351001)(87572001)(7696005)(104016004)(5250100002)(25786009)(55016002)(54896002)(5640700003)(14454004)(33656002)(102836004)(53906005)(6346003)(14444005)(5660300001)(20460500001)(476003)(256004)(82202002)(86362001)(8936002)(1730700003)(6916009)(8676002)(426003)(74316002)(81156014)(56003)(19627235002)(10156002)(551544002)(173224004)(98824002)(42262002);DIR:OUT;SFP:1901;SCL:1;SRVR:SG2APC01HT027;H:HK0PR06MB2868.apcprd06.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:;
received-spf: None (protection.outlook.com: outlook.com does not designate
permitted sender hosts)
authentication-results: spf=none (sender IP is )
smtp.mailfrom=ernesttgdpender@outlook.com;
x-microsoft-antispam-message-info: arijTiCiK4kZkCu8/T7W69tnxEgSlFRu+drROB9nI6BDqQl+Rm81vjm1KGU3zyx422h5D/JCXOdd+o7WFk1RcNgYwCIwG3R+fGGoD8vnMqWU3umrJT/bGNaB3E91LiTo3pYMkTf98Fo53nA+iPFDV9tXoVy4/Wlr9SU1MEjZwlhhwoVbmVr+SEpk1L8oxuh2aiIlyY1mAy+x21WAjzHEqDk4hB7h4aUeZmTdcu3zHbs=
Content-Type: multipart/alternative;
boundary=”_000_HK0PR06MB2868FE5B0945AD8061C23776B8520HK0PR06MB2868apcp_”
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 5dab7a8a-ebdc-4bd9-9cfd-67cde50b170b
X-MS-Exchange-CrossTenant-Network-Message-Id: 60e021e1-ecf6-4aa5-11a9-08d5edb62694
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 5dab7a8a-ebdc-4bd9-9cfd-67cde50b170b
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2018 20:28:12.9171
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SG2APC01HT027

Email message

Let’s get straight to the point. I’m aware <old password> is your password. More importantly, I know your secret and I’ve evidence of it. You don’t know me and no one employed me to investigate you.

It’s just your hard luck that I stumbled across your bad deeds. Well, I actually installed a malware on the adult video clips (porn) and you visited this website to have fun (you know what I mean). When you were watching video clips, your internet browser began operating as a Rdp (Remote desktop) that has a keylogger which provided me with access to your screen as well as webcam. Right after that, my software program obtained every one of your contacts from your messenger, facebook, and e-mail.

After that I gave in much more time than I should’ve looking into your life and created a two screen video. First part shows the recording you had been watching and second part displays the view from your webcam (its you doing inappropriate things).

Frankly, I want to forget details about you and let you continue with your daily life. And my goal is to present you 2 options which will make it happen. Those two choices are to either ignore this letter, or perhaps pay me $ 3900. Let’s explore above two options in details.

First Option is to ignore this e-mail. You should know what will happen if you select this option. I will send out your video to your entire contacts including relatives, colleagues, and so on. It will not save you from the humiliation your self will need to face when relatives and buddies learn your unpleasant videos from me.

Option 2 is to make the payment of $ 3900. We will name it my “privacy fee”. I will explain what happens if you choose this choice. Your secret will remain your secret. I’ll erase the video immediately. You go on with your routine life like none of this ever happened.

Now you may be thinking, “I will go to the cops”. Let me tell you, I’ve covered my steps to ensure that this email can’t be tracked back to me and yes it will not steer clear of the evidence from destroying your daily life. I’m not trying to dig a hole in your pocket. I am just looking to get paid for time I put in investigating you. Let’s assume you have decided to produce this all go away and pay me the confidentiality fee. You’ll make the payment via Bitcoins (if you don’t know how, search “how to buy bitcoins” in search engine)

Transfer Amount: $ 3900
Bitcoin Address to Send to: 1B4ox92miD4EJbL6CmJLkGFKnJYhs8vi8
(It’s cASe sensitive, so copy and paste it)

Share with no one what will you be utilising the Bitcoins for or they may not sell it to you. The process to obtain bitcoins can take a few days so do not put it off.
I have a special pixel within this email, and at this moment I know that you have read this mail. You now have 24 hours in order to make the payment. If I do not receive the BitCoin, I will send your video to all of your contacts including friends and family, colleagues, and so on. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll destroy the video and all other proofs immediately. It’s a non-negotiable offer, so don’t waste my personal time and yours. Your time has started.

Outlook.com response to my reports so far

After reporting the above, I received the following automated response from outlook.com. I’m curious how long I’ll keep receiving the extortion attempts.

You recently reported a message as junk or abuse. We wanted to thank you and let you know that your report has been received.

If you need anything else, please visit the Microsoft Community at http://answers.microsoft.com/

Sincerely,

Outlook.com Team

Microsoft

One Microsoft Way. Redmond, WA 98052, USA.
