hacker email

One fine day I received a threatening email from a "hacker". The email was sent to kontak[at]kaklabs[dot]com, and when I checked the sender it turned out to be kontak[at]kaklabs[dot]com as well. Its content was as follows:

Email subject:

you are infected

Message body:

Hi, your account is infected! Change your pswd right this moment! You may not heard about me and you really are most probably wondering why you are receiving this particular letter, is it right? I’m hacker who burst your email and OS several months ago. It will be a time wasting to try to talk to me or look for me, in fact it’s not possible, since I sent you this message using YOUR hacked account. I’ve set up special program to the adult vids (porno) site and guess that you have spent time on this website to have fun (think you understand what I really mean). When you have been keeping an eye on vids, your browser began operating as a RDP (Remote Control) that have a keylogger that provided me the ability to access your desktop and webcam. Next step, my software program got all data. You wrote passcodes on the online resources you visited, I caught all of them. Needless to say, it’s possible to change them, or have already changed them. However it doesn’t matter, my app updates needed data every time. What actually did I do? I got a backup of the system. Of all the files and each contact. I got a dual-screen movie. The 1 section presents the clip that you were watching (you have got an interesting taste, ahah…), and the 2nd part presents the tape from your webcam. What must you do? Good, in my opinion, 1000 USD is a good price for this little secret. You will make the payment by bitcoins (if you do not recognize this, try to find “how to buy bitcoin” in Google). My bitcoin wallet address: 1LAWGnA2K5njVSshERU9bcUSrW2YWwtXs1 (It is cAsE sensitive, so just copy and paste it). Attention: You have 2 days to perform the payment. (I have an exclusive pixel to this letter, and at this time I understand that you have read through this email). To track the reading of a message and the actions in it, I set up a Facebook pixel. Thanks to them. (Everything that can be used for the authorities may also help us.)

In case I do not get bitcoins, I will undoubtedly direct your video to all your contacts, including family members, colleagues, and so forth?

By using the same address for both sender and recipient, the "hacker" wanted to give the impression that he had successfully logged in to my email account.

The email made me curious, so I decided to trace its sender using the email headers.

Every email that is sent carries a header containing information about its sender and the servers it passed through. Here is how to obtain the header information in Gmail:

  1. Open the email whose header you want to inspect.
  2. Next to Reply, click the Down arrow.
  3. Click Show original.
  4. Copy the text on the page.
  5. Open the Message header tool.
  6. In the "Paste email header here" box, paste your header.
  7. Click Analyze the header above.

If you use Yandex Mail:

  1. Open the message.
  2. Click the "…" icon.
  3. Select "Message Properties".

After obtaining the header data, I did two things: trace the email, and compare its header with that of an email I sent myself.

How to Trace the Email

I used the service at https://whatismyipaddress.com/trace-email to analyse the email header. The output below is the tool's own report; the lines starting with "IP address ... was ignored" are the tool's notes about hops it skipped because the address is not globally routable:

Received: from mxfront6g.mail.yandex.net ([127.0.0.1]) by mxfront6g.mail.yandex.net with LMTP id CboZ0k7Y for <kontak@kaklabs.com>; Wed, 20 Feb 2019 23:37:40 +0300
Received: from extsmtp74.orange.ci (extsmtp74.orange.ci [196.201.64.74]) by mxfront6g.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id mtWjL9I9J5-bcrmdAEq; Wed, 20 Feb 2019 23:37:39 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (Client certificate not present)
Return-Path: gchalloub@gidci.com
X-Yandex-Front: mxfront6g.mail.yandex.net
X-Yandex-TimeMark: 1550695059
X-Yandex-Spam: 2
X-Yandex-Fwd: MzI0OTM5NDgzMDc4NTEzNjUwMCwxNzgwMDg1MTE2ODA5NzQ4NTg5Ng==
Received: from ictmessmta1.ictmess-orange.ci (ictmessmta1.ictmess-orange.ci [196.201.92.139]) by extsmtp74.orange.ci with ESMTP id x1KKbLB8021241-x1KKbLBH021241 for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:37:37 GMT
Received: from localhost (localhost [127.0.0.1]) by ictmessmta1.ictmess-orange.ci (Postfix) with ESMTP id 9D3C2203969 for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:36:43 +0000 (GMT)
IP address 127.0.0.1 was ignored because it is a Loopback address.
X-Virus-Scanned: amavisd-new at ictmess-orange.ci
Received: from ictmessmta1.ictmess-orange.ci ([127.0.0.1]) by localhost (ictmessmta1.ictmess-orange.ci [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id fvZc6OH_Tkhx for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:36:42 +0000 (GMT)
IP address 127.0.0.1 was ignored because it is a Loopback address.
Received: from [85-15-42-208.shatel.ir] (unknown [172.31.0.5]) by ictmessmta1.ictmess-orange.ci (Postfix) with ESMTPA id E58CA20396E for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:36:41 +0000 (GMT)
IP address 172.31.0.5 was ignored because it is a Private-Use Network address.
From: <kontak@kaklabs.com>
X-Complaints-To: <abuse@gidci.com>
Message-ID: <39A8A8A2570AB87E06B318DA2C08E5B2@C8CA67ED>
X-Mailer: Kegsnab
Date: Wed, 20 Feb 2019 21:36:41 +0100
To: kontak@kaklabs.com
List-Subscribe: <https://gidci.com/lists/?p=subscribe>
X-CSA-Complaints: whitelist-complaints@gidci.com
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
Subject: kontak
Errors-To: "wgnoz" <no-reply@gidci.com>
X-Yandex-Forward: f0ae30341f4946c81d5613d9d8957648

Source:
The source host name is "ictmessmta1.ictmess-orange.ci" and
the source IP address is 196.201.92.139.

The sender's IP address is therefore 196.201.92.139. Next I looked up that IP address via https://tools.kaklabs.com/ip-address-lookup.html?ip=196.201.92.139, with the following result:

Name          Value
IP Address    196.201.92.139
ASN           AS29571 ORANGE COTE D’IVOIRE
ISP           Orange Côte d’Ivoire
Country Code  CI
Latitude      5.30406
Longitude     -4.00871
Timezone      Africa/Abidjan
Address       Avenue 17, Nanan Yamousso, Zone 2b, Treichville, Abidjan, ABIDJAN 01, Côte d’Ivoire

The result from https://whatismyipaddress.com/ip/196.201.92.139 is not much different:

Name          Value
IP            196.201.92.139
Decimal       3301530763
Hostname      ictmessmta1.ictmess-orange.ci
ASN           29571
ISP           Orange Cote d’Ivoire
Organization  Orange Cote d’Ivoire
Services      None detected
Type          Broadband
Assignment    Static IP
Blacklist     -
Continent     Africa
Country       Ivory Coast
Latitude      8  (8° 0′ 0.00″ N)
Longitude     -5  (5° 0′ 0.00″ W)

Comparing with the Header of an Email I Sent Myself

Next I compared the threat email with the header of an email I sent to myself, whose body was just the words "hello world". Here is the comparison.

Header of the Hacker's Threat Email

Received: from mxfront6g.mail.yandex.net ([127.0.0.1])
	by mxfront6g.mail.yandex.net with LMTP id CboZ0k7Y
	for <kontak@kaklabs.com>; Wed, 20 Feb 2019 23:37:40 +0300
Received: from extsmtp74.orange.ci (extsmtp74.orange.ci [196.201.64.74])
	by mxfront6g.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id mtWjL9I9J5-bcrmdAEq;
	Wed, 20 Feb 2019 23:37:39 +0300
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
	(Client certificate not present)
Return-Path: gchalloub@gidci.com
X-Yandex-Front: mxfront6g.mail.yandex.net
X-Yandex-TimeMark: 1550695059
X-Yandex-Spam: 2
X-Yandex-Fwd: MzI0OTM5NDgzMDc4NTEzNjUwMCwxNzgwMDg1MTE2ODA5NzQ4NTg5Ng==
Received: from ictmessmta1.ictmess-orange.ci (ictmessmta1.ictmess-orange.ci [196.201.92.139])
	by extsmtp74.orange.ci  with ESMTP id x1KKbLB8021241-x1KKbLBH021241
	for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:37:37 GMT
Received: from localhost (localhost [127.0.0.1])
	by ictmessmta1.ictmess-orange.ci (Postfix) with ESMTP id 9D3C2203969
	for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:36:43 +0000 (GMT)
X-Virus-Scanned: amavisd-new at ictmess-orange.ci
Received: from ictmessmta1.ictmess-orange.ci ([127.0.0.1])
	by localhost (ictmessmta1.ictmess-orange.ci [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id fvZc6OH_Tkhx for <kontak@kaklabs.com>;
	Wed, 20 Feb 2019 20:36:42 +0000 (GMT)
Received: from [85-15-42-208.shatel.ir] (unknown [172.31.0.5])
	by ictmessmta1.ictmess-orange.ci (Postfix) with ESMTPA id E58CA20396E
	for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:36:41 +0000 (GMT)
From: <kontak@kaklabs.com>
X-Complaints-To: <abuse@gidci.com>
Message-ID: <39A8A8A2570AB87E06B318DA2C08E5B2@C8CA67ED>
X-Mailer: Kegsnab
Date: Wed, 20 Feb 2019 21:36:41 +0100
To: kontak@kaklabs.com
List-Subscribe: <https://gidci.com/lists/?p=subscribe>
X-CSA-Complaints: whitelist-complaints@gidci.com
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
Subject: kontak
Errors-To: "wgnoz" <no-reply@gidci.com>
X-Yandex-Forward: f0ae30341f4946c81d5613d9d8957648

Header of My Own Email

Received: from mxback11g.mail.yandex.net ([127.0.0.1])
	by mxback11g.mail.yandex.net with LMTP id YRX3MAld
	for <kontak@kaklabs.com>; Thu, 21 Feb 2019 02:59:11 +0300
Received: from mxback11g.mail.yandex.net (localhost.localdomain [127.0.0.1])
	by mxback11g.mail.yandex.net (Yandex) with ESMTP id 8386738212DB
	for <kontak@kaklabs.com>; Thu, 21 Feb 2019 02:59:11 +0300 (MSK)
X-Yandex-Internal: 1
Received: from localhost (localhost [::1])
	by mxback11g.mail.yandex.net (nwsmtp/Yandex) with ESMTP id WHogrSYxc1-xAgWbEQj;
	Thu, 21 Feb 2019 02:59:11 +0300
X-Yandex-Front: mxback11g.mail.yandex.net
X-Yandex-TimeMark: 1550707151
X-Yandex-Spam: 1
X-Yandex-Sender-Uid: 1130000020756675
Received: by iva8-3af116a85b74.qloud-c.yandex.net with HTTP;
	Thu, 21 Feb 2019 02:59:10 +0300
From: KAK Labs <kontak@kaklabs.com>
To: KAK Labs <kontak@kaklabs.com>
Subject: kontak
MIME-Version: 1.0
X-Mailer: Yamail [ http://yandex.ru ] 5.0
Date: Thu, 21 Feb 2019 06:59:10 +0700
Message-Id: <20740691550707150@iva8-3af116a85b74.qloud-c.yandex.net>
Content-Transfer-Encoding: 7bit
Content-Type: text/html
Return-Path: kontak@kaklabs.com
X-YandexSms-Digest: a6b636ba54b9c0a767601d3385921e10

<div xmlns="http://www.w3.org/1999/xhtml">hello world</div>

Comparing the two headers, the email I sent myself differs in several ways. It has:

  1. A shorter header.
  2. An X-Mailer of Yamail [ http://yandex.ru ] 5.0.
  3. Received lines whose host names start with mxback.
  4. No List-Subscribe header, and no information from any domain other than Yandex's.
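The two checks done by hand above (walking the Received chain to the first public IP, then comparing the threat email's headers with those of a known-good email) can be scripted. The following Python is an added example and is not code from the original post; it only uses the standard library. The two header constants are copied from the headers shown above (the second one trimmed to the relevant lines), and the signal names in header_signals are my own labels for the author's four observations:

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Headers of the threat email, copied from the post (continuation lines indented).
SCAM_HEADERS = """Received: from mxfront6g.mail.yandex.net ([127.0.0.1])
    by mxfront6g.mail.yandex.net with LMTP id CboZ0k7Y
    for <kontak@kaklabs.com>; Wed, 20 Feb 2019 23:37:40 +0300
Received: from extsmtp74.orange.ci (extsmtp74.orange.ci [196.201.64.74])
    by mxfront6g.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id mtWjL9I9J5-bcrmdAEq;
    Wed, 20 Feb 2019 23:37:39 +0300
Return-Path: gchalloub@gidci.com
Received: from ictmessmta1.ictmess-orange.ci (ictmessmta1.ictmess-orange.ci [196.201.92.139])
    by extsmtp74.orange.ci  with ESMTP id x1KKbLB8021241-x1KKbLBH021241
    for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:37:37 GMT
Received: from localhost (localhost [127.0.0.1])
    by ictmessmta1.ictmess-orange.ci (Postfix) with ESMTP id 9D3C2203969
    for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:36:43 +0000 (GMT)
X-Virus-Scanned: amavisd-new at ictmess-orange.ci
Received: from ictmessmta1.ictmess-orange.ci ([127.0.0.1])
    by localhost (ictmessmta1.ictmess-orange.ci [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id fvZc6OH_Tkhx for <kontak@kaklabs.com>;
    Wed, 20 Feb 2019 20:36:42 +0000 (GMT)
Received: from [85-15-42-208.shatel.ir] (unknown [172.31.0.5])
    by ictmessmta1.ictmess-orange.ci (Postfix) with ESMTPA id E58CA20396E
    for <kontak@kaklabs.com>; Wed, 20 Feb 2019 20:36:41 +0000 (GMT)
From: <kontak@kaklabs.com>
X-Mailer: Kegsnab
To: kontak@kaklabs.com
List-Subscribe: <https://gidci.com/lists/?p=subscribe>
Subject: kontak
"""

# Headers of the author's own test email, trimmed to the lines that matter here.
OWN_HEADERS = """Received: from mxback11g.mail.yandex.net (localhost.localdomain [127.0.0.1])
    by mxback11g.mail.yandex.net (Yandex) with ESMTP id 8386738212DB
    for <kontak@kaklabs.com>; Thu, 21 Feb 2019 02:59:11 +0300 (MSK)
Received: from localhost (localhost [::1])
    by mxback11g.mail.yandex.net (nwsmtp/Yandex) with ESMTP id WHogrSYxc1-xAgWbEQj;
    Thu, 21 Feb 2019 02:59:11 +0300
From: KAK Labs <kontak@kaklabs.com>
To: KAK Labs <kontak@kaklabs.com>
X-Mailer: Yamail [ http://yandex.ru ] 5.0
Return-Path: kontak@kaklabs.com
"""

# "from <host> <optional (comment)> by ..." inside one Received header.
HOP_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s", re.IGNORECASE)
# A bracketed IPv4 literal, as MTAs write the connecting client's address.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received chain oldest-first as (host, ipv4-or-None) tuples."""
    msg = email.message_from_string(raw)
    hops = []
    # Received headers are prepended by each MTA, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # e.g. "Received: by ... with HTTP" has no "from" part
        ip_m = IPV4_RE.search(m.group(1) + m.group(2))
        hops.append((m.group(1), ip_m.group(1) if ip_m else None))
    return hops


def is_routable(ip):
    """True for a globally routable address; loopback and RFC 1918 are skipped."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved)


def trace_origin(raw):
    """Earliest hop with a public IP: the same rule the trace tool above applies."""
    for host, ip in parse_hops(raw):
        if ip and is_routable(ip):
            return host, ip
    return None


def header_signals(raw):
    """Label the differences the author noticed between the two headers."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    rcpt = parseaddr(msg.get("To", ""))[1]
    signals = []
    if sender and sender == rcpt:
        signals.append("from-equals-to")
    bounce = parseaddr(msg.get("Return-Path", ""))[1]
    if bounce and bounce.split("@")[-1] != sender.split("@")[-1]:
        signals.append("return-path-domain-mismatch")
    if msg.get("List-Subscribe"):
        signals.append("bulk-mailer-list-subscribe")
    if msg.get("X-Mailer", "") and not msg["X-Mailer"].startswith("Yamail"):
        signals.append("unexpected-x-mailer")
    return signals


if __name__ == "__main__":
    for name, raw in (("threat email", SCAM_HEADERS), ("own email", OWN_HEADERS)):
        print(name, "origin:", trace_origin(raw), "signals:", header_signals(raw))
```

For the threat email trace_origin returns ictmessmta1.ictmess-orange.ci / 196.201.92.139, because the two earlier hops (172.31.0.5 and 127.0.0.1) are not routable, and header_signals reports all four differences. For the author's own email the origin is None (every hop is a Yandex-internal loopback address) and the only signal is from-equals-to, which is expected since the author really did mail himself; this is why a From address alone proves nothing about who sent a message.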

How Was the Hacker's Threat Email Sent?

I do not know whether a ready-made tool was used or a custom program was written. When testing an application I have sent email to myself before, and the code needed is not long. Here is an example of code (Ruby, using the mail gem) for sending an email:

require 'mail'

# Delivery uses the mail gem's default method (SMTP to localhost port 25);
# point Mail.defaults at your own relay if you need a different one.
Mail.deliver do
  from     'me@example.com'
  to       'me@example.com'
  subject  'testing email'
  body     File.read('body.txt')              # message text read from a file
  add_file '/full/path/to/somefile.png'       # optional attachment
end

Conclusion

The conclusions from tracing the hacker's threat email and comparing it with the header of an email I sent myself are as follows:

  • The email was sent by someone through a server in Africa, via the host ictmessmta1.ictmess-orange.ci with IP address 196.201.92.139. Details about the owner of ictmessmta1.ictmess-orange.ci are given below.
  • The server with IP address 196.201.92.139 probably runs a program for sending email blasts.
  • The threat email is linked to the domain gidci.com. I could not find any information about this domain.
  • The genuine header of the email I sent myself is shorter, and its Received lines have host names starting with mxback.
  • The hacker's threat email has X-Mailer: Kegsnab, whereas the genuine header has X-Mailer: Yamail [ http://yandex.ru ] 5.0 and only mentions Yandex-related domains.
  • The hacker's threat email has List-Subscribe: https://gidci.com/lists/?p=subscribe, so it was probably sent with a tool normally used for email marketing.
  • A Google search for the bitcoin address 1LAWGnA2K5njVSshERU9bcUSrW2YWwtXs1 shows that I am not the only one who received this threat email.
  • For one reason or another, I had deliberately not enabled 2 Factor Authentication / 2FA (which uses SMS or Google Authenticator as an extra login step) on this particular email address. After receiving this threat email, however, there seems to be some urgency to enable 2FA to be safer.

Whois information for the domain ictmessmta1.ictmess-orange.ci that sent the email:

Domain Name: ictmess-orange.ci
Domain ID: 4745-CoCCA
WHOIS Server: whois.nic.ci
Updated Date: 2019-02-18T19:27:50.990Z
Creation Date: 2013-01-01T05:00:00.0Z
Registry Expiry Date: 2020-01-01T00:00:00.0Z
Domain Status: ok https://icann.org/epp#ok
Registrar: AVISO
Registrar Abuse Email: email@orange.com
Registrant ID: 57988-CoCCA
Registrant Name: Artci
Registrant Street: 18 BP 2203 Abidjan 18
Registrant Street: 18 BP 2203 Abidjan 18
Registrant City: Abidjan
Registrant Country: CI
Registrant Phone: +225.2034433463
Registrant Email: email@nic.ci
Admin ID: 57987-CoCCA
Admin Name: Artci
Admin Street: 18 BP 2203 Abidjan 18
Admin City: Abidjan
Admin Country: CI
Admin Phone: +225.20344373
Admin Email: email@nic.ci
Tech ID: 57987-CoCCA
Tech Name: Artci
Tech Street: 18 BP 2203 Abidjan 18
Tech City: Abidjan
Tech Country: CI
Tech Phone: +225.20344373
Tech Email: email@nic.ci
Name Server: webhosting.aviso.ci
Name Server: yakro.aviso.ci
Name Server: abidjan.aviso.ci
DNSSEC: unsigned