Analysis of the available data on the January attack, in which virtual threats had to be responded to for real

    In past years, centralized attacks were carried out using IP telephony; now there is a new round, this time using e-mail. Let us analyze the available electronic data on this attack.

    Updated information on 02/01/2019.


    2017: “The anonymity of the call is ensured by the fact that an attacker, using IP telephony, can substitute any caller number, including the numbers of real uninvolved subscribers from anywhere in the world. This IP telephony feature makes it difficult for security officials to work. The connection of an IP-telephony voice gateway to the networks of telecom operators often occurs illegally, with substitution of the caller’s number, IP addresses and other identifiers.”

    2019: According to the press services of the administrations and to staff of medical institutions and schools in various regions and cities, their e-mail received messages containing threats and demands to perform certain actions.

    Law enforcement agencies, together with the executive authorities, began to act within their powers, which meant checking every message.

    The institutions listed in the text of the letters began emergency measures.

    None of the threats received were confirmed, and the institutions resumed work in full.

    Initial data:
    Let us try to abstract from the situation as a whole and go through the points of some e-mails that were published in open access, photos of which are presented below.

    There is no information on the “service headers” (message headers) of these letters.

    Data analysis:

    All e-mails were sent using the free mail service mailfence dot com, which positions itself as a “secure and confidential email service.”

    At the moment, some providers in the Russian Federation have restricted access to this service.

    We will try to access this service and register. We get this refusal:

    With a VPN plug-in, you can get a little further and register:

    However, these are the only choices of e-mail domain we are now offered:

    Thus, there is a suspicion that the e-mail addresses used in the attack were created on this service quite a long time ago, when it was still possible to choose a different domain name. This means the attack was not spontaneous: a pool of addresses was created in advance.

    And why would we need to create a mailbox on this service at all?

    When registering, you must specify a working e-mail address, to which a link confirming registration with the service will be sent.

    Next, we check how the password reset process works in this service.

    Enter your username and/or your e-mail address:
    (in the test case we have and we get:

    To reset your password, an e-mail was sent to:

    Thus, we can find out the first three characters of the user name and the last 5 characters of the second-level mail domain (thanks to michaelkl for the comment!).
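The behaviour described above is a classic account-existence oracle: the reset reply differs depending on whether the identifier exists and leaks part of the recovery address. The following is an added example, not code from the article or from the mail service it discusses; the account data is constructed, the function names are mine, and the mask format (first 3 characters of the local part, last 5 of the domain) simply follows the article's observation. It puts the leaky reply next to a uniform one and includes a check a developer can run against either handler.

```python
"""Password-reset replies: account-existence oracle vs. uniform response.

Added example (not the article's or the service's code). Accounts below are
constructed sample data; the mask shape mirrors the article's description.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str        # login at the mail service
    address: str         # mailbox address at the service
    recovery_email: str  # external address a reset link is sent to


# Constructed sample accounts (placeholder domains, not real addresses).
ACCOUNTS = [
    Account("alpha-user", "alpha-user@mail.example", "joon@tempbox.example"),
    Account("beta-user", "beta-user@mail.example", "budget@otherbox.example"),
]


def mask_recovery_address(recovery_email: str) -> str:
    """Mask as the article observed: 3 leading characters of the local part
    and the 5 trailing characters of the domain stay visible."""
    local, _, domain = recovery_email.partition("@")
    return f"{local[:3]}***@***{domain[-5:]}"


def _lookup(identifier: str) -> Optional[Account]:
    for acct in ACCOUNTS:
        if identifier in (acct.username, acct.address):
            return acct
    return None


def reset_response_leaky(identifier: str) -> str:
    """Reveals both whether the identifier exists and part of the recovery
    address; this is the pattern the article exploits for reconnaissance."""
    acct = _lookup(identifier)
    if acct is None:
        return "To reset your password, it was not sent"
    return ("To reset your password, an e-mail was sent to: "
            + mask_recovery_address(acct.recovery_email))


UNIFORM_REPLY = ("If an account matches, a reset link has been sent "
                 "to its recovery address.")


def reset_response_uniform(identifier: str) -> Tuple[str, bool]:
    """Same text for every input. The boolean is the internal send decision,
    meant for server-side logging only and never returned to the client."""
    acct = _lookup(identifier)
    return UNIFORM_REPLY, acct is not None


def responses_distinguish(handler: Callable[[str], str],
                          known: str = "alpha-user",
                          unknown: str = "no-such-user") -> bool:
    """Developer check: does the handler answer differently for an existing
    and a non-existing identifier? True means it is an enumeration oracle."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print(reset_response_leaky("alpha-user"))
    print(reset_response_leaky("no-such-user"))
    print(reset_response_uniform("alpha-user")[0])
    print("leaky handler is an oracle:", responses_distinguish(reset_response_leaky))
    print("uniform handler is an oracle:",
          responses_distinguish(lambda i: reset_response_uniform(i)[0]))
```

The uniform handler still sends the link only when an account matches; what changes is that the client-visible reply, its timing aside, no longer depends on that decision. Rate limiting reset requests per source and per identifier is the usual companion control.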

    Moreover, when requesting a password reset, you can specify either a username or an e-mail.

    And for the addresses from the sent e-mails, when requesting a password reset, only the e-mail can be specified.
    was sent to:
    To reset your password, it was not sent:

    A single thread leads to
    To reset your password, an e-mail was sent to:

    Here you could search for the full address, but it would take a long time:

    This address, by the way, stands out from the whole list by the fact that it has a connection with

    Another address is in the same

    There is a suspicion that this is an imitator who, riding the wave of the mass mailing, also contributed, but with mercenary purposes: to carry out their own intent on site amid the confusion of events (theft, deletion of data while no one is around, etc.).

    Further, if there are digits somewhere in the address, then by slightly changing or removing them we can still check these addresses:
    To reset your password, an e-mail was sent to:
    poc***@***
    To reset your password, an e-mail was sent to:
    To reset your password, an e-mail was sent to:
    To reset your password, an e-mail was sent to:

    Thus, you can still expect to receive letters from these e-mail addresses.

    And here, nevertheless, the service temp-mail dot org was used for registration at mailfence dot com:

    As a result, two different mail services were used across eight e-mail addresses.

    Addendum: new letters also come from the free mail server mail dot bg.
    To reset your password, an e-mail was sent to:

    Data from Mosigra:
    To reset your password, an e-mail was sent to:

    How the victims were chosen for the attack: the mailing lists show that the addresses were copied from the websites of state institutions or entered manually, because this data is in the public domain.

    The number of simultaneous recipients per letter (2, 6, 10) is small, so that mail servers do not throttle the distribution and the letters do not land in the “Spam” folder.

    Excerpts from the service headers:
    Received: from ( [])
    (Client certificate not present)
    domain of designates as permitted sender,
    rule=[ip4:]); dkim=pass
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
    X-Priority: 3
    Reply-To: Putin FSB <>
    From: Putin FSB <>
    X-Mailer: ContactOffice Mail
    X-ContactOffice-Account: com:188677102

    Received: from ([])
    by with LMTP id a6sJli0I
    for <>; Tue, 5 Feb 2019 11:00:14 +0300
    Received: from ( [])
    by (nwsmtp/Yandex) with ESMTPS id jttuF4mQRo-0DAa1MBL;
    Tue, 05 Feb 2019 11:00:13 +0300
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (Client certificate not present)
    X-Yandex-TimeMark: 1549353613
    Authentication-Results:; spf=pass ( domain of designates as permitted sender, rule=[ip4:]); dkim=pass
    X-Yandex-Spam: 2
    X-Yandex-Fwd: MzM4MDAwNDcyNDYzOTM2Mzg1OSwyMTg3Njc1NDQ5ODIwMzIwNzMz
    Received: from ( [])
    by (Postfix) with ESMTP id 16350329D;
    Tue, 5 Feb 2019 09:00:13 +0100 (CET)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
    s=20160819-nLV10XS2; t=1549353613;
    Date: Tue, 5 Feb 2019 09:00:10 +0100 (CET)
    Message-ID: <>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: base64
    Subject: =?utf-8?B?0L7RgtCy0LXRgiDQvdCwINC30LDQv9GA0L7RgQ==?=
    X-Priority: 3
    Reply-To: laki kak <>
    From: laki kak <>
    X-Mailer: ContactOffice Mail
    X-ContactOffice-Account: com:190697286
    X-Yandex-Forward: c4503a689c840ee5c1704413e6045827


    Wherever possible, system administrators of institutions should check e-mail more often, create a filter that moves letters from “mailfence dot com” into a separate folder, immediately report them in accordance with their job descriptions, and save the service headers and all data for further analysis.
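One way to implement that recommendation, as an added example that is not code from the article or from any mail provider it mentions: parse the raw headers with Python's standard `email` package, walk the Received chain oldest-first, read the SPF/DKIM verdicts from Authentication-Results, and route anything from a watch-listed sender domain to a holding folder while keeping the full headers for the report. The raw message is constructed to mirror the shape of the excerpt quoted above (Postfix relay, Yandex MX, LMTP delivery, ContactOffice X-Mailer); hostnames, IPs and addresses are placeholders, and only the encoded Subject value is taken from the article's excerpt.

```python
"""Header triage for inbound mail: Received chain, auth results, watch-list.

Added example, not the article's code. RAW_MESSAGE is constructed; hosts,
IPs and addresses are placeholders (documentation ranges, .example names).
"""
import email
import re
from email import policy
from typing import Dict, List, Tuple

# Constructed sample modelled on the article's header excerpt.
RAW_MESSAGE = """\
Received: from mx1.example.net ([192.0.2.10])
\tby imap-store.example.net with LMTP id a6sJli0I
\tfor <secretary@school.example>; Tue, 5 Feb 2019 11:00:14 +0300
Received: from relay.sender.example ([198.51.100.7])
\tby mx1.example.net (nwsmtp/Yandex) with ESMTPS id jttuF4mQRo-0DAa1MBL;
\tTue, 05 Feb 2019 11:00:13 +0300
Authentication-Results: mx1.example.net; spf=pass (domain of mailfence.com designates 198.51.100.7 as permitted sender, rule=[ip4:198.51.100.7]); dkim=pass
Received: from webmail.sender.example (webmail.sender.example [203.0.113.5])
\tby relay.sender.example (Postfix) with ESMTP id 16350329D;
\tTue, 5 Feb 2019 09:00:13 +0100 (CET)
Date: Tue, 5 Feb 2019 09:00:10 +0100 (CET)
Message-ID: <placeholder-id@mailfence.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Subject: =?utf-8?B?0L7RgtCy0LXRgiDQvdCwINC30LDQv9GA0L7RgQ==?=
Reply-To: laki kak <placeholder-user@mailfence.com>
From: laki kak <placeholder-user@mailfence.com>
X-Mailer: ContactOffice Mail
X-ContactOffice-Account: com:190697286

(body omitted)
"""

# Domain the article recommends filtering into a separate folder.
WATCHLIST_DOMAINS = {"mailfence.com"}
HOLD_ACTION = "move to 'suspect-mailings' folder and report with full headers"


def sender_domain(msg) -> str:
    """Domain of the first From: address, lower-cased ('' if absent)."""
    hdr = msg["From"]
    return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""


def received_hops(msg) -> List[Tuple[str, str]]:
    """(from_host, by_host) per Received header, oldest hop first.
    Headers are prepended by each MTA, so the last one is the origin."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", text)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def auth_results(msg) -> Dict[str, str]:
    """spf/dkim/dmarc verdicts from Authentication-Results, if present."""
    text = str(msg["Authentication-Results"] or "")
    return {mech: m.group(1).lower()
            for mech in ("spf", "dkim", "dmarc")
            for m in [re.search(rf"\b{mech}=(\w+)", text)] if m}


def triage(raw: str) -> dict:
    """Parse headers and decide whether the message is held for analysis."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    auth = auth_results(msg)
    rt = msg["Reply-To"]
    reply_domain = rt.addresses[0].domain.lower() if rt and rt.addresses else domain
    reasons = []
    if domain in WATCHLIST_DOMAINS:
        reasons.append(f"sender domain {domain} is on the watch-list")
    if reply_domain != domain:
        reasons.append("Reply-To domain differs from From domain")
    if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
        reasons.append("SPF/DKIM did not both pass")
    return {
        "subject": str(msg["Subject"]),       # encoded-word decoded by the policy
        "sender_domain": domain,
        "auth": auth,
        "hops": received_hops(msg),
        "x_mailer": str(msg["X-Mailer"] or ""),
        "action": HOLD_ACTION if reasons else "deliver",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for k, v in triage(RAW_MESSAGE).items():
        print(f"{k}: {v}")
```

Note what the sample shows: SPF and DKIM both pass, exactly as in the quoted headers, because the letters really were sent through the provider's own servers. Authentication results therefore cannot be the filter criterion here; the watch-listed sender domain is, and the hop list plus X-Mailer/X-ContactOffice-Account are what the report should preserve.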


    The same question again: why are so many e-mail addresses used in the mailings?

    The answer is simple: the Achilles' heel of the service used is the monetization of its services and the possibility of registering via one-time mailboxes (disposable mail services).

    1. So, most likely, all accounts used for the mailing are now on a free plan, which includes only 500 MB of mail storage.

    If such a mailbox is “filled up” with messages with attachments and overflows, it will first have to be cleaned out before further mailing is possible. Paid plans mean payment for services and, with it, disclosing your bank details.

    So, you can help with this by sending letters as large as possible to the addresses below.
    kiano .lok @

    2. Taking control of mailboxes by resetting the password and picking the login through a one-time mail service.

    Theoretically, it is possible to get access to the mailboxes listed in item 1 if you can perform a large number of actions:
    - pick the desired login and domain in temp-mail dot org
    - send a password reset request for the mailfence dot com address
    - receive the password reset letter in temp-mail dot org
    - log in to the mailfence dot com account

    Data for the selection (where * is one or more characters, most likely 1-4 Latin letters, in the user name):

    Difficult situation:
    password reset - putin.fsb1 @
    one-time mail service - joo*
    one-time mail service - joo*@b
    one-time mail service - joo*

    password reset -
    one-time mail service - bud*
    one-time mail service - bud*
    one-time mail service - bud*@utooemail .com

    Only one domain to check:

    password reset -
    disposable mail service - kul*

    password reset -
    disposable mail service - bep*

    reset password -
    disposable mail service - bbl*

    3. Alternatively, by searching (pressing the “delete” button in the service) through the automatically suggested logins (4-8 characters long), find among the proposed new logins something that starts with kul / bep / bbl / bud / joo.

    Item 3 can be implemented by software methods.

    If anyone is interested and manages to gain access to at least one mailbox by large-scale brute forcing of the login in the one-time mail service, and can stop (block) the mailing from it, that will be great.

    We will not dwell on the linguistic and stylistic analysis of the letters' content, although, together with the spelling errors and some consonant syllables in the text, there is something to think about. However, it is possible that this dialect was introduced into the text deliberately, in order to cast suspicion on someone.

    This article concerns analytical topics; in the comments, please follow the rules of the resource and stay within the generally accepted framework.
