Quick & Dirty: Finding the domain behind a scam E-Mail and shutting it down

Standalone tools used: TracerouteNG / FOCA / Maltego / Nmap
Online tools used: IP Tracker & Blockchain

We all know the annoying scam E-Mails that flood our mailboxes. In recent months a new variant popped up: it claims to have filmed the victim masturbating while watching porn and threatens to release the video unless money is sent to a certain bitcoin wallet.

Though the E-Mail has all the red flags that mark it as a scam (bad wording, no proof or facts about the video, not addressed to the victim by name), people have paid money to various bitcoin wallets in the past.

After again receiving such an E-Mail, I saw something different this time: it was not a “throw-away” E-Mail address but an E-Mail address tied to an actually existing webpage/domain name called davidstephensusc.com (mail.davidstephensusc.com with an AX record also exists). This caught my attention, so I did some quick research to find out where the page is hosted, whether I could gather any additional information, and whether there was a possibility to shut down the domain for good.
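Before reaching for Maltego or Nmap, the first step of such a triage is usually to pull the sender domain, the mail hosts named in the Received headers and the wallet the victim is told to pay out of the raw message, and to check the red flags the post lists. The script below is an added example and not code from the original post or from the tools it names. The sample mail, the domain scammer-domain.example, the IP 203.0.113.10 and the wallet string are all constructed placeholders; the wallet regex only picks out candidate strings and does no base58 checksum validation, and the DNS resolver is injectable so the lookup step can be exercised offline.

```python
"""Triage a sextortion scam mail: extract the sender infrastructure and the
bitcoin wallet, score the red flags, and list the hosts worth resolving."""
import email
import re
import socket
from email import policy
from email.utils import parseaddr

# Constructed sample of the kind of mail the post describes. Every host name,
# IP address and the wallet string is a placeholder, not a real observation.
SAMPLE_MAIL = b"""Received: from mail.scammer-domain.example (mail.scammer-domain.example [203.0.113.10])
\tby mx.victim-mail.example with ESMTP id 4Q1aBc2
Return-Path: <bounce@scammer-domain.example>
From: "David" <david@scammer-domain.example>
To: <victim@victim-mail.example>
Subject: Your account was compromised
Content-Type: text/plain; charset="utf-8"

Hello, I have recorded you through your webcam while you watch porn video.
Send 700 USD in bitcoin to this wallet: 1ScamWaLLetPLacehoLderXYZabc123456
If no money is sent within 48 hours the video will be released to all contacts.
"""

# Candidate bitcoin addresses: legacy base58 (1.../3...) or bech32 (bc1...).
# This is a syntactic match only; checksum validation is deliberately omitted.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,87})\b")
# "from <host>" at the start of a Received header, and any bracketed IPv4.
RECEIVED_FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr: str) -> str:
    """Return the domain part of an e-mail address, lower-cased ('' if none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def parse_mail(raw: bytes) -> dict:
    """Extract sender domains, relay hosts/IPs, wallet candidates and the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    to_name, _ = parseaddr(str(msg.get("To", "")))
    received_hosts, received_ips = [], []
    for hdr in msg.get_all("Received", []):
        text = str(hdr).strip()
        m = RECEIVED_FROM_RE.match(text)
        if m:
            received_hosts.append(m.group(1).lower())
        received_ips.extend(IP_RE.findall(text))
    return {
        "from_domain": _domain(from_addr),
        "return_path_domain": _domain(return_path),
        "received_hosts": received_hosts,
        "received_ips": received_ips,
        "wallets": sorted(set(BTC_RE.findall(body))),
        "to_name": to_name,
        "body": body,
    }


def red_flags(info: dict) -> list:
    """Score the indicators the post names plus a header-consistency check."""
    flags = []
    body = info["body"].lower()
    if info["wallets"]:
        flags.append("demands payment to a bitcoin wallet")
    if any(w in body for w in ("webcam", "video", "porn")) and "release" in body:
        flags.append("threatens to release a claimed recording")
    name = info["to_name"].strip().lower()
    if not name or name not in body:
        flags.append("recipient not addressed by name")
    if info["return_path_domain"] and info["return_path_domain"] != info["from_domain"]:
        flags.append("From domain differs from Return-Path domain")
    return flags


def hosts_to_check(info: dict) -> list:
    """Deduplicated host names to resolve, in the order they were found."""
    seen, out = set(), []
    for h in [info["from_domain"], info["return_path_domain"], *info["received_hosts"]]:
        if h and h not in seen:
            seen.add(h)
            out.append(h)
    return out


def resolve_hosts(hosts, resolver=socket.gethostbyname) -> dict:
    """Map each host to an IPv4 address, or None if it does not resolve.
    The resolver is injectable so the function can run without network access."""
    result = {}
    for h in hosts:
        try:
            result[h] = resolver(h)
        except OSError:  # socket.gaierror is a subclass of OSError
            result[h] = None
    return result


if __name__ == "__main__":
    info = parse_mail(SAMPLE_MAIL)
    print("wallets:", info["wallets"])
    print("relay IPs:", info["received_ips"])
    print("red flags:", red_flags(info))
    print("hosts to resolve:", hosts_to_check(info))
```

The relay IPs and the resolved hosts are what you would then feed into whois and abuse-contact lookups when reporting the domain to its registrar or hosting provider; the wallet candidates are what you would check against a blockchain explorer to see whether anyone has already paid.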
