Hughesnet Community

Scary Email Scams...

MarkJFine
Professor


Just got a beaut...

 

Email claims to have captured me in a compromising video by hacking my webcam and will send it to everyone in my addressbook unless I send $1900 to his bitcoin account. Includes an old password of mine as 'proof'.

 

As if... Did a little research and apparently four people have already fallen for this. The Bitcoin account was flagged as fraudulent: https://bitcoinwhoswho.com/address/1JHwenDp9A98XdjfYkHKyiE3R99Q72K9X4

 

Came through an MS Outlook.com server, so I reported it to their abuse and legal and offered to assist in any prosecution. Let's see how far that goes (not expecting much).

 

Be careful out there folks...


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
GabeU
Distinguished Professor IV

@MarkJFine

 

Did it look like this?  

 

Capture.JPG

I blacked out a section due to it being a little too racy to be on here.

 

The hilarious thing is that the last time I used a webcam was to face time with my father through Yahoo Messenger.  It was about seven or eight years ago.  My laptop and notebook have their built in webcams covered with electrical tape.  

 

The password listed is correct, though one that I used on numerous, non sensitive websites.  When I say nonsensitive I mean nothing more than my name and email address and no financial information whatsoever.  They were also from years ago, before websites started needing more info.  Wikipedia, original Youtube, etc.  I started using real passwords for every site years ago, though there are almost certainly sites out there that still use that password.  I'll change the ones I can think of, if they still exist.  

 

And, interestingly enough, the bitcoin address isn't showing as fraudulent...yet.  

 

https://bitcoinwhoswho.com/address/1Abom759v2dr6oFnXvC395zWJz5qqLguZr

 

Edit:  I would so love to reply and request 80s synth music to be added to the alleged video before it's sent out.  😛 

maratsade
Distinguished Professor IV

So how are they doing this? Have they hacked your computers? 

 

Edit: Found this article about this scam:  https://techcrunch.com/2018/07/12/ransomware-technique-uses-your-real-passwords-to-trick-you/

GabeU
Distinguished Professor IV

@maratsade

 

Interesting read, and it makes sense with the password they posted.  Had they shown one from today I'd be a bit more nervous, though I would just change it and archive the email.  

maratsade
Distinguished Professor IV

 

 

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

 

Source:  https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

GabeU
Distinguished Professor IV

@maratsade

 

And the number of people who do and/or don't do those things is ridiculous.  When it comes to the bad guys getting people ignorance is the key, and there's still a lot of it out there, unfortunately.  

 

I still know someone who uses the same password for multiple things, including sites in which he divulges sensitive information.  When I warn him how dangerous that is, he uses the same password with one extra character, or something like that.  SMH.  It's scary stupid.  He's one of those people who isn't going to learn his lesson until he gets nailed, and even then, I don't know.  😞  

maratsade
Distinguished Professor IV

Password1

TrustNo1!

 

LOL

 

I imagine if they really want to get you, there are ways....

GabeU
Distinguished Professor IV


@maratsade wrote:

Password1

TrustNo1!

 

LOL

 

I imagine if they really want to get you, there are ways....


True, but one doesn't want to make it too easy for them.  Ya gotta make them at least work for it.  😛  

maratsade
Distinguished Professor IV

That's good advice.  Let these people make a good clever effort, at least.

 


@GabeU wrote:

 

I imagine if they really want to get you, there are ways....


True, but one doesn't want to make it too easy for them.  Ya gotta make them at least work for it.  😛  


 

maratsade
Distinguished Professor IV

This whole sextortion thing makes me miss the good old days of the Nigerian princes who needed people to keep their millions safe.


@maratsade wrote:

-Turn off [and/or cover] any web cameras when you are not using them.


Funny thing is that because we're behind a double NAT (the same reason why XBox Live doesn't work right) I doubt they could access our cameras if they wanted to... There is a silver lining here.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.

Yup, that's it.

 

You should know that the majority of what's in there is fake. They have nothing else on you - no video, no nothing. There is usually no active pixel image in the html, either (the kind that spams use to validate you've opened it - why you should never, ever download remote images in an email).

 

Your email/password combination was likely obtained from a prior breach posted to the dark web, and retrieved by whoever created this thing. Have to admit that combined with the text, it adds a pretense of credulity.

 

The bitcoin accounts are always valid, otherwise they'd have no way of getting compensated, and yes they are barely traceable back to the offender. Seems they've not received a dime on that account tho.

 

But, if you have the headers you can look at the first "received from" line, reverse lookup the IP and figure out what the last server was used to send it to you (anything past that in the headers is likely forged). You might want to forward to their abuse/legal team and hint at possibly prosecuting the illicit activity. That's what I did with Microsoft - they'll sit up and take notice of that.

 

My advice is to send it to the abuse/legal team of the server that sent it last as well as possibly the FBI via the link that's earlier in the thread. I would also definitely change any passwords - especially the one stated in the email. However, I would not do anything to engage these people in any way, not even jokingly, because you validate your existence and you don't know what they'll do as a response.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
maratsade
Distinguished Professor IV

"They have nothing else on you - no video, no nothing."

 

OR DO THEY??????? MUAHAHAHAHHAHAHA!

GabeU
Distinguished Professor IV


@MarkJFine wrote:

 

But, if you have the headers you can look at the first "received from" line, reverse lookup the IP and figure out what the last server was used to send it to you (anything past that in the headers is likely forged). You might want to forward to their abuse/legal team and hint at possibly prosecuting the illicit activity. That's what I did with Microsoft - they'll sit up and take notice of that.

 

My advice is to send it to the abuse/legal team of the server that sent it last as well as possibly the FBI via the link that's earlier in the thread. I would also definitely change any passwords - especially the one stated in the email. 


The only thing I could figure out to do in order to see anything more than the sender email address is to "View Message Source", and it shows a huge amount of info, all of which is foreign to me.  I don't know what it is I'm supposed to be looking for or seeing.  

maratsade
Distinguished Professor IV

There's all kinds of info in the message source, but one thing you see (I haven't looked at a message source in a long time, but I imagine they haven't changed much) is where the email comes from (gmail, for instance).  Sometimes there are IP addresses there too.  Most of the rest makes no sense to me, but I'll be happy to send it to the Feds. 

 


@GabeU wrote:

 


The only thing I could figure out to do in order to see anything more than the sender email address is to "View Message Source", and it shows a huge amount of info, all of which is foreign to me.  I don't know what it is I'm supposed to be looking for or seeing.  


 

The trick is to always look for the first "Received From" then there will be an IP in square brackets. That is the IP of the server that HELO'd your email server before it sent it. Everything else can be forged, including the servername that's supposed to be associated with the IP. Not likely the IP itself was forged during a HELO handshake.

 

Edit: Looks like this:
Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-sg2apc01hn0245.outbound.protection.outlook.com [104.47.125.245])


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
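
Added example (not part of any post in this thread): one way to pull the hand-off IP out of a saved message source, as described in the post above. It goes slightly beyond the post by skipping any internal hops with private addresses that a mail provider stamps on top. The sample message is constructed; only its second Received line comes from the thread, and every example.* name is an assumption.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample. Only the second Received line is taken from the thread;
# the internal hop, the forged bottom hop and all example.* names are made up.
RAW = """\
Received: from mx-internal.example.net (mx-internal.example.net [10.0.0.12])
 by mailstore.example.net with LMTP; Tue, 10 Jul 2018 09:15:04 -0400
Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-sg2apc01hn0245.outbound.protection.outlook.com [104.47.125.245])
 by mx.example.net with ESMTPS; Tue, 10 Jul 2018 09:15:02 -0400
Received: from trusted-bank.example (trusted-bank.example [203.0.113.7])
 by forged-relay.example; Tue, 10 Jul 2018 09:14:50 -0400
From: "Someone" <sender@example.com>
To: you@example.net
Subject: constructed sample

body
"""

# "from <HELO name> ( ... [ip])": the bracketed IP is what the receiving
# server saw on the connection; the HELO name is whatever the sender claimed.
HOP = re.compile(r"from\s+(?P<helo>\S+).*?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]", re.S)

def received_hops(raw):
    """Return (helo_name, ip) for each Received header, newest (top) first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received") or []:
        m = HOP.search(str(value))
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed text was not a valid address
        hops.append((m.group("helo"), ip))
    return hops

def handoff_ip(raw):
    """First public IP from the top: the server that handed the mail to your provider."""
    for helo, ip in received_hops(raw):
        if ip.is_global:  # skip the provider's own internal (private) hops
            return helo, str(ip)
    return None

if __name__ == "__main__":
    print(handoff_ip(RAW))
```

Headers below the returned hop were written by servers outside your provider's control, so treat them as unverified when deciding where to send an abuse report.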
GabeU
Distinguished Professor IV

@MarkJFine

@maratsade

 

I sent PMs to you two that included a picture of the info I think I'm supposed to be looking at.  I didn't want to post it in public for the reason given in the PMs.  

maratsade
Distinguished Professor IV

That part's missing from Gmail emails, right?  I thought Gmail didn't include the sender's IP in the header.

 


@MarkJFine wrote:

The trick is to always look for the first "Received From" then there will be an IP in square brackets. That is the IP of the server that HELO'd your email server before it sent it.


 


@maratsade wrote:

That part's missing from Gmail emails, right?  I thought Gmail didn't include the sender's IP in the header.


Hmmm. Haven't noticed, tbh.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
maratsade
Distinguished Professor IV

They may have changed this -- I remember a long time ago reading that Google did not include the sender's IP address in the headers.  I haven't really checked, as my knowledge of this is extremely basic. 

After almost two weeks of inactivity, just got a third one. Here's the tally:

 

Date          Email Server     Amt     BTC Account
-----------   --------------   -----   ----------------------------------------------------------
10 Jul 2018   104.47.125.245   $1900   1JHwenDp9A98XdjfYkHKyiE3R99Q72K9X4 (3.35 collected, 17 xactions)
11 Jul 2018   40.92.70.69      $2900   1YAy8oEjEXsxos5u7y5k7siJ4tSmA71sU (0 collected, 0 xactions)
24 Jul 2018   40.92.253.58     $7000   1GLuqSSnZg8jq6AQdypjLYQoRPveX9uDxb (0 collected, 0 xactions)

 

They seem to be getting even bolder with their demands.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
maratsade
Distinguished Professor IV

Stop doing the lip sync challenge, Mark, and they will stop filming you! LOL