“Hacked Account” Blackmail Spam on the Rise—Beware!

Originally published at: https://tidbits.com/2018/11/14/hacked-account-blackmail-spam-on-the-rise-beware/

A relatively new form of spam is making the rounds on the Internet. It purports to be from a hacker who has taken over your computer and who will reveal your porn browsing to all your contacts unless you pay a Bitcoin blackmail. It’s fake, but its use of breached passwords as “proof” points toward a concerning future.

I just got one! But the pw is not one I have ever used. It’s a long randomly generated one.

Diane

Yeah, initially I thought “Well, that’s silly, they can’t even get my password right.” But that’s what made me realize that truth isn’t really an issue here, and part of why I got further into how this sort of attack could be truly problematic even with fabricated details.

I got one too, although it didn’t reveal my password. After a cautionary scan with Sophos, I was sure that it was a scam.

Thanks to TidBits for this article. Once again, this is something that affected me but that no one else covered. It’s why Im a subscriber.

Not sure what you consider “relatively new” but I’ve been dealing with it since Brian Krebs outlined it back in July

https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

-Al-

I think Adam wrote now because over the last several days, the number of such emails exploded. Two days ago, I got one for an email address that is primary a spammer honeypot (the only place it is listed is on my blog, and I never use it to send email). Coincidentally, yesterday, I got a message from Apple requiring me to reset my Apple ID password. I suspect that may have been from an accumulation of failed attempted logins by identities unknown.

Great article, Adam. A lot of people will sleep better after reading it.

I got it too. For one I knew that I had not been to sites such as what was being suggested, but I also immediately saw that the password was bogus. But the real give away was that it was sent to an email address I had only used for one web service about a decade ago and never for anything else. So not only did I immediately know the extortion attempt was bogus (and could be safely ignored and deleted), I also knew which web service had been hacked.

I run my own email server on the same box that hosts my domain. One of the greatest advantages of this setup (apart from the fact that I would never want to rely on a “free” email service like gmail) is that I have an infinite supply of working email addresses that I can define and put into use at any time. So every time I sign up for some kind of online account I use a unique email address that I never use for anything else. When spam starts coming to one of those addresses I know that either the service screwed me over or they got hacked (in which case they essentially also screwed me over). I can then simply discard that account and have any future emails sent to that address rerouted straight to /dev/null on the server. The best part is, you usually know when a service has been hacked before they admit to it in public or you start reading about it in the papers.

I can highly recommend running your own email server. It requires some knowhow (fortunately I have a couple of great friends who were happy to teach me back when I was 100% clueless), but it’s a very rewarding experience once you realize the potential.

Watch last week’s 60 Minutes segment that discusses privacy. Perhaps this is an analogy to security.

The internet was originally all about a cum-by-yah opportunity for the greater good. No one asked the what-if questions - how about the bad guys?

The segment discusses Europe’s GDPR vs USA’s unbridled use on monetizing information to achieve wealth, user’s be damned. Putting the genie back in the bottle is going to be hard.

I think Internet version 2.0 needs to be built.

I like the email server approach - I guess numerous email aliases would work.
Do you have tips for doing this or maybe Tidbits could create an article?

I recommend not running your own email server. It’s not necessary to create distinct email addresses for every site you wish. First, many email providers support subaddressing in some form; the downsides are some poorly written web forms will reject email addresses containing the plus (+) sign most commonly used and a human reading your subaddressed address will know what your real address is (but 99% of spamming is automated and won’t check for this). Some providers, like Fastmail, offer variants that avoid the plus sign issue and are less obvious.

I do recommend having your own domain name for your email. My shared web hosting & domain provider, Dreamhost, also makes it easy for me to create unlimited email addresses (and subdomains). They don’t actually host my email anymore, I got a small, free Google Apps for Domains when they still offered that. I will say it’s more tricky to send email with these email aliases than it used to be as SMTP servers have gotten more finicky and I think Mail.app has as well (that’s probably at least partially because I’m using it with Gmail instead of a “real” IMAP service). Fortunately, it’s almost never necessary to send email with such an address, only receive.

Yes, and we even pointed at Brian’s article back then:

However, as @aforkosh noted, the prevalence of these messages has skyrocketed of late, and lots of people I know outside the computer world are getting them, so I wanted to reiterate the warning and explanation.

Personally, I won’t ever run an email server again—it’s a toxic hellstew, to quote the “Take Control of OS X Server” book where we actively discouraged readers from turning on the Mail service. The attacks are non-stop—we were getting thousands or tens of thousands per day back when we last ran a server earlier this year. And if you make one mistake in setup, you can end up being used as a relay for spam, which can seriously harm your ability to send your own mail (aside from just being icky).

Email is best left to the experts and their security teams.

I forgot to mention that I run my mail server on a Linux box at a hosting provider. I have no idea how it would work on a Mac, but from what you say Adam, it sounds rather unpleasant.

As you say, it’s definitely not something that’s very forgiving, small mistakes can have serious consequences. That’s where savvy UNIX friends really helped me out. But despite that risk there are substantial benefits to running your own show. I really enjoy doing my own server-side filtering and graylisting. Once everything was set up it was really just a matter of editing one text file. That’s basically all I’ve been doing on the mail server side of things for the last decade or so. With all the privacy violations I read about these days, I could never choose something like gmail. Of course I realize those are my priorities. I suppose others can live with Google, Facebook, et al. as long as they then don’t have to worry about things like updating their network stack.

Actually, now that I think about it. when we started out it was still an old Sun workstation running Solaris. A couple of years ago we realized we needed new hardware and then we shifted to Linux on 19" x86 hardware. I miss those old Sun workstations and although I wasn’t a huge fan of Solaris I get all nostalgic just remembering it.

Funny, I was JUST about to start a topic here… the first one I got had what had been a legit password and email address from a forum I used to visit a decade or more ago (which is no longer). I am now being flooded with such messages, none have any passwords and most consist of phony names attached to my domain. We’re talking 4-8 per day.

Oh, my poor domain is being subject to a different abuse. I suspect it’s one person, but they are signing up for MANY ebay accounts using various obviously made up first parts attached to my domain. I get the welcome message then a few days later many times I get the “suspended for suspicious activities” message. I even sacrificed a bunch of my time to try and get through to some human AT ebay (it was NOT easy) to spell it out for them… it took quite a while to convince the person that ANY account using my domain WAS a fraud and they should prevent ANYONE from using my domain (I had had an account but it seems to have died around mid 2017 and I don’t do any business on ebay anyway, if I wanted to do any business I can always use a gmail address). She SAID she would send their “security” team a report, but the pattern I saw before the call has not changed at all… and it’s been over a week.

Not so sure I want to get into the business of creating my own incoming email server… I get the mail, smile at how dumb it is and stick it into a folder. NONE of them even have any attachments… not to mention even if they did, I have yet to hear about any MAC getting infected by just looking at an email attachment or just looking at it.

The other dumb thing about this is I bet 99.9% of them who are GETTING this scam have zero clue how to even use something like a bitcoin to send their money to. Seems to me anyone savvy enough to know HOW are way too smart to fall for such dumb shit in the first place.

What I AM very curious about is they all have what most likely ARE bitcoin addresses that DO lead to whomever they are. CAN they be backtraced Iyeah I know they are not SUPPOSED to, but nothing is 100% secure, a few Isrealies cracked apple a while back)? Maybe if the russian hackers start getting bombarded, we’d see some action!

I’ve been doing my own server-side filtering since about 2010, and I don’t run a mail server. My domain’s email is handled by Fastmail, and I filter using Sieve. I moved my Eudora filters to Sieve (and also switched to IMPA) so that I could change email clients without worrying about filters, and I’ve taken advantage of that flexibility.

I have a Fastmail account which allows me to create email addresses within my domain. I could do most of the filtering with the Fastmail UI, but I already had a long Sieve script by the time they enhanced the UI, plus as a retired programmer I tend to think like a programmer.

Seems to me I have the advantages of running my own mail server without the dangers and time suck.

Edward

What really angers me is that there seems to be little or no consequences for compromising OUR data. For instance the Equifax breach or the Apollo thing that “left a database containing billions of data points publicly exposed with no password”! Someone should be in jail for that. Perhaps then future keepers of our information might put a little more thought into protecting it.

It is very frustrating that we are so often required to provide so much personal information online knowing that chances are good it will end up in the wrong hands. How many times have we heard ‘your information is safe with us’? Bah.

I would imagine that civil lawsuits could apply at least in cases of negligence where it’s easy to show that the company didn’t do what was technically reasonable. @randy2, have you heard of any?

The problem with that is of course that it’s not very realistic for me to take on a huge company and try to prove that they were negligent and that some damage I suffered occurred as the direct consequence of that negligence.

IMHO personal data should be recognized as private property and the burden of proof be reversed. It’s my data. If anybody but myself has it, it’s their responsibility to safeguard it at all and any cost. If they lose it, regardless of how or why, they are liable.

Large data breaches like these could lead to fines, but unless those fines are astronomical, that will likely just be considered the cost of doing (sloppy) business and instead of breaches ending, corporations will just buy insurance. So I then wonder if instead of fines, large-scale negligent data breaches should lead to immediate government takeover and liquidation of the corporate entity responsible for the breach. That might sound drastic, but I’m afraid that’s the only thing that would get the likes of Facebook et al. to take the issue seriously. And if they have only the slightest doubt they can handle my data carefully, well then they can always chose not to take it in the first place. It’s my data after all, not theirs.

Just got this in email from a reader, who said I could share it here:

Thanks for the blackmail spam article. I run my own domains and use custom email addresses and *-addressing for online forums, banking, etc. I use a unique email address for every online resource I register with and have been doing so for 20+ years.

As a result, I’ve been able to track all of the blackmail spam messages back to their hijack source using these “custom” email addresses, that in turn go to my main email via a catch-all mailbox forwarder. For example, my address for your site is <tidbits@myowndomain.com>, which goes to my main email address. So basically any email addressed to my domain gets sent to my main email address. I use Gmail and Plesk to filter spam, and the combo is about 98-98% effective while still allowing legit custom email addresses through. Over the years carefully crafted email rules have taken care of addresses which get mistaken for spam, or vice versa. Header filters are a big help, too.

So, for example, if I were to receive spam email addressed to the “unique” address <tidbits@myowndomain.com>, I would know your site had been breached–and I’d let you know.

So why am I telling you all this?

Based on the email/password combos I have seen on the 5-6 of these most recent blackmail spam messages I have received, all of the hijacked email address / password combos came from online forums running an unpatched/outdated version of vBulletin. It has been my long experience that many, if not most, forum owners have little interest in keeping their sites secure. Since vBulletin has historically had lingering security issues, it’s long been a ripe target for hacking/harvesting. It’s free and easy to administer, but secure it is not.

In fact, this email address schema allowed me to report to TD Ameritrade some years ago that their servers had been hacked fully eight months before that major breach was made public. I have reported a dozen or more of these breaches over the years.

Your mileage may vary, but that’s been my experience FWIW.

No, I haven’t. And that’s likely because proving negligence requires (among other things) 1) that you prove that the defendant has some sort of legal duty to protect the plaintiff, and 2) that the harm suffered is both real, and it isn’t too attenuated from what might have been foreseeable given the defendant’s negligent act.

I’m not sure that anyone anywhere has defined what the duty of an online host is with respect to keeping their users’ user names and passwords private. There might be a contractually based duty, but I doubt it because it’s the big companies that write these contracts.

And what is the foreseeable harm? Merely that the plaintiff will have to change their password? Is blackmail foreseeable? I doubt that it is legally.

But I haven’t done any research through the literature on this. I’m just going off the top of my head. It’s easily possible that there has been a past case that covers all this. I just don’t know about it.

When I first got one of these a few weeks back I laughed. A week later a parent called in a panic over receiving one. I realized how vulnerable people are or feel!