Screen Cam Blackmail Scam.

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Screen Cam Blackmail Scam.

Post by SorenR » 2018-08-07 12:01

Got another one of these today. Usually I ignore them ... BUT ... this one caught my interest. It's got a real live password in it, an old password, but nevertheless a password I know my wife has used!
I asked her and it seems it is a few years old and has been changed multiple times since then. However, it could be an old website/forum she is not using anymore, however unlikely that is.

GDPR made it so that if you do not respond to a request for continued use, they should delete your profile - thus most old unanswered registrations on websites and forums should vanish. If not ... well, the GDPR boss lady in the EU is Danish and does NOT take NO for an answer, so do you have a spare couple of million Euros lying around for a fine?

My concern is ... What website was hacked to obtain this password, and when?

Return-Path: important@williehowell.com
Delivered-To: spam@acme.inc
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on datacenter.acme.inc
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.5 required=3.0 tests=BAYES_99,BAYES_999,INVALID_MSGID,KAM_NUMSUBJECT,
RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,TO_IN_SUBJ autolearn=disabled version=3.4.0
X-Spam-Virus: No
X-Spam-Report: *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
               *      [score: 1.0000]
               *  2.6 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5) 
               *      [46.161.42.91 listed in bl.mailspike.net] 
               *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% 
               *      [score: 1.0000]
               *  0.6 INVALID_MSGID Message-Id is not valid, according to RFC 2822
               *  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted 
               *  0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current years 
               *  0.1 TO_IN_SUBJ To address is in Subject
Received: from mail.williehowell.com (mail.williehowell.com [46.161.42.91]) by mx.acme.inc ; 
Tue, 7 Aug 2018 09:21:11 +0200
From: "Luisa" <important>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=UTF-8
Mime-Version: 1.0 (1.0)
Subject: jane@acme.inc:tellno1
Message-Id: <B3608E88-D826-294D-27D4-588CF7900BE5@>
Date: Tue, 7 Aug 2018 00:20:12 -0700
To: jane@acme.inc
X-hMailServer-Spam: YES
X-hMailServer-Reason-2: RBL - Rejected by Barracuda Reputation Block List - (Score: 5)
X-hMailServer-Reason-3: Tagged as Spam by SpamAssassin - (Score: 7)
X-hMailServer-Reason-Score: 12
X-Envelope-To: jane@acme.inc
X-Envelope-OriginalTo: jane@acme.inc
X-Envelope-From: important@williehowell.com
X-hMailServer-LoopCount: 1

It appears that, (tellno1), is your password. You may not know me and you are most likely wondering why you are 
getting this e-mail, right?
 
actually, I setup a trojans on the adult vids (adult) web-site and guess what, you visited this website to have fun 
(you know very well what I mean). During the time you were watching videos, your internet browser started off 
functioning as a RDP (Remote Desktop) which gave me accessibility to your screen and web camera. after that, my 
computer software obtained your complete contacts from your Messenger, Outlook, FB, along with emails.
 
What did I do?
 
I produced a double-screen video. Very first part shows the recording you're seeing (you've got a good taste haha . 
. .), and Second part shows the recording of your webcam.
 
what exactly should you do?
 
Well, in my opinion, $1000 is really a reasonable price for your little hidden secret. You'll make the payment by 
Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).
 
BTC Address: 19DMNvvUXfXDe3S8e7NPQLzRZkfRXCMj7g
(It's case sensitive, so copy and paste it)
 
Very important:
You have some days in order to make the payment. (I have a unique pixel within this e-mail, and at this moment I 
know that you've read through this email message). If I do not get the BitCoins, I will certainly send your videos 
to all of your contacts including family, co-workers, and so on. Having said that, if I get the payment, I'll 
destroy the recording immidiately. If you want evidence, reply with "Yes!" and i'll certainly send your videos to 
your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding 
to this message.

Site is in Russia (who would have guessed it :mrgreen: )

08/07/18 11:47:31 whois 46.161.42.91@whois.geektools.com

whois -h whois.geektools.com 46.161.42.91 ...
GeekTools Whois Proxy v5.0.6 Ready.

Checking access for ***.***.72.165... ok.

Final results obtained from whois.ripe.net.

Results:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '46.161.42.0 - 46.161.42.255'

% Abuse contact for '46.161.42.0 - 46.161.42.255' is 'webshieldsup@gmail.com'

inetnum:        46.161.42.0 - 46.161.42.255
netname:        WebShield
descr:          WebShield Network
country:        RU
org:            ORG-WS171-RIPE
admin-c:        KIV106-RIPE
tech-c:         KIV106-RIPE
status:         ASSIGNED PA
mnt-routes:     MNT-PINSUPPORT
mnt-domains:    VSERVER-MNT
mnt-by:         MNT-PINSUPPORT
mnt-by:         MNT-PIN
created:        2018-03-12T18:06:50Z
last-modified:  2018-04-16T21:56:01Z
source:         RIPE # Filtered

organisation:   ORG-WS171-RIPE
org-name:       Barbarich_Viacheslav_Yuryevich
org-type:       OTHER
address:        Russia
address:        Marks
address:        5-ya liniya, d.17
abuse-c:        ACRO5735-RIPE
admin-c:        BVY17-RIPE
tech-c:         BVY17-RIPE
mnt-ref:        MNT-PIN
mnt-ref:        MNT-PINSUPPORT
mnt-by:         MNT-PINSUPPORT
created:        2017-04-01T16:43:45Z
last-modified:  2018-05-01T21:23:09Z
source:         RIPE # Filtered

person:         Kucharavenka Ihar Valerievich
address:        Lesi Ukrainki, 9
address:        Kiev
address:        Ukraine
phone:          +380 95 5037029
nic-hdl:        KIV106-RIPE
mnt-by:         MNT-PINSUPPORT
created:        2017-03-03T17:13:11Z
last-modified:  2017-10-30T23:40:32Z
source:         RIPE # Filtered

% Information related to '46.161.42.0/24AS41995'

route:          46.161.42.0/24
origin:         AS41995
mnt-by:         MNT-PINSUPPORT
created:        2018-04-04T19:26:44Z
last-modified:  2018-04-04T19:26:44Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.91.2 (WAGYU)
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
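As an added example (not from the original post or from hMailServer), a small Python triage routine for headers like the ones quoted above: it pulls the SpamAssassin score and test names out of the folded X-Spam-Status, takes the connecting IP from the outermost Received header, and flags the recipient:credential subject pattern this scam uses. The sample message is constructed; its sender domain, IP and credential are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above; domain, IP and credential are placeholders.
SAMPLE = """\
X-Spam-Status: Yes, score=7.5 required=3.0 tests=BAYES_99,BAYES_999,INVALID_MSGID,KAM_NUMSUBJECT,
 RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,TO_IN_SUBJ autolearn=disabled version=3.4.0
Received: from mail.sender.example (mail.sender.example [192.0.2.10]) by mx.acme.inc ;
 Tue, 7 Aug 2018 09:21:11 +0200
From: "Luisa" <important>
Subject: jane@acme.inc:OLDPASSWORD
Message-Id: <B3608E88-D826-294D-27D4-588CF7900BE5@>
To: jane@acme.inc
"""

def spam_status(msg):
    """Unfold X-Spam-Status (dropping fold whitespace after commas) into (score, required, [tests]); None if absent."""
    value = re.sub(r",\s+", ",", " ".join(msg.get("X-Spam-Status", "").split()))
    m = re.search(r"score=([\d.]+) required=([\d.]+) tests=(\S+)", value)
    if not m:
        return None
    return float(m.group(1)), float(m.group(2)), m.group(3).split(",")

def connecting_ip(msg):
    """IP literal from the outermost Received header: the host that handed the mail to our MX."""
    for hdr in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m:
            return m.group(1)
    return None

def extortion_indicators(msg):
    """Heuristics for the 'recipient:credential' extortion pattern seen in this thread."""
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    subject = " ".join(msg.get("Subject", "").split())
    m = re.fullmatch(r"([^\s:@]+@[^\s:]+):(\S+)", subject)
    return {
        # Subject is a combo-list entry whose address is our own recipient (what TO_IN_SUBJ scores).
        "credential_in_subject": bool(m) and m.group(1).lower() == to_addr,
        # Message-Id with an empty right-hand side, which is what INVALID_MSGID fires on.
        "invalid_message_id": msg.get("Message-Id", "").rstrip(">").endswith("@"),
    }

def triage(raw):
    msg = message_from_string(raw)
    score, required, tests = spam_status(msg) or (0.0, 0.0, [])
    return {"score": score, "over_threshold": score >= required, "tests": tests,
            "connecting_ip": connecting_ip(msg), **extortion_indicators(msg)}
```

The credential itself is never written out, only the fact that the subject carries one, so the resulting dict is safe to ship to a log or SIEM.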

mattg
Moderator
Posts: 18766
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Screen Cam Blackmail Scam.

Post by mattg » 2018-08-07 12:44

SorenR wrote:
2018-08-07 12:01
My concern is ... What website was hacked to obtain this password, and when?
As good an argument for plus addressing as I've seen.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: Screen Cam Blackmail Scam.

Post by jimimaseye » 2018-08-07 12:55

mattg wrote:
2018-08-07 12:44
SorenR wrote:
2018-08-07 12:01
My concern is ... What website was hacked to obtain this password, and when?
As good an argument for plus addressing as I've seen.
I never use a primary address for anything now - all email addresses are disposable/plus addresses.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka
Senior user
Posts: 323
Joined: 2017-09-12 17:57

Re: Screen Cam Blackmail Scam.

Post by palinka » 2018-08-07 14:01

I got several of the same from different sources. Some of them passed DKIM, SPF, etc. and SpamAssassin didn't pick them up unless it tripped on Spamhaus, etc. One or 2 made it through completely clean.

I was going to post about these a few days ago but was busy. The scurvy dogs sending these are pretty sophisticated. The language used was very generic: "mature" instead of "adult", "going manual" instead of something akin to yanking the crank, no use of the word "porn". Very clean language, no links. No wonder some made it through. Bayes should catch any future ones, though.

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: Screen Cam Blackmail Scam.

Post by SorenR » 2018-08-07 19:23

Well, I have now received the exact same email from "Louisa", "Brittany" and "Viola". All three Bitcoin addresses are different.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: Screen Cam Blackmail Scam.

Post by jimimaseye » 2018-08-07 19:30

You're a popular guy. Makes us wonder why all them girls were watching you play with your tallywacker. Maybe they like what they see. 😉 (big boy. )

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: Screen Cam Blackmail Scam.

Post by SorenR » 2018-08-07 19:38

jimimaseye wrote:
2018-08-07 19:30
You're a popular guy. Makes us wonder why all them girls were watching you play with your tallywacker. Maybe they like what they see. 😉 (big boy. )
There is tape over all of our screen cams, and the email was addressed to my wife. :lol:

fishlevel
New user
Posts: 1
Joined: 2018-08-08 10:11

Re: Screen Cam Blackmail Scam.

Post by fishlevel » 2018-08-08 10:15

I have received the very same scam and have reported it to the domain authorities, which have opened a case and it seems they have taken down the domain now.
As for your question:
SorenR wrote:
2018-08-07 12:01
My concern is ... What website was hacked to obtain this password, and when?
That is rather easy: there has been quite a large password list floating around the internet for quite a while; just google for BreachCompilation and you will find it (1.4 billion passwords).
You can also quickly find out if your email is part of this or another password list by using one of the popular sites like https://hacked-emails.com/ or https://haveibeenpwned.com/ (these sites also show which hacks have happened on sites where your email/password had been exposed to the hackers, and when the breach happened).

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: Screen Cam Blackmail Scam.

Post by jimimaseye » 2018-08-08 10:21

fishlevel wrote:
2018-08-08 10:15
https://haveibeenpwned.com/ (these sites also show which hacks have happened on sites where your email/password had been exposed to the hackers and when the breach happened)
I checked this one last year and found several of our company email accounts on it. :roll:

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: Screen Cam Blackmail Scam.

Post by SorenR » 2018-08-08 11:32

Checked... Both wife and I have changed passwords on the mentioned sites multiple times since they were hacked, so no sweat.

mattam
New user
Posts: 1
Joined: 2018-08-08 17:16

Re: Screen Cam Blackmail Scam.

Post by mattam » 2018-08-08 17:22

I've received the same email (about half a dozen different times today) and was just googling some of the phrases to see if it's widespread, and this thread popped up. I can confirm that, certainly in my case, the email address and password combination came from a data breach at Last FM. I use a catchall email domain with site-specific addresses, so it was immediately clear this was sourced from the Last FM data breach, which occurred in 2012 but was made public in September '16. I doubt that whoever is sending these scammy emails only used data exclusively from this breach, but in my case I'm 100% certain that's where my data came from. YMMV.

(The password and email combination was obviously changed long, long ago)

"It took LeakedSource two hours to convert the data to visible passwords as they were stored using unsalted MD5 hashing, a method that the CMU Software Engineering Institute back in 2009 declared "cryptographically broken and unsuitable for further use." source: https://www.scmagazine.com/user-data-of ... le/530251/
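mattg and jimimaseye recommend plus addressing above, and mattam's catch-all domain with one address per site is what let him attribute the leak to a single breach. As an added example (not from this thread or from hMailServer), here is a Python routine that maps the envelope recipients of a run of such messages back to the address tag and to the service that tag was handed to, for both the plus-address and the catch-all layout; the registrations and recipient list are constructed placeholders.

```python
from collections import Counter

# Constructed inventory of the addresses handed out, tag -> service; placeholder names only.
REGISTRATIONS = {"musicsite": "music streaming site", "shop2014": "web shop", "forum": "hobby forum"}
MAILBOX = "jane"       # the real mailbox behind every tagged address
DOMAIN = "acme.inc"

def classify(rcpt):
    """Map an envelope recipient to (mailbox, tag). Handles plus addressing
    (jane+tag@DOMAIN) and a catch-all domain with one address per site (tag@DOMAIN).
    Returns None for foreign domains; tag is None for the untagged primary address."""
    local, _, domain = rcpt.strip().lower().partition("@")
    if domain != DOMAIN:
        return None
    user, plus, tag = local.partition("+")
    if user == MAILBOX:
        return MAILBOX, (tag if plus else None)
    return MAILBOX, user                  # catch-all: the local part itself is the tag

def attribute_leaks(rcpts):
    """Per tag: (service the tag was given to, number of extortion mails that used it).
    A tag that was never handed out is reported as such rather than silently dropped."""
    hits = Counter()
    for r in rcpts:
        c = classify(r)
        if c and c[1]:
            hits[c[1]] += 1
    return {tag: (REGISTRATIONS.get(tag, "unknown tag"), n) for tag, n in hits.items()}

# Constructed envelope recipients from a run of these messages (mixed case on purpose).
SAMPLE_RCPTS = ["jane+musicsite@acme.inc", "musicsite@acme.inc", "Jane+MusicSite@Acme.inc",
                "jane@acme.inc", "shop2014@acme.inc", "oldtag@acme.inc", "nobody@other.example"]
```

Mail to the untagged primary address yields no tag at all, which is exactly the attribution gap mattam's per-site addresses close.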

palinka
Senior user
Posts: 323
Joined: 2017-09-12 17:57

Re: Screen Cam Blackmail Scam.

Post by palinka » 2018-08-08 22:54

They're really rolling in now. So much for sophisticated. If they were smart, they'd leave it at one message per email address. That would be scarier than seeing several and knowing for sure they're spam garbage.
