I'm surprised it doesn't include a link to a "security site" with a domain like "passwordcheck.ru" to verify that the new password is secure.
The thing that confuses me about this is that it includes the password. Certainly most people would go "that's not my password" and ignore it. Are they trying to filter out the results to only people with atrocious passwords?
Looks similar enough I assume the same script was involved.
Googling the bitcoin addresses I was given gave me zero results, DuckDuckGo gave a small handful of results, so I guess those addresses are also used in bitcoin mining adverts or similar?
They definitely are using real passwords. I’ve seen them use 3 of my passwords I know were in password dumps. Fortunately I haven’t used those passwords for years, but other people will be seeing their current password.
So what happened is someone signed up for LinkedIn or something using the LKML as the email address and a bogus password. I'm somewhat surprised you can post to the LKML without being a member, that's a pretty common restriction for online listservs.
I've received some in French that were really well written (it's often not the cas) containing old valid passwords.
To begin I freaked out a bit, then understood it was too old to be meaningfull.
But seeing a password you know in the subject of the mail is a bit scary.
On a side note, while checking here and there, I found a website [0] displaying password leaked associated with emails. I don't know if they are ok or dangerous, so be carefull.
I tried with emails I knew where in Troy Hunt DB and it gave me the passwords.
It seems that now they just give you the 3 first letters, which is better than last week when you could test other people email just in case !
a lot of people get this spam. I received as similar one. it's spam filter configuration of lkml and I doubt that it is an actual targeted attack.
> After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
> I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.
+1 for social engineering.
and very similar to the thousands of other such mails sent out every day by scammers.
I'm guessing a lot of people aren't familiar with this recent spam.
They're using email/password combinations from lists of leaked accounts. I use a distinct email address for every site (qmail's scheme: x-foo@mydomain), and so the setup was very transparent to me. But I can see the technique totally working on a basic user who reuses passwords and email addresses.
I have been getting a variation of this email for months sent to mailer-daemon@ on a mail server on a VM that hosts absolutely no personal information or credential about anyone.
If you Google some phrases from it it seems like it's been going around nearly verbatim for years.
I think they are probing for mail servers which don't try to force any kind of authentication on From: headers. So mailing lists would probably be a fit for them. They have no idea who their targets are. They are just looking for gullible people to scam.
Note how this email includes a password. This particular form of scam relies on taking weak passwords acquired from database dumps and sending the scam email to the password owner, in the hopes that they'll recognize the password and think the email is legitimate (this is especially effective if the owner reuses passwords).
I'm not sure how a mailing list would end up in a dump like that though, as people don't generally sign up for sites using addresses belonging to mailing lists.
I wouldn't discount the idea that they made up a password rather than got it in a database dump. Even an incorrect password might be enough to freak somebody out.
I think these are not terribly sophisticated actors, they're running some scripts and looking for someone gullible enough to give them hundreds of dollars worth of Bitcoin based on what is in the end a pretty far fetched story.
Every previous instance of this particular scam I've seen mentioned before used a password that the recipient recognized.
I personally received this exact email just the other day, containing a password that I confirmed I actually used a very long time ago on a now-defunct site (which was known to be in at least one password dump).
I don't buy the "an incorrect password might freak someone out" argument, because the whole point of this scam is that the recipient recognizes the password. Without that password recognition, the inclusion of the password is harmful (because it proves the sender is full of shit) and at best makes the email have no more persuasive power than one that didn't include a password at all.
Hm. The mails my mailer-daemon account gets have a nearly identical message body but do not mention a specific password.
People do freak out and miss details. Kind of like what people say about 419 scams having poor grammar and spelling. This somewhat ensures that respondents are people who don't read carefully.
So now that all the crimes are a matter of public record, how do they get the money out without it being traced directly back to them? Shady local exchanges?
For some reason, several addresses have their first transaction for the equivalent of a few cents USD. Some also leave change when cashing out. I wish they cleaned up properly, because if the address is disposable, those fractions of btc are lost forever.
We're receiving these spams from practically every continent. They ask for about 850 USD in btc, so tey always make about 6-12,000 USD per operation. They usually cash out in less than 5 days.
I grew tired of reporting their IP addresses to their ISPs, which definitely don't care. Specially the Asians.
Had me right there. The entertainment value alone would be worth it, if I did not also have to calm down those (few) of my clients who are a little more, shall we say, persuadable?
Then out comes the "good security practices" text, along with credit card monitoring recommendations text, etc.
"I know it's true, 'cause I saw it on tv." - John Fogerty
I've been getting these emails for a while now. If you realize that it's just a scam, they're providing a service similar to Have I Been Pwned, delivered directly to your inbox!
I've seen similar emails in my DMARC rejected email reports.
The unique thing about these ones is that they send it from your own address. I.e. they spoof your address so that it looks like your account really has been compromised.
38 comments
[ 3.4 ms ] story [ 82.7 ms ] threadThe thing that confuses me about this is that it includes the password. Certainly most people would go "that's not my password" and ignore it. Are they trying to filter out the results to only people with atrocious passwords?
1) Real 2) Only ever used on one website 3) Was for a LiveJournal account I’d forgotten to delete
https://kitsunesoftware.wordpress.com/2018/08/09/anatomy-of-...
Looks similar enough I assume the same script was involved.
Googling the bitcoin addresses I was given gave me zero results, DuckDuckGo gave a small handful of results, so I guess those addresses are also used in bitcoin mining adverts or similar?
To begin I freaked out a bit, then understood it was too old to be meaningfull.
But seeing a password you know in the subject of the mail is a bit scary.
On a side note, while checking here and there, I found a website [0] displaying password leaked associated with emails. I don't know if they are ok or dangerous, so be carefull.
I tried with emails I knew where in Troy Hunt DB and it gave me the passwords.
It seems that now they just give you the 3 first letters, which is better than last week when you could test other people email just in case !
[0] https://ghostproject.fr/
> After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
> I made a screenshot of the intimate website where you have fun (you know what it is about, right?). After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.
+1 for social engineering.
and very similar to the thousands of other such mails sent out every day by scammers.
They're using email/password combinations from lists of leaked accounts. I use a distinct email address for every site (qmail's scheme: x-foo@mydomain), and so the setup was very transparent to me. But I can see the technique totally working on a basic user who reuses passwords and email addresses.
How informative and thoughtful of them.
If you Google some phrases from it it seems like it's been going around nearly verbatim for years.
I think they are probing for mail servers which don't try to force any kind of authentication on From: headers. So mailing lists would probably be a fit for them. They have no idea who their targets are. They are just looking for gullible people to scam.
I'm not sure how a mailing list would end up in a dump like that though, as people don't generally sign up for sites using addresses belonging to mailing lists.
And yet some dingus in hyderabad keeps using my email address to sign up on all the job boards in india. Users are weird.
I think these are not terribly sophisticated actors, they're running some scripts and looking for someone gullible enough to give them hundreds of dollars worth of Bitcoin based on what is in the end a pretty far fetched story.
I personally received this exact email just the other day, containing a password that I confirmed I actually used a very long time ago on a now-defunct site (which was known to be in at least one password dump).
I don't buy the "an incorrect password might freak someone out" argument, because the whole point of this scam is that the recipient recognizes the password. Without that password recognition, the inclusion of the password is harmful (because it proves the sender is full of shit) and at best makes the email have no more persuasive power than one that didn't include a password at all.
People do freak out and miss details. Kind of like what people say about 419 scams having poor grammar and spelling. This somewhat ensures that respondents are people who don't read carefully.
I like the cut of whoever sent 0.00000666 BTC's jib.
[1] https://www.blockchain.com/btc/address/15ZHnf1MPn6ybb8yUeAoC...
Total Received 2.98619488 BTC (apx $19k USD)
So not an unsuccessful campaign I guess
I grew tired of reporting their IP addresses to their ISPs, which definitely don't care. Specially the Asians.
Had me right there. The entertainment value alone would be worth it, if I did not also have to calm down those (few) of my clients who are a little more, shall we say, persuadable?
Then out comes the "good security practices" text, along with credit card monitoring recommendations text, etc.
"I know it's true, 'cause I saw it on tv." - John Fogerty
This is my favorite
The unique thing about these ones is that they send it from your own address. I.e. they spoof your address so that it looks like your account really has been compromised.
Like this:
From: me@example.com
To: me@example.com
The most impressive part of this hack is that he got read receipts for emails!