
Observations on a recently experienced ransomware scam

Last Updated: Jan 10th, 2019 7:04 am
[OP]
Deal Addict
Dec 12, 2009
3455 posts
1300 upvotes
Toronto


I've been getting some emails lately wanting a bitcoin payment or they would take over my computer and expose my internet activities. The first one went into my mailbox, the remainder were caught by Bell's spam filters.

They are craftily worded, yet obviously English is not their first language. The first one came in with a subject line of a password that I used on a different forum with a similar yet distinctly different username. Yep, I remember the password; it was unique to that site. I also remember the site came up as a site that was affected by Cloudbleed, and the data leak was verified by https://cloudbleedcheck.com. Although initially unnerving, it didn't take long to realize the threat was based on an abandoned password and an email address known to be in the wild.

The last email came in with my computer model as the subject. Equally unnerving. Then I realized I posted the computer model here in the forums and remembered that RFD was also subject to a data breach: https://www.redflagdeals.com/latest-new ... ry-9-2017/ The commonality of data between the 2 breaches is simply my email address and two close but not identical user names. Everything the email author has used has come from linking the data contained in 2 known data breaches posted in the wild, then doing a search of RFD.

Citing the computer model to expose my claimed suspicious internet activity is where they blew it. The computer in question is only used for one piece of business software that contains client data. That's it - security and privacy by design. Which tells me all the claimed activities on that computer are pure BS.

I'm hoping that by posting my observations this post might serve as a PSA to someone else who might be getting similar threats. My suggestion is to stop and think the emails out before you freak out or pay. My bet goes to the emails being a scam.
If you are getting different credit scores from different sources please post them here:
Comparing the consumer accessible credit scores
17 replies
Deal Addict
Apr 28, 2017
1339 posts
1555 upvotes
These emails are common. I get them all the time stating they've caught me through my webcam with video of me masturbating.
Thing is, I don't have a webcam.

They are all hilariously written in broken English. Just toss them and don't worry.
Sr. Member
Dec 24, 2007
914 posts
847 upvotes
BC
Same here.

They got hold of an old sign-on (old email address and password); I don't even remember where I used it to register. Then they wrote a long message saying that they have tracked my usage and used the sign-in on some suspicious site, and if I don't send them some bitcoins, they will send it to all my contacts to let them know what I have been up to.

What a joke... if I received such an email from a personal contact, would I even care to read the spam?

I guess some people who don't take such precautions might panic and think they got something.
Deal Addict
Dec 1, 2010
1665 posts
781 upvotes
GTA
Can I ask what email clients you guys are using that you are receiving these messages?
Sr. Member
Dec 24, 2007
914 posts
847 upvotes
BC
Mine was from a Community Net email server I haven't used for over a decade. Never deactivated the account but had it on email forwarding when I switched out.

Knew right away it was nonsense.

Be safe... don't use your personal email account with identifying information for registering websites; use a "junk" email account. Why give up your privacy so easily?
Last edited by WetCoastGuy on Oct 27th, 2018 11:05 pm, edited 1 time in total.
Deal Addict
Feb 14, 2009
1280 posts
513 upvotes
ROYinTO wrote:
Oct 27th, 2018 9:24 pm
Another person here and I recalled that the password in a similar email we received was from LinkedIn.
In the last months there were at least 2 threads on this.

You actually suggested an interesting thing -- that two (at least) different sources were analysed!
Can it be that they obtained just two independent lists and sent scam emails to everybody,
without eliminating and cross-analyzing repeating entries?

Or do you clearly see cross-analysis from two hacks?

Or do you suspect that only one hack (of two) was cross-analyzed with RFD?

Thanks.

Cheers!
Sr. Member
Feb 4, 2018
969 posts
48 upvotes
Got one of these about a month ago, saying they caught me browsing porn sites and they'd send all the sites I've been to to all my contact list.

I would have replied and told them to go nuts, but that would have just confirmed to whoever these as@wipes are that my E-mail addy was legit.

So just to add, never reply to e-mails like that. You are only digging the hole further.
[OP]
Deal Addict
Dec 12, 2009
3455 posts
1300 upvotes
Toronto
heyyahblah wrote:
Oct 27th, 2018 10:40 pm
Can I ask what email clients are you guys using that you are receiving these messages?
I prescreen everything using Bell's web mail, which I believe is Outlook.

I'll have to follow @WetCoastGuy's lead and check my other rarely used email accounts.
[OP]
Deal Addict
Dec 12, 2009
3455 posts
1300 upvotes
Toronto
tequilla wrote:
Oct 27th, 2018 11:05 pm
You actually suggested an interesting thing -- that two (at least) different sources were analysed!
Can it be that they obtained just two independent lists and sent scam emails to everybody,
without eliminating and cross-analyzing repeating entries?

Or do you clearly see cross-analysis from two hacks?

Or do you suspect that only one hack (of two) was cross-analyzed with RFD?
I think there was some form of cross analysis. The common denominator is an email address, which is a fairly unique string for most people. Computers are good at finding matching strings.

The dump from the 1st forum gave them an email plus password. The dump from RFD gave them "The database contained RedFlagDeals forum usernames, email addresses and an encoded password hash and salt." Combine the 2 dumps based on email and you start to compile info that can be used in a scam.

The computer model they cited has only been posted here on RFD. With an RFD user name obtained in a breach you can search posts. It only took a few minutes for me to see you have an Asus P8B75-M motherboard.
https://forums.redflagdeals.com/need-ad ... #p28366019

The first email citing a password gives them a hook for you to think about. Then they come back with some hardware specifics that are meant to get you thinking maybe these guys are not scammers. There is just enough technical gibberish in the emails to possibly fool the odd person. Tech-savvy people have to stop and read through the munged English to determine what is being said.

For example, the first email said something about a single pixel image embedded to track you reading the email. That does not cut it with someone reading email through a web browser. You have to press a button to show images. No button = no image embedded, which means it is likely a scam.
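Added example, not from any post in this thread: the "single pixel image" claim above refers to a remote image that only reports back if the mail client fetches it, which webmail does not do until you press the "show images" button. A practitioner who wants to check what a suspicious message is actually carrying can scan its raw HTML for remote images and single out the beacon-shaped ones. The script below does that with the standard library only; the HTML body, the tracker and logo hostnames (reserved `.example` names) and the `CONSTRUCTED-ID` value are all made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel (e.g. "1", "1px")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class RemoteImageAuditor(HTMLParser):
    """Collect every <img> that points at a remote server; a remote image that is
    1x1 or hidden is what an "I know you have read this" beacon looks like."""

    def __init__(self):
        super().__init__()
        self.remote_images = []     # every <img> with an http(s) src
        self.tracking_pixels = []   # the subset that looks like a beacon

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # cid:/data: images travel inside the message and cannot phone home
        if urlparse(src).scheme not in ("http", "https"):
            return
        self.remote_images.append(src)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
        if tiny or "display:none" in style:
            self.tracking_pixels.append(src)


def audit_email_html(html):
    """Return the remote images in an HTML email body and the beacon-like subset."""
    auditor = RemoteImageAuditor()
    auditor.feed(html)
    auditor.close()
    return {"remote_images": auditor.remote_images,
            "tracking_pixels": auditor.tracking_pixels}


# Constructed sample body: one 1x1 beacon, one ordinary logo and one embedded
# (cid:) image. Hostnames are reserved example names, not real servers.
SAMPLE_HTML = """
<html><body>
<p>You have 48 hours to make the payment. I know you have read this email.</p>
<img src="https://tracker.example/open?id=CONSTRUCTED-ID" width="1" height="1" alt="">
<img src="https://img.example/logo.png" width="120" height="40" alt="logo">
<img src="cid:part1.attached" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    report = audit_email_html(SAMPLE_HTML)
    print("remote images:", report["remote_images"])
    print("beacon-like  :", report["tracking_pixels"])
```

Running it on the sample reports two remote images and flags only the 1x1 tracker; the `cid:` image is ignored because it is part of the message itself. In the thread's scenario the point is the reverse one: if the client never fetched anything, the sender cannot know the mail was opened, whatever the message claims.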
[OP]
Deal Addict
Dec 12, 2009
3455 posts
1300 upvotes
Toronto
WetCoastGuy wrote:
Oct 27th, 2018 10:14 pm
Then, they wrote a long message saying that they have tracked my usage and used the signin on some suspicous site and if I don't send them some bitcoins, they will send it to all my contacts to let them know what I have been up to.

What a joke...
We both see through this. Others may not. The authors are looking for suckers and exploiting FUD: fear, uncertainty and doubt.
Newbie
Aug 22, 2018
53 posts
Moncton
Got it too lol, didn't bother. Just weird, it uses ur real email but the password was wrong tho.
Member
Nov 21, 2009
375 posts
168 upvotes
Moncton
User381785 wrote:
Oct 27th, 2018 9:27 pm
These emails are common. I get them all the time stating they've caught me through my webcam with video of me masturbating.
Thing is, I don't have a webcam.

They are all hilariously written in broken English. Just toss them and don't worry.
Guess they watched that episode of Black Mirror 😅
Deal Addict
Feb 14, 2009
1280 posts
513 upvotes
ROYinTO wrote:
Oct 28th, 2018 3:26 am
Thanks!
Deal Fanatic
Sep 29, 2005
5084 posts
859 upvotes
Montreal
This is an email my wife received today. The name on the email was wrong, but the from and to addresses were hers.
Dear


Yоu maу nоt know me and you arе prоbаbly wondering whу уou are getting this е mаil, right?

I'm а haсkеr whо craсked уour dеviсes a few months ago.

I sеnt уou an email frоm YOUR hаckеd ассount.

I sеtup a malwаre on thе adult vids (porno) wеb-site and guess what, уоu visitеd this site tо hаve fun (уou know whаt I mеаn).

While уou werе watching videоs, уоur intеrnеt brоwser startеd out funсtioning as а RDP (Rеmоtе Contrоl) having а keуlogger which gаve me aссessibilitу tо yоur sсreen аnd web саm.

аftеr that, mу softwarе prоgrаm оbtаined аll of your cоntасts and files.

Yоu еntered a passwords on thе wеbsitеs уou visitеd, аnd I intеrcеptеd it.

Of сoursе уоu cаn will сhаngе it, or аlrеady сhangеd it.
But it doеsn't matter, my mаlwarе updаted it еvеry timе.

Whаt did I do?

I crеatеd a dоublе-sсrеen videо. 1st pаrt shows the vidеo уou wеre watсhing (yоu'vе gоt а gооd tastе haha . . .), and 2nd part shоws the rеcording of уour wеb сam.
Dо not trу tо find аnd dеstrоу my virus! (All уоur dаtа is alreadу uplоadеd tо а remote sеrvеr) – Do nоt try to сontact with me – Vаrious sеcurity sеrviсеs will nоt hеlp you; fоrmаtting а disk оr dеstrоying a dеviсе will not hеlp еither, sincе уоur dаta is alreadу on а rеmоtе server.

I guarаnteе уоu thаt I will not disturb you again after pаymеnt, аs уou are nоt mу singlе viсtim. This is а hасker code оf honor.

Don’t be mad аt mе, evеryоnе has thеir оwn work.
ехасtly what shоuld yоu dо?

Wеll, in mу оpinion, $500 (USD) is а fair priсе for оur little sеcret. Yоu'll makе the payment bу Bitcoin (if уоu do nоt knоw this, sеаrch "hоw tо buy bitcoin" in Gооglе).

Mу Bitсoin wallet Address:
1BPkc1939fmU8fkyNS56cJpDjhyEVLsppe

(It is сAsE sensitivе, sо copy and paste it)

Impоrtаnt:
Yоu have 48 hour in оrdеr to make the pауmеnt. (I've а fасeboоk pixеl in this mail, аnd аt this moment I know that you hаvе read through this emаil mеssagе).
Tо trасk the rеading of а messagе and the aсtions in it, I use the faсеbоok piхеl.
Thanks tо them. (Everуthing thаt is usеd for thе authoritiеs can help us.) If I dо nоt gеt thе BitCоins, I will сertainlу send оut your vidео rесording tо all оf yоur contaсts including relativеs, сowоrkеrs, and sо оn. Having said thаt, if I reсеivе thе paуment, I'll destrоу thе vidео immidiatеly.
If you neеd еvidеnce, rеplу with "Yes!" and I will certainly sеnd оut уоur videо rесording tо уоur 6 cоntасts. It is a nоn-nеgоtiаble оffеr, that being sаid don't wаste mу personal timе and уоurs by rеspоnding to this mеssаge.
Phils
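Added example, not part of any post in this thread: the message pasted above appears to mix Cyrillic lookalike letters into English words (note how "Yоu" and "you" are spelled differently in the same sentence), a common trick for slipping extortion wording past keyword filters, and it closes with a Bitcoin address and a deadline. The script below, written for this thread and using only the standard library, flags those three markers: words that mix Latin and Cyrillic letters, a legacy Bitcoin address, and extortion vocabulary matched after the lookalikes are mapped back to Latin. The sample text is constructed from fragments of the message above with escaped Cyrillic characters; the wallet address is the one quoted in that post, and the small homoglyph table is an assumption that covers only the most common lookalikes.

```python
import re
import unicodedata

# Cyrillic letters that render like Latin ones, mapped to the letter they
# impersonate so keyword matching sees the words the reader sees. Assumed
# table; it covers the common lookalikes, not every confusable character.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
})

# Legacy (base58) Bitcoin address: starts with 1 or 3, never contains 0/O/I/l.
BTC_LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

EXTORTION_TERMS = ("bitcoin", "wallet", "payment", "webcam", "web cam",
                   "contacts", "video", "hacker", "hacked")


def _script(ch):
    """'Latin', 'Cyrillic' or None, taken from the character's Unicode name."""
    try:
        name = unicodedata.name(ch)
    except ValueError:
        return None
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script.capitalize()
    return None


def mixed_script_words(text):
    """Words containing both Latin and Cyrillic letters; genuine English never does."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {_script(c) for c in word if c.isalpha()} - {None}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def assess_email(text):
    """Score one message body on the three markers and return the evidence."""
    mixed = mixed_script_words(text)
    normalized = text.translate(HOMOGLYPHS)          # what the reader sees
    terms = sorted(t for t in EXTORTION_TERMS if t in normalized.casefold())
    addresses = BTC_LEGACY_RE.findall(normalized)
    suspicious = bool(addresses) and (len(mixed) > 0 or len(terms) >= 2)
    return {"mixed_script_words": mixed, "terms": terms,
            "btc_addresses": addresses, "suspicious": suspicious}


# Constructed sample built from the message above, Cyrillic letters escaped so
# the substitution is visible in the source; the address is the one quoted there.
SAMPLE_SCAM = (
    "Y\u043eu ma\u0443 n\u043et know me. I'm \u0430 ha\u0441k\u0435r wh\u043e cra\u0441ked "
    "\u0443our d\u0435vi\u0441es. Y\u043eu'll make the pa\u0443m\u0435nt b\u0443 Bitcoin. "
    "M\u0443 Bit\u0441oin wallet Address: 1BPkc1939fmU8fkyNS56cJpDjhyEVLsppe"
)
SAMPLE_CLEAN = "Hi, the meeting moved to 3pm tomorrow. Bring the Q3 numbers."

if __name__ == "__main__":
    for label, body in (("scam", SAMPLE_SCAM), ("clean", SAMPLE_CLEAN)):
        result = assess_email(body)
        print(label, "->", "suspicious" if result["suspicious"] else "ok",
              "| mixed-script words:", len(result["mixed_script_words"]),
              "| terms:", result["terms"], "| addresses:", result["btc_addresses"])
```

The mixed-script check is the strongest of the three signals: a legitimate English message has no reason to contain a word spelled with letters from two alphabets, so even a handful of hits is worth a quarantine, while the keyword and address checks on their own would also fire on an ordinary newsletter about cryptocurrency. Matching keywords on the normalized text rather than the raw one is what defeats the substitution trick.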
