I’m an IT consultant. I work mostly with Email and security.

I’d like to think I’ve seen it all.

It’s unreal how many people are fooled by scams.

And it’s crazy how many people are suckered into paying the scammer.

This post is about one of the scams I’m seeing more frequently.

For some reason, this one seems to cause an absolute panic in the person that receives it.

Here is a recent message I received from a customer:

“The server has been hijacked, at least that’s the message we got and the hijacker is asking for a ransom to be paid in bitcoins.”

And here is another more frantic one:

“I just got a ransom demand from someone who hacked xxxxx.xxx email.
I will need to have security scrub my email and laptop.
Please text me any communications until further notice.
The demand is attached for your information.”

Hey, can we all just keep calm for a minute?

The server isn’t hacked.

It was never hacked.

And guess what, your email account probably wasn’t hacked either.

I take it personally when a customer says that my server has been hacked.

That’s a serious accusation and the implications are massive.

So naturally, I will investigate, look for clues, and prove it one way or the other.

In every case that I’ve investigated, I’ve been able to prove that it’s all bullshit.

Here’s one of the Messages

And Here’s where I debunk this message and call B.S. on everything that is said

  • The email did not come from the recipients email at all. It was spoofed from an outside address. It’s easy to determine this based on the email headers that are present. You can see three (3) different IP Addresses in the mix. If it had come from the same email address as asserted in the message, none of these headers (or the IP Addresses in them) would be present because it would have never left (or entered) the system. It doesn’t really matter what the headers show, the mere presence of them indicates it came from an outside system.  But in this case, it looks like it came from the country of Belarus (Borders Russian to the west). Lots of financial fraud originates from this region.

    Return-path: <aaron962smith@yahoo.jp>
Received: from smtp.redjuju.com ([192.168.2.17])
by ocazfs01.redjuju.net with ESMTP (TLS encrypted); Wed, 07 Nov 2018 22:59:55 -0700
Received: from mm-241-193-212-37.grodno.dynamic.pppoe.byfly.by ([37.212.193.241]:24443 helo=yahoo.jp)
by smtp.redjuju.com with smtp (Exim 4.82_1-5b7a7c0-XX)
(envelope-from <Aaron962Smith@yahoo.jp>)
id 1gKdMA-0001Bu-0a
for xxxxxxxx@xxxx.org; Wed, 07 Nov 2018 22:59:55 -0700
Received: from [4.26.118.92] by qnx.mdrost.com with LOCAL; Thu, 08 Nov 2018 00:41:50 -0500
Received: from smtp.mixedthings.net ([Thu, 08 Nov 2018 00:29:43 -0500])
by rly04.hottestmile.com with NNFMP; Thu, 08 Nov 2018 00:29:43 -0500
Received: from mx.reskind.net ([120.173.226.215])

  • The email as shown in the headers (previous item) was delivered at 10:59pm on 11/7/2018.  There are no login attempts to the email from around that time frame. If this account was truly compromised as stated, I would have seen a login report and the associated IP address. The IP address would likely come from a foreign country, probably Indonesia or Belarus in this case. I was able to account for ALL logins to the “hacked” account, and they were all from legitimate sources initiated by the user in question.

  • In the message above, at the end you see “Scanned by Symantec Email Security.cloud service. I believe this is a legitimate statement added to the email before it was delivered into the user’s mailbox. This again proves the message originated externally. It also proves that Symantec didn’t do a very good job of blocking it (I strongly recommend Sophos security).

  • In many cases, I have full control of the systems that claimed to be “hacked”. I take security seriously, and I went through the systems meticulously. The hacker claimed he had access to the users’ email account (And had sent the email from inside the account).  I could find no trace of any access from any location whatsoever to this account, except for logins from the user that I was able to prove were valid and legitimate. Furthermore, I could find no trace of any other nefarious activity related to this. Other than the spoofed email itself, there were no logs or indicators in my firewall or servers suggesting that anything had been compromised.

And here are some other things to consider in general.

  • Spoofing is a common tactic to trick users into thinking they have been hacked.  It’s really nothing more than a spam. They are just hoping the recipient will send money no questions asked. A Spoofed email looks like it comes from someone else, when in fact, it didn’t.

  • The Threat of Non-Payment. The “Hacker” threatens to embarrass you by exposing all your dirty secrets. I believe that if someone actually had real dirt on you, they would send you proof. If they want to be taken seriously, they need to provide photos of you in compromising situations. Otherwise, these are just vague and general threats with no teeth whatsoever.

    “After payment, my virus and dirty screenshots with your enjoys will self-destruct automatically. If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your “enjoys”. 

    “I want to say – you are a BIG pervert.”

    “I made a screenshot of the adults sites where you have fun (do you understand what it is about, huh?)”

  • In the email headers that I posted above, the return email address is aaron962smith@yahoo.jp.   If you follow this link, you can see that this email address is a known bitcoin abuser (In the ransom request, it provided his bitcoin address): https://www.bitcoinabuse.com/reports/1Jg9dAvCNbm1SMhKrdEieSA5aSJJnBExbB

  • Bitcoin by design is anonymous. Send money to this Bitcoin user and he’ll have no idea where it came from or who sent it. There’s absolutely nothing you can do to prove you actually paid. But who cares, this hacker does not have control of your system nor does he have control of your email. He simply sent a spoofed email that sounded mean and threatening.

    And if that’s not enough, you can do a quick search on the Bitcoin wallet listed in the message I posted and find that this is a widely reported scam. See the report here: https://www.bitcoinabuse.com/reports/182PJESsEWbuJ8PEgfM58p64jbok3i1gNU

  • In some cases, the “hacker” will include the user’s password to prove that the account is hacked. Even if it is the correct password, it doesn’t prove at all that their email account was hacked. It just means the “hacker” somehow got their password. And worst case, they could have logged into the account (I’ve never found evidence to confirm this has happened). There’s a big difference between “Login” and “Hacked”.
    In this situation, I’m led to believe that the password was likely used in lots of places on the Internet, not just the email account. Lots of people use the same password for everything. This is a very dangerous thing to do.
    Nowadays, it’s common to hear about a website that was compromised, where millions of email accounts and passwords were stolen. It would be easy to assume that this could have been the case in this situation. The email address and password were then sent to scare the user and exploit them for money.

  • The “hacker” uses a bunch of techno jargon. It’s just a bunch of random items that really aren’t connected. Overall it just doesn’t make a lot of sense. While there are situations where this type of thing happens, and there could be truth to it, it generally wouldn’t happen across this many systems all at once. Furthermore, the “hacker” implies that all the systems, as well as your workstation are within the same facility. But in fact, that’s not true at all. And these claims are ridiculous.

    • Software of the router
    • Hacked this router
    • Placed my malicious code on it
    • Trojan was installed when you went online
    • Full dump of your disk
    • Hacked your OS and got full access to your account

So what should you do? How do you protect yourself?

Let’s say you get an email like the one above.

You know it’s probably phony.

But what if they have your password?

What can you do to make sure you’re safe?

Here are some quick tips to protect yourself regardless of the situation.

  • If your password has been compromised, change it immediately.

  • Stop using the same password for all of your logins. Using unique passwords will minimize your exposure should one of them get compromised.

  • Use a secure password. Stop using your dog’s name or the name of your grandkid.

  • A secure password is typically considered something with 8 or more characters, with a combination of letters (Upper and Lower case), numbers, and characters.

  • A password should never be a simple word that could be found in the dictionary. They are way too easy to crack.

  • Use a password tool that generates random passwords for you and stores them in a secure location. I love the online tool https://passpack.com.

  • Don’t overreact and yell at your IT person just because you got fooled. Learn the common signs of a spoof. And don’t be such a noob.