This account has been hacked! Change all your passwords!
The 'You've been looking at porn sites' scam!
This one's my favorite so far, these scammers must have put their creative thinking caps on for this one! It is so well worded, non threatening, unverifiable, great geek terminology (that we all know) and plays on most people's insecurity about sex & porn. Of course I have changed the clients email address to a generic one.
Great isn't it! Keep in mind there is nothing they say that can be verified. except for the fact that it looks (LOOKS) like it comes from your email address, but it doesn't. Some will even have a password attached to them that is actually an old or current password depending on how vigilant you are with changing your passwords. So this is a little scarier, if it is your password in the scam email then CHANGE YOUR PASSWORD. More than likely it is a password that you've used before on another site that would have been hacked.
You can see if any of your common username and passwords are on this hacked database here: https://haveibeenpwned.com. Basically this scammer has a list of 5 billion or so hacked (and for the most part outdated) email addresses and passwords and is using a robot to send out millions of emails on a fishing expedition waiting for someone to bite.
By the way, this was the 2nd email sent to this client, the first one (that I don't have but is worded very similarly) had an email header that looked like this...
I know right, you're just thinking what does it all mean anyway? The Email header can't be faked and it tells the truth about where the emails was sent from. The scammer can add your email to the 'From:' field in the email but the header will let you know where it originated.
Let's break this header down...
You can see the below header which tells mails comes from 78.30.30.11, this was not my client's server IP anyway, so this means they couldn't have sent it from my clients email address. So right there, case closed!
Received: from [78.30.30.111] (port=4535 helo=static.masmovil.com) by host2.dphost.com.au with esmtp (Exim 4.91) (envelope-from ) id 1gGwNk-00DCh8-Ex for ; Mon, 29 Oct 2018 11:30:23 +1000
Wait, you want more, also in the end of that header, you can see the email software has detected this message as spam as well.
X-Spam-Report: Spam detection software, running on the system "host2.dphost.com.au", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
Content preview: Hello! I'm a programmer who cracked your email account and device about half year ago. You entered a password on one of the insecure site you visited, and I catched it. Of course you can will change y
Content analysis details: (13.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0
URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: clientwebsite.com.au]
1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/ [78.30.30.111 listed in bl.score.senderscore.com] 0.0
RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [78.30.30.111 listed in list.dnswl.org] 1.5
SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 2.0
PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) 2.5
BITCOIN_PAY_ME Pay me via BitCoin 2.0
RDNS_NONE Delivered to internal network by a host with no rDNS 1.0
FROM_IN_TO_AND_SUBJ From address is in To and Subject 3.0
BITCOIN_MALWARE BitCoin + malware
Also that ip is blocked in RBL for the same kind of spamming as well and SPF check also says SOFT fail.
RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [78.30.30.111 listed in list.dnswl.org]
What do we do?
So let's get in contact with the server or hosting company and give them an ear full! Weeeeeell, It's more than likely the email came from a server that was hacked or an email account that has a low level password like 'pass1234' and it was hacked and sent out 80,000 emails before it was closed down.
Getting caught by a scammer is usually from a lapse of judgment or just coincidental
So you can imagine if last night you decided to visit a kinky adult site for the first time and the next morning you received this email. Or you're going for a loan at ANZ and the next morning you receive one of those 'Your Loan Has Been Approved, login to see more' scams. Even the smarties can get caught out.
Do I need to say this?
- change passwords regularly on important sites
- use a password manager
- never share passwords to friends
- always logout when finished (when on public computers)
- every email is a scam, until proven otherwise
- don't take what I am saying here as gospel, if in doubt, talk to a professional
- If it's too good to be true, THEN IT'S A SCAM!