You’ve probably seen an email very similar to the below land in your inbox recently, as there’s a lot of these doing the rounds. Scams like this aren’t new, but what is adding an air of authenticity to it is the inclusion of an older password I used to use when I was a uni student.


Dear user of philconway.co.uk!

I am a spyware software developer.
Your account has been hacked by me in the summer of 2018.

I understand that it is hard to believe, but here is my evidence:
- I sent you this email from your account.
- Password from account redacted@philconway.co.uk: stupidpassword02 (on moment of hack).

The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296).

I went around the security system in the router, installed an exploit there.
When you went online, my exploit downloaded my malicious code (rootkit) to your device.
This is driver software, I constantly updated it, so your antivirus is silent all time.

Since then I have been following you (I can connect to your device via the VNC protocol).
That is, I can see absolutely everything that you do, view and download your files and any data to yourself.
I also have access to the camera on your device, and I periodically take photos and videos with you.

At the moment, I have harvested a solid dirt... on you...
I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit.

I note that it is useless to change the passwords. My malware update passwords from your accounts every times.

I know what you like hard funs (adult sites).
Oh, yes .. I'm know your secret life, which you are hiding from everyone.
Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :)

I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera.
Believe it turned out very high quality!

So, to the business!
I'm sure you don't want to show these files and visiting history to all your contacts.

Transfer $802 to my Bitcoin cryptocurrency wallet: 
Just copy and paste the wallet number when transferring.
If you do not know how to do this - ask Google.

My system automatically recognizes the translation.
As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system.
Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position.
You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it.

Since opening this letter you have 48 hours.
If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted,
and from my server will automatically send email and sms to all your contacts with compromising material.

I advise you to remain prudent and not engage in nonsense (all files on my server).

Good luck!

Straight away, there are a number of issues with this email that grab my attention without looking at anything more technical, mainly that I don’t own a webcam, and outside of music websites, technology websites, and a selection of dank memes, my browser history is pretty vanilla….

I also don’t use the password quoted for my email address. However, the inclusion of an older password is concerning – where did this info come from?

So lets take a closer look at this email and where it originated – are the claims of it being sent from my own email account genuine?

Return-Path: <redacted@philconway.co.uk>
X-Original-To: redacted@philconway.co.uk
Delivered-To: default-philconway.co.uk@foundation.nucastle.co.uk
Received: from [83.66.170.15] (unknown [83.66.170.15])
	by foundation.nucastle.co.uk (Postfix) with ESMTP id 4C6C416A326C
	for <redacted@philconway.co.uk>; Thu, 15 Nov 2018 13:34:19 +0000 (GMT)

Here’s the first thing that stands out. The IP address in the Received header doesn’t belong to my email server, and the hostname is listed as “unknown” (Postfix could not find a reverse DNS name for it). If this really was an email to myself from my own account, foundation.nucastle.co.uk would be listed as both the sending server and the receiving server, with its IP address shown. That isn’t the case here.

X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

Also present in the headers is an X-Mailer line identifying the mail client as Windows Live Mail. I don’t use Windows Live Mail in any way.
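The checks above (relay IP not ours, no reverse DNS, a bare-IP HELO, envelope sender equal to the recipient, a mail client I don’t use) can be scripted. This is an added example, not code from the original post: it parses the headers quoted above and reports each indicator. The own-server address 192.0.2.10 and the Thunderbird allowlist are assumed placeholders, not real values.

```python
import re
from email import message_from_string
from email.policy import default

# Headers exactly as quoted in the post (recipient local-part already redacted there).
RAW = """\
Return-Path: <redacted@philconway.co.uk>
X-Original-To: redacted@philconway.co.uk
Delivered-To: default-philconway.co.uk@foundation.nucastle.co.uk
Received: from [83.66.170.15] (unknown [83.66.170.15])
\tby foundation.nucastle.co.uk (Postfix) with ESMTP id 4C6C416A326C
\tfor <redacted@philconway.co.uk>; Thu, 15 Nov 2018 13:34:19 +0000 (GMT)
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109

"""

# Assumptions: the domain's only legitimate sending host, a placeholder
# address for it (not the real one) and the clients the mailbox owner uses.
OWN_HOST = "foundation.nucastle.co.uk"
OWN_IPS = {"192.0.2.10"}
MY_MAILERS = {"Thunderbird"}

RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>[^\s\[]+) \[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)"
)

def parse_received(value):
    """Extract HELO name, reverse-DNS name, client IP and receiving host from a Postfix Received header."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groupdict() if m else None

def triage(raw):
    """Return the indicators the post walks through, in the order they are found."""
    msg = message_from_string(raw, policy=default)
    findings = []
    hop = parse_received(str(msg["Received"]))
    if hop and hop["by"] == OWN_HOST:            # the last hop into our own server
        if hop["ip"] not in OWN_IPS:
            findings.append("relay_ip_not_ours")  # 83.66.170.15 is not our server
        if hop["rdns"] == "unknown":
            findings.append("no_rdns")            # Postfix could not resolve the IP
        if hop["helo"].strip("[]") == hop["ip"]:
            findings.append("helo_is_bare_ip")    # a real MTA greets with a hostname
    sender = str(msg["Return-Path"]).strip("<> ").lower()
    if sender == str(msg["X-Original-To"]).strip().lower():
        findings.append("envelope_sender_equals_recipient")
    mailer = msg["X-Mailer"]
    if mailer and not any(name in mailer for name in MY_MAILERS):
        findings.append("mailer_not_mine")
    return findings
```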

Looking at the extended headers, more info stands out which marks this as a hoax:

Content analysis details:   (17.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5547]
 2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                            [83.66.170.15 listed in psbl.surriel.com]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
                            [83.66.170.15 listed in bl.score.senderscore.com]
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=redacted%40philconway.co.uk;ip=83.66.170.15;r=foundation]
 0.0 TVD_PH_BODY_ACCOUNTS_POST No description available.
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 3.2 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam
                            (FTSDMCXX/boundary variant) + no rDNS
 0.0 TVD_PH_BODY_META_ALL   No description available.
 1.2 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                            (FTSDMCXX/boundary variant) + direct-to-MX
 1.5 BITCOIN_SPAM_07        BitCoin spam pattern 07
 3.0 BITCOIN_MALWARE        BitCoin + malware
 0.0 MIMEOLE_DIRECT_TO_MX   MIMEOLE + direct-to-MX
 2.5 TO_EQ_FM_DIRECT_MX     To == From and direct-to-MX
 0.0 TO_EQ_FM_SPF_FAIL      To == From and external SPF failed
 0.0 TO_EQ_FM_DOM_SPF_FAIL  To domain == From domain and external SPF failed

The scoring information in the extended header comes from SpamAssassin, a free, open-source utility running on my mail server. It scans and scores incoming email for potential spam by running a number of checks against the message: its headers, where it was sent from and its content. Every rule that matches adds that rule’s score to the message. Once the total reaches 5 or above, the message is considered spam. This message hit a whopping 17 points, which is pretty impressive.

So what do the highlighted rules mean?

 2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                            [83.66.170.15 listed in psbl.surriel.com]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            https://senderscore.org/blacklistlookup/
                            [83.66.170.15 listed in bl.score.senderscore.com]

This portion indicates that the IP address the message came from is listed in two blacklists that SpamAssassin checks when it receives incoming email. Both blacklists list this IP address as an open relay – basically, a server that will accept and send email on behalf of anyone, without a username or password. Spammers use these to send email anonymously.

 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=redacted%40philconway.co.uk;ip=83.66.170.15;r=foundation]

This portion is slightly more complicated, but also marks the email out as bogus. My domain publishes an SPF (Sender Policy Framework) record to indicate that only certain email servers are allowed to send email on behalf of philconway.co.uk (in this case, foundation.nucastle.co.uk). No other server is authorised by that record. Because this email wasn’t sent from that server, it fails the SPF check.
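To show how the SPF_FAIL result above comes about, here is a minimal SPF evaluator (ip4, a and all mechanisms only) run against a constructed record. This is an added example, not the post’s own code: the TXT record, the 192.0.2.10 address for foundation.nucastle.co.uk and the DNS table are placeholders, since the real records are not shown in the post.

```python
import ipaddress

# Constructed DNS answers. The post only states that foundation.nucastle.co.uk
# is the sole permitted sender; the real record and address are assumptions.
DNS = {
    ("philconway.co.uk", "TXT"): "v=spf1 a:foundation.nucastle.co.uk -all",
    ("foundation.nucastle.co.uk", "A"): ["192.0.2.10"],  # placeholder address
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, dns=DNS):
    """Evaluate the envelope-sender domain's SPF record for the connecting client IP.

    Mechanisms are tested left to right; the first match decides the result,
    exactly as the receiving server does for the MAIL FROM domain.
    """
    record = dns.get((domain, "TXT"))
    if not record or not record.startswith("v=spf1"):
        return "none"                      # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all: "-all" is the hard fail seen above
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "a":
            host = arg or domain
            if any(ip == ipaddress.ip_address(a) for a in dns.get((host, "A"), [])):
                return QUALIFIERS[qualifier]
    return "neutral"                       # record exhausted without a match
```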

The rest of the rules highlighted in red (the direct-to-MX ones) indicate this email was delivered straight to my receiving mail server from the sending machine rather than through a proper outbound mail server for the domain, which is another indicator of spam.

Onto the body of the message itself:

I understand that it is hard to believe, but here is my evidence:
– I sent you this email from your account.
– Password from account redacted@philconway.co.uk: stupidpassword02 (on moment of hack).

The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296).

1) The address quoted isn’t actually an email account – it’s an alias. It forwards email to another inbox which isn’t publicly listed. I used to use this address but no longer do, which is why it is now an alias – so I don’t need to check multiple old accounts. You can’t use this address to log in to anything, so this claim isn’t true.

2) I never used this password for email (even as an IT newbie at uni, I understood the importance of password separation for different accounts). It couldn’t have been used to log into anything other than an old social media account, so this isn’t true either.

3) The Cisco router vulnerability is interesting – CVE-2018-0296 affects a number of Cisco ASA firewalls and firewall appliances, but no routers. It’s in there for extra scare factor. Needless to say, I don’t access the internet via a Cisco ASA, and you can’t hack something that isn’t there, so this isn’t true either.

I can see how, to the uninitiated, the contents of this email might be scary or even plausible (especially as it contains an old password I used to use). So where did this info come from?

The answer is fairly straightforward – remember all those big data breaches you’ve heard of involving websites? If the company in question has been really poor at data security, they haven’t hashed and salted their stored passwords (a best practice which prevents a data breach from exposing passwords in plain text and allowing them to be re-used). In this case, the email address and password quoted are from the MySpace breach of 2016 – they used to be my account details. These details, along with an estimated 360 million others, were grabbed by hackers when MySpace was breached some time before 2013 (and then leaked onto the dark web).

Hackers have been using this info for “credential stuffing” attacks for years, basically testing these old usernames and passwords against different sites to see if they still work. If you’ve ever witnessed spam being sent from a friend’s email address or similar, this is probably how it happened – reuse of passwords. It’s human nature, but also a poor security practice. The access logs on my email server are full of people trying, on a daily basis, to log into these old accounts that no longer exist, using these old passwords.

So what can you do to prevent yourself falling victim to this?

1) Use different passwords for each level of security/sensitivity on websites. I use one set of passwords for email accounts, another for social media, and another for higher-sensitivity accounts like banks (with each high-sensitivity account having its own password that isn’t re-used anywhere). If a password is compromised, I bin it, change it wherever it’s used and never re-use it.

2) Use a credential storage app like 1Password, LastPass or KeePass. Humans can’t remember every password they use, so store them somewhere safe to make it easier.

3) Use multi-factor authentication or two-factor authentication if you can. Facebook, Steam and others (mostly financial apps) support this, so if someone gets your password and uses it, they still can’t get in without your phone or access to your MFA device.

4) Subscribe to the excellent free service https://haveibeenpwned.com/. The site is run by Troy Hunt, a Microsoft security expert. As new data breaches are discovered on the internet, Troy imports the email addresses into his site’s database, and you’ll get a notification if your email address appears in the list. HaveIBeenPwned confirmed that the email address used here was stolen from MySpace.

5) Don’t get sucked into or respond to these emails, either by replying or by paying funds. These emails are being sprayed all over the internet; if a hacker really had this level of information on you, they’d be calling you on your actual cell/mobile and demanding payment (at which point you should be involving the police). This email is nothing more than a contrived and clever scam, made more believable by the inclusion of personal information.