© 2020 Dan Weis

danweis.me

Recent Blackmail Campaign

When there is money to be made, you can always count on the scum of the earth trying to make a quick buck.Last week I received a Blackmail email from a generic Outlook account. Now dodgy emails are not uncommon, I get around 10-12 Phishing emails per week, some well crafted, some not so well crafted, and are usually imitating say Westpac, or Paypal or similar. Blackmail campaigns have been on the increase over the last 6 months over Phishing emails due to their ability to bypass a lot of email solutions, you can expect this trend to continue. This one caught my interest though.Office365 performed well in dropping the email to my Junk on first detection. The email claimed to be from one 'Binnie Winston' with the subject line containing an old password I can't even remember when I used last, atleast 8-10 years ago id say.

Looking at the mail headers, it targeted an email address I had not used in many years also:

This was my first indication that they probably pulled my email address and password from one of the old dumps that has been online. This is referred to and normally used for; 'Credential Stuffing' which has been blogged on extensively by Troy: https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/ The process attackers normally use, is to try passwords found from older breaches (combo lists) to see if these passwords are reused across other systems. Obviously they are now using this info/combo lists in blackmail campaigns.Here is the rest of the email. Its well written using a believable scenario for most users. Even though being a security guy, I know its 100% not legit, the human factor still kicks in and you get that sinking feeling, any normal person would get a bit of anxiety from an email like this:

First up the email claims that at some point or another I visited a porn site and while watching the video the browser apparently became compromised and then compromised my machine and started a remote control desktop with a keylogger and access to my webcam. Few problems here buddy, no.1 I dont visit porn sites (although many people do), secondly, yes you can be hit by a drive-by-download attack with malware deployed via a website, but this requires you to have an older browser which doesnt have all the recent security features that every current browser has, and also requires you to have no AV/endpoint protection whatsoever (I use edge for everything too) and would have also prompted me to enable the attack, a java popup or something like that. Third, you cant just gain remote access to a machine through a web browser!Additionally, you generally need to have admin right on your machine to enable a keylogger to work as intended, let alone allow direct access to my webcam. So apparently he took a 'double screen video' of me getting dirty with some porn and used my webcam. Even if I wanted to be one of those people that watch freebie porn, I've always utilised webcam stickers to cover my webcam and and I disable the webcam via my BIOS and OS (I never really use it).As you can see in the email, the attacker is asking me to make a reasonable bitcoin payment of $1200.00 and even gives me instruction on how to get bitcoin:

This part brought a smile to my face:

Apparently the attacker has embedded a unique pixel into this message, so he knows when I read it. But hang on, you have remote access to my computer right??? surely you would already know that I have read it as you are 'watching my screen'!Guys, if an email is junked, like mine did to this one, Outlook automatically blocks all images, links and other functionality, so nothing like that can execute. Also the only way to get this info back, is if you manually clicked on an image within an email, or reply to a read receipt request. In either case an image in an email does not have access to send back info on whether something was read in most cases.

Where did she/he pull my password from?

I'm a strong supporter of the brilliant haveibeenpwned service run by troy hunt, this site catalogues the various data breach dumps and combo lists, as well as pastebin sites and advises if any of your details have been pwned. If your not already using this service, it is a must and you should sign up asap.So I searched for the email address referenced in the email. I found 2 matches:

So there is a good chance the attacker got my password from either the Adobe breach or Avast breach. Failing that there are many sites and forums out there offering data breach data and combo lists for these types of nefarious purposes. One such site is raidforums, as you can see this one forum alone has a ton of breached data available for download, including Adobe and Avast!

And these types of places are where they grabbed my (and your) password from.

They come at me again.

Around 24 hours later I got another email, this time it was to my Hotmail email address. This time from a different Outlook.com address and claiming to be from one 'Jody Hertzmark'.This time it utilised a different format but still the same "you looked at porn and I compromised your machine". But this time its expanded, take a look:

As you can see its 'the same but different'. A quick check of my hotmail on haveibeenpwned and a comparison against my **.com address and there isnt one breach in common, however they most likely grabbed this password from one of these identified breaches:

The problem seems to be widescale and a large campaign, as yesterday I was approached by a colleague of mine saying he has a friend who is getting blackmailed over email. "Sounds Familiar" I tell him, "Pass me the email".Notice its the same format, from a generic Outlook.com address and from one 'Rice Dratch', however his one is asking for over double the amount of dollars, and also tells him he has 48 hours to make payment.

Needless to say this worried the individal. I did a quick pwned check, and can see his address is listed in 2 breaches, but was also listed in February on this Pastebin combo list:

A quick check on the list shows that it has been pulled down. I know the affected individual is reading this post; so you have nothing to worry about, they got your password most likely from this list which has since been pulled down, do not pay anything!

Wrapping up

So in short, these emails are quite common at the moment, they are designed to leverage fear, and due to the widescale use of free porn sites, i'm sure they will yield a degree of success. As you saw above, they will leverage any number of different variants but still be predominantly the same.They pull these credentials from various dumps and combo sites. The technical jargon they talk is complete rubbish, and there is a reason why Outlook junks these types of emails.What can you do to protect yourself, especially if you get one of these emails?

  • Sticker your webcam if you don't use it.

  • Don't re-use passwords, and use a password manager like LastPass or 1 Password (with MFA enabled)

  • Enable MFA across all your accounts

  • Register your details at haveibeenpwned.com

  • Ensure you use Edge for your browser or if you prefer a different browser, make sure it is the latest version with all patches applied (this is for both the browser and your Operating System like Windows)

  • If you are going to access porn sites, take the necessary precautions and use an inprivate browsing mode and a sandbox like Sandboxie to prevent any access to the OS.

  • Ensure you have suitable endpoint protection / antivirus installed. the 2 products I recommend are Bitdefender (Home and Commercial version) and Carbon Black (Commercial Only).

  • Do not use an administrator account where possible, have a standard everyday account and a separate account for admin access to install software etc. Use the RunAs command in Windows. (Right Click, RunAs)

  • Don't be fooled, if in doubt throw the email out.

  • Use common sense, bypass your initial reaction and emotions and think through the information and you will quickly determine that it doesn't make sense

I Hope you all found this post valuable, if you have any questions feel free to reach out to me. Until next time. Stay safe.#Phishing #PhishersSuck #Blackmail #cybersecurity #staysafeonline #DanWeis