hOme.beardedDonkey - PSA: Very sneaky scammers are at it. (November 2018)
Be aware of them and don't fall for their tricks.

This morning I noticed an email in my personal email account, which is hosted on my own domain that I pay a webhost company for. I've had this website at this host company for the last 15 years. The email was in broken English and very similar to most scam emails you will get: they say they've hacked you, they've got dirt on you (photos and videos), and if you pay them in Bitcoin they'll delete the stolen files (LOL).

The one I got quoted an old, easily brute-forced password that I use/used on throwaway accounts like discussion forums, and it appeared to have come from my own email account, like when you send yourself an email. So the initial reaction is "hey, this is for real, they got into my email account," but I knew the old, easy-to-crack password doesn't give them access to that email account to send an email to myself. I also know that old password isn't used to access any other computers or devices I have. So I had to figure out how they got into my personal email account.

First thing I did was Google the subject line of the email, which gives you this website: https://foodsho.typepad.com/blog/2018/11/you-password-must-be-need-changed.html which contains the text from the body of the email. I couldn't see the body of the email (I think Outlook was blocking it), so when I read the message I already suspected it was scammy and not legit. So then I used some logic to decide if they would've been able to access my personal email account at all.

The answer is: they didn't!

The old password and its association with my personal email address was most likely obtained from data that came from a website breach. https://haveibeenpwned.com/ will tell you if any accounts you have on websites have ever been breached. My email has about 6 breaches against it, and they used that email address and the old, easy-to-crack password.

So how did I verify they never got into my email account? I used an email header analyzer website: https://mxtoolbox.com/EmailHeaders.aspx

I took the scammer's email headers and analyzed them using that website, then sent myself an email and analyzed those headers for comparison.

The scammer's email traces back to ono.com, which is a provider in Spain, and the first email server it was transferred through is blacklisted. So it seems like whatever spam protection software I have on my personal email didn't catch that and mark it as spam.
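To show the same header check in code, here is an added example (my own, not from the original post or the header analyzer site) that walks the Received: headers of a constructed message whose From: is forged to look self-sent, and reports where it really entered the recipient's mail servers. The hostnames, IP addresses and the set of "trusted" servers are made-up placeholders.

```python
import re
from email import message_from_string

# Constructed sample message (not a real email): the From: header is forged
# to look like the recipient mailed themselves. Received: headers are listed
# newest-first, as in a real message, so the origin is the LAST one.
RAW_EMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.net with ESMTP; Thu, 15 Nov 2018 08:01:02 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.example.net with ESMTP; Thu, 15 Nov 2018 08:01:01 +0000
Received: from unknown (HELO [192.0.2.55])
\tby relay.isp.example with SMTP; Thu, 15 Nov 2018 08:00:59 +0000
From: me@example.net
To: me@example.net
Subject: You password must be need changed

Pay in Bitcoin or else...
"""

# Minimal parse of one Received: header: "from <host> ... [<ip>] ... by <host>"
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+)", re.S)

def parse_hops(raw):
    """Return hops oldest-first as (from_host, from_ip, by_host) tuples."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if m:
            hops.append(m.groups())
    return hops

def external_handoff(raw, trusted_hosts):
    """Newest hop whose sending host is outside our own servers: the real entry point."""
    # Only lines written by your own provider's servers are reliable; anything
    # older than this handoff could have been forged by the sender.
    for hop in reversed(parse_hops(raw)):  # newest first
        if hop[0] not in trusted_hosts:
            return hop
    return None

def submitted_via_own_servers(raw, trusted_hosts):
    """True if the oldest hop was accepted by one of our servers, as a mail you
    really sent to yourself would be. False means the From: was forged."""
    hops = parse_hops(raw)
    return bool(hops) and hops[0][2] in trusted_hosts

if __name__ == "__main__":
    print(external_handoff(RAW_EMAIL, {"mail.example.net", "mx.example.net"}))
```

The IP of the handoff hop is the one worth checking against a blacklist; the forged From: only shows the message was never submitted through the recipient's own servers.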

How to prevent this? You'll never stop websites you have accounts on from getting hacked and the user account data stolen, so you should always use really strong passwords. The longer the better: upper- and lower-case letters, numbers, and symbols. These scammers could make a really convincing-looking email because they were able to brute-force my weak password from the breached data.

You should never use the same password on multiple accounts that offer access to further accounts. For instance, most people have a Gmail account. If someone gets into your Gmail account, they can easily search it, find the other services you have accounts with, and then do all sorts of things like password resets.

For example, you shouldn't use the same password for your Gmail account as you do for your Facebook account. If Facebook gets hacked and your encrypted password is compromised in the Facebook attack, then with enough time (and/or, like me, with a really weak password) anyone who gets access to the stolen login data can eventually crack your password (if it's weak).

This scam/phish attempt was pretty tricky, but it does rely on your being fooled just enough to believe someone has something over you. It's easy to get overwhelmed with fear when you see one of your passwords in a strange email, but if you think it all through you can work out what has happened.
