Sextortion Scammers Using Email Address Spoofing to Fool Victims


written by Brett M. Christensen February 1, 2019
www.hoax-slayer.net

Fake blackmail sextortion scams are increasingly common. Typically, sextortion scammers send out thousands or even millions of identical emails claiming that they have captured video of the recipient visiting a porn site. The scammers threaten to send the compromising video to all of the recipient’s contacts if they do not receive a “keep quiet” payment via Bitcoin. But, the scammers have not created a compromising video. Nor have they hijacked the recipient’s contact list. The whole thing is a bluff. However, the scammers know that at least a few recipients will be panicked into sending the requested money. To increase their chances of success, the scammers use a variety of dirty tricks to convince potential victims that the claims in their fake blackmail messages are true.

Email Spoofing Trick
One such trick is to make it appear that the email was sent from your OWN account thereby supposedly proving that they have indeed compromised your device as claimed.

Here’s an example from a typical scam email:

Your account has been hacked by me in the summer of this year. I understand that it is hard to believe, but here is my evidence:
– I sent you this email from your account.
– Password from account [email address removed]: [password removed] (on moment of hack).

If you look at the sender address of the email, it will display YOUR email address. So, it may seem that the sender has indeed broken into your account to send the email. But the scammer has simply forged the header of the email so that your email address appears as the sender. This is a technique known as “spoofing” and is not difficult to do. In other words, the email did not come from your account at all. It just looks that way because of the forged email headers.
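A header check that separates a forged "sent from your own account" message from a genuine self-sent one, given here as an added example that is not part of the original article. The sample message, addresses and the receiving server name mx.example.org are constructed, and the sketch assumes your mail server records SPF, DKIM and DMARC verdicts in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the ID your own receiving server writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.example.org"

# Constructed sample: visible From equals the recipient, as in the scam above.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=softfail smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.org
From: <victim@example.org>
To: <victim@example.org>
Subject: Your account has been hacked

I sent you this email from your account.
"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc verdicts, ignoring headers not written by our server
    (a sender can forge Authentication-Results just like From)."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip().lower() != TRUSTED_AUTHSERV:
            continue
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            verdicts.setdefault(mech, verdict.lower())
    return verdicts

def spoof_indicators(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    findings = []
    if sender and sender == recipient:
        findings.append("from-equals-recipient")  # benign alone; telling with a failure below
    if envelope and _domain(envelope) != _domain(sender):
        findings.append("envelope-domain-mismatch")
    verdicts = auth_verdicts(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}-{verdict}")
    return findings
```

A note you genuinely sent to yourself yields only from-equals-recipient, while the forged message also shows an envelope mismatch and authentication failures.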

Other Dirty Tricks
As I discuss in more detail in another report, the scammers often include user passwords in their scam emails as a way of making their false claim seem more plausible. And, in another variation, the scammers include the recipient’s phone number along with the password. The scammers are extracting passwords and phone numbers from old data breaches and automatically matching them to the corresponding email address. They can then distribute vast numbers of emails that are identical except for the password and phone number that matches each email.

Don’t Respond — Just Hit “Delete”
If you receive one of these scam emails, don’t be fooled. By including real passwords and real phone numbers, and making it appear that the recipient’s account sent the message, the scammers significantly increase the likelihood that their claims will be taken seriously. More people will fall for the ruse and send their money to the criminals. But, despite these clever tricks, the emails are still just empty bluffs. To reiterate, the sender has not hacked your computer and has not created a compromising video of you.

Don’t respond. Just hit the “delete” key.

New Phishing Email – Don’t get caught

There is a new phishing email doing the rounds claiming your incoming emails are on hold and to click one of the actions listed in the email (see below).

There are a number of clues to prove it’s spam.

Firstly, the from address is service@vienna.taskwunder.com – not any Office 365 admin email address I’ve ever heard of! 🙂

Secondly – hover (don’t click) the links – they link to www.nlsandton.me – again not any email provider anyone’s ever heard of.

If you get this mail – simply delete it! 🙂

Lloyds Bank fake email “FW: Incoming BACs Documents”

Just received the email below – purporting to be from Lloyds Bank – looks genuine enough but clearly it is just another phishing email looking to grab some details off you or drop some malware or virus on your PC. If you receive this email – delete it. Do not click on the PDF link in the email.

If you have already done so – contact me and I can clean your PC for you. If you don’t have a decent anti-virus – I can help you there too as I resell BitDefender GravityZone – one of the best on the market.

Look out for Office 365 Phishing email

I received this email this morning (below) which looks genuine enough at the first glance – however – hover over the ‘rectify issue’ button and you get taken off to some bizarre phishing site were you to click the link – be aware and don’t fall for these emails – if in doubt ask somebody in the know or simply hover over the button to display the destination (this one went to http://fatebegins.com/localization/customize/index.php – clearly not a Microsoft site!)

Beware new WhatsApp Scam

A scam text message has been doing the rounds stating that WhatsApp is about to start charging people to use the service. It is not true.

The text message invites people to click on a link and pay 99p for a lifetime subscription to the service because their current subscription has come to an end.

However, it is a scam and anyone who receives it should delete it immediately, do not click on the link and certainly don’t hand over your bank details.

If you have clicked the link then you’re probably wise to run antivirus software.

When it was launched, WhatsApp did charge 99p after the first year but that was later scrapped.

It was not immediately clear where the scammers had got people’s telephone numbers from.

Google Phishing Scam : Beware new scam targeting Googlemail


A huge scam is sweeping the web and anyone with a Gmail account may be vulnerable. Huge numbers of people may have been compromised by the phishing scam that allows hackers to take over people’s email accounts. It’s not clear who is running the quickly spreading scam or why. But it gives people access to people’s most personal details and information, and so the damage may be massive.

The scam works by sending users an innocent looking Google Doc link, which appears to have come from someone you might know. But if it’s clicked then it will give over access to your Gmail account — and turn it into a tool for spreading the hack further.
As such, experts have advised people to only click on Google Doc links they are absolutely sure about. If you have already clicked on such a link, or may have done, inform your workplace IT staff as the account may have been compromised. The hack doesn’t only appear to be affecting Gmail accounts but a range of corporate and business ones that use Google’s email service too.

If you think you may have clicked on it, you should head to Google’s My Account page. Head to the permissions option and remove the “Google Doc” app, which appears the same as any other.
You’ll be able to tell if it is the malicious app if it has a recent authorisation time. That app has full access to a person’s Google account as well as being able to send emails that appear to be from them, making the attack especially dangerous. The email itself comes addressed to hhhhhhhhhhhhhhhh@mailinator.com — which is the only way to know that the email is malicious. They otherwise look completely legitimate, including the account in the “from” field.

Facebook Hoax

If you get a Facebook message with the following text

Tell all contacts from your list not to accept a video called the “Sonia disowns Rahul “. It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on the radio.

Do not share it as it is a hoax. It will not format your mobile and you probably won’t ever be sent the so-called video.

http://www.snopes.com/sonia-disowns-rahul-hoax/

Phishing email that knows your address

Something you need to be aware of, posted on the BBC ( http://www.bbc.co.uk/news/technology-35977227 )


A new type of phishing email that includes the recipient’s home address has been received by thousands of people, the BBC has learned.
Members of the BBC Radio 4’s You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms.
The firms involved have been inundated with phone calls from worried members of the public.
One security expert warned clicking on the link would install malware.
You and Yours reporter Shari Vahl was one of the first on the team to receive an email.
“The email has good spelling and grammar and my exact home address…when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.
“My tummy did a bit of a somersault when I read that, because I wondered who on earth I could owe £800 to and what was about to land on my doormat.”
She quickly realised it was a scam and did not click on the link.
“Then, a couple of minutes later, You and Yours producer Jon Douglas piped up as he’d received one and then another colleague said he’d received one too, but to his home email address,” she added.
The You and Yours team decided to contact the companies that were listed in the emails as being owed money.
A spokesman for British Millerain Co Ltd, a waxed cotton fabric manufacturer, told the programme that the firm “had more than 150 calls from people who don’t owe us money”.

And a spokeswoman for Manchester shelving firm Greenoaks said: “My colleague took a call from an elderly gentleman and he was very distressed because his wife had had one of these emails.”

Dr Steven Murdoch, principal research fellow at the department of computer science at University College London, told You and Yours: “Most likely it was a retailer or other internet site that had been hacked into and the database stolen, it then could have been sold or passed through several different people and then eventually it got to the person who sent out these emails.” He said that the email bore the hallmark of previous phishing attempts from gangs in Eastern Europe and Russia. He said that clicking on the link would install malware such as Cryptolocker, which is a form of ransomware that will encrypt files on Windows-based computers and then demand a fee to unlock them.
Anyone receiving such an email is advised to delete it and report it to the national fraud and cybercrime reporting centre Action Fraud.

Facebook to alert you of impersonation accounts

Apparently Facebook is testing a ‘troll detection’ engine that will scan its billions of users for accounts which appear to be impersonating others, and flag up imitations. According to Mashable it has been in development since November but is now live for 75 percent of the world.

Antigone Davis, the social network’s head of global safety, said impersonation alerts were intended to minimise the harassment of women on the platform. “It’s a real point of concern for some women in certain regions of the world where it [impersonation] may have certain cultural or social ramifications,” Davis said.

When the new feature detects a user with the same name and profile picture as another, the new tool will send an alert to the suspected target. Mashable reports that the alert will ask the person to confirm the impersonation by using personal information. The process is automated but profiles that are flagged as fake will be reviewed by Facebook staffers.

Impersonation of another user is outlawed because it falls under the company’s controversial ‘real names’ policy. Since its launch the company has insisted that users provide their real names, rather than a pseudonym or other names a person may use to ensure they are not easily found on the site. “We require people to provide the name they use in real life; that way, you always know who you’re connecting with,” Facebook’s policy page on the issue says.

However, after a coalition of human rights and privacy groups complained that the name policy “exposes its users to danger, disrespects the identities of its users, and curtails free speech,” Facebook introduced new tools to make verification easier. In December Mark Zuckerberg’s company started testing a tool, in the US, that allows those required to prove their identity to say if they have a “special circumstance”.

The UK is also moving to make it easier for authorities to prosecute trolls who use fake profiles online. The move from the Crown Prosecution Service aims to clamp down on those that post “damaging or embarrassing” material.

As well as the impersonation feature Facebook is also reportedly testing new ways for people to report nonconsensual intimate images — commonly referred to as revenge porn — that are posted to the site.

Facebook is apparently testing a new way of reporting nudity; when someone reports an inappropriate photo they will have the ability to identify themselves as the person in the photo. Facebook will then review the images as standard, but Mashable reports that when this happens it will provide links to support groups and potential legal options.

Recently WIRED reported on the cases of several users who had sensitive photos posted to Facebook. The issue, which is a growing one across all social media platforms, was described by legal experts as having “no silver bullet”.

Mary Anne Franks, Law professor, University of Miami School of Law, said that as a society we need to change laws, technology and culture.

This article was published on www.wired.com ( http://bit.ly/1MlPnCR )

Beware Crypto Ransomware

Last week one of our staff opened a zip attachment that squirmed its way through the mail filters. Boom – cue a host of fileservers with files infected by cryptoware – it encrypts your files and renames them to the extension .locky – you can pay to have them unlocked! Nice – luckily I found the offending machines, re-imaged them and deleted all files and restored from backup. Problem solved – well apart from blocking zip attachments (probably something I should have done ages ago!)

Here’s some more info, found on Neowin.net

We already know that ransomware has become a growing threat to users around the world. Last week, Mac users saw their first such attack on Apple’s operating system. By encrypting a user’s local files and holding them ransom for payment in the hundreds of dollars, the perpetrators have become increasingly sophisticated in their methods to extract money. The software is so difficult to deal with that the FBI advises people and businesses to just pay up to unlock their files.

Now, according to Trend Micro, the past 24 hours have seen a rash of new crypto-ransomware spreading through popular websites. The attack, dubbed Angler Exploit Kit, is taking advantage of vulnerabilities in Adobe Flash and Microsoft Silverlight, among others, to feed the malware through compromised ad networks.

Malwarebytes is reporting that the “malvertising” is hitting the BBC, MSN, nfl.com, The New York Times, my.xfinity.com and many others in the form of clickable banners. The anti-malware company provided lots of detail around the exploit, reporting a number of suspicious domains through which the ads are apparently served. Google’s ad network carried trackmytraffic[.]biz, while the AOL, Rubicon and AppNexus ad networks carried talk915[.]pw as well. Other suspicious domains include brentsmedia[.]com, evangmedia[.]com and shangjiamedia[.]com.

According to a blog post by SpiderLabs at Trustwave, as reported by Ars Technica, the team inspected a JSON-based file and wrote the following:

If the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble.

Google’s ad network was compromised in this attack, according to MalwareBytes. Last year, Google reported to have made progress in filtering ad injectors and malicious sources across the ad networks it manages. However, it would appear that the ad network still has work to do.

Credit John Devon – neowin.net