An Odd and Very Demanding Message
Last Friday night, I received a note from “Hyman Cipolletta” using the Outlook.com account firstname.lastname@example.org. The message headers show that it originated on a North American server (Namprd12.prod.outlook.com) in the shared Office 365 infrastructure used by both Exchange Online and Outlook.com.
My interest was piqued by the subject, made up of an old password of mine and my Gmail account name. The message (Figure 1) started off:
“I won’t beat around the bush. I am aware xxxx is your password. Moreover, I know about your secret and I’ve evidence of your secret. You do not know me personally and nobody hired me to investigate you.”
0.75 BTC is EUR5,276 or US$6,147 at today’s rate, so the sender of this note had serious intentions. They demonstrated that they knew something about me (my Gmail address and an old password) and laid out a rational explanation for what might have happened. The flaw in the argument was that I knew I hadn’t been near any adult video sites, so the keylogger they described being installed on my PC couldn’t have happened. And without the keylogger, no contacts from Facebook, Messenger, and email could have been gathered.
But if you had been tempted to go near such sites, it’s possible that what the email described could have happened, which is why scammers lay out a plausible story in the hope that some of the millions of people they send email to will panic and believe that their viewing habits are about to become public.
Internet to the Rescue
You might blame the internet for making porn easy to access, but when it comes to scams, the internet is also pretty fast at exposing the scammers’ techniques and letting people know what’s really happening. A quick search revealed many descriptions of similar emails. Here are two:
Brian Krebs broke the story on July 12, and it seems that since then scammers have been working their way through a store of stolen email addresses and passwords, trying to convince as many people as they can to send them various sums of money. I guess I should feel good that my demand was at the high end of the spectrum, as others have been asked for far less.
Payments Flowing In
What’s distressing is that some people are paying the scammers. @SecGuru has been able to keep track of some payments (Figure 2) and it seems that the scam is profitable.
How Did the Scammers Get My Data?
If you go to Troy Hunt’s Have I Been Pwned site, you can find a list of sites from which attackers have stolen email addresses and passwords. Looking through the list, I find sites that I use, like LinkedIn (where over 164 million addresses were compromised) and Disqus, as well as sites that I occasionally used, like Ancestry.com. A simple check revealed that my email address appears in 4 of the breaches, so the scammers had a choice of sources from which to pick up my address.
What to Do
In any case, the password cited in the email is an old one that I don’t use today. This means the address and password combination isn’t worth much to attackers, especially as I use multi-factor authentication (MFA) whenever possible to protect any important site that I use.
If you receive an email that contains a password you still use, you should obviously change that password on every site where it is still active. And where possible, enable multi-factor authentication to improve security. Services like Gmail, LinkedIn, and Office 365 support MFA.
Above all, don’t respond to the scam. Ignore the message, unless you feel that you should report it to the local police force (as recommended by some experts). Personally, I don’t think that most police forces can do much about this kind of scam. I reported the email to Microsoft (use Outlook’s Report Message add-in) so that they can improve their ability to block rubbish like this in their anti-malware tools.
Scams are a Pain
The popularity of email as the lingua franca for communication across the internet means that attackers keep finding new ways of poking at human vulnerability to make money. This is just another example of a scam that’s popular right now. Do the right thing and secure your passwords and you’ll be fine. Stay safe!
Follow Tony on Twitter @12Knocksinna.
Thanks for bringing some attention to this recent scam. As a corporate e-mail admin, I take responsibility for minimizing the impact these types of attacks have on my users. When I learned about 3 of my users receiving similar messages last Monday, I quickly gathered the messages and started analyzing the headers in order to determine if I could create a transport rule to quarantine any future messages. Since they are all coming from “legitimate” systems (every one was from a Microsoft-hosted outlook.com or hotmail.com sender), that was a dead end. So I turned my attention to the content and found the text “BTC address” in each message. My rule quarantines and notifies when it finds that text in the message body. Hardly a perfect solution, but appropriate for my business, which doesn’t do any Bitcoin transactions. I’m calling it a marginal success, since it has caught several more messages.
However, since every reported instance I have seen is originating from a Microsoft hosted account, I’m curious what steps MS is taking to help mitigate this. Any insights you can share?
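As an added example (not the commenter’s rule and not anything from Microsoft), here is what a content check looks like that matches actual Bitcoin addresses rather than the literal phrase “BTC address”. It validates each candidate’s Base58Check checksum (double SHA-256 over the version byte and hash), so random alphanumeric tokens such as order references that merely look like addresses do not trigger quarantine. The sample message bodies are constructed; the one real address used is the public Bitcoin genesis-block address, chosen because it is known to be well-formed. Only legacy `1…` and `3…` addresses are handled; bech32 `bc1…` addresses are out of scope here.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy P2PKH ('1...') and P2SH ('3...') addresses. The alphabet
# deliberately lacks 0, O, I and l, which already rules out many look-alikes.
CANDIDATE_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")


def base58check_decode(text: str):
    """Return the 21-byte payload (version byte + hash160) if the 4-byte
    checksum verifies, otherwise None."""
    value = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        value = value * 58 + idx
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer loses.
    leading_zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if expected == checksum else None


def find_bitcoin_addresses(body: str):
    """Return every regex candidate in the body whose checksum verifies."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(body)
            if base58check_decode(m.group(0)) is not None]


def classify_message(body: str) -> dict:
    """Combine the commenter's phrase match with checksum-validated addresses."""
    addresses = find_bitcoin_addresses(body)
    phrase_hit = "btc address" in body.lower()
    return {
        "quarantine": bool(addresses) or phrase_hit,
        "addresses": addresses,
        "phrase_hit": phrase_hit,
    }


# Constructed sample bodies (not real messages). The address below is the
# public genesis-block address, used only because it is known to be valid.
SAMPLE_SCAM = ("I won't beat around the bush. Send 0.75 BTC to my BTC address: "
               "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 24 hours.")
SAMPLE_WALLET = ("Transfer 0.75 bitcoins to wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. "
                 "You have 24 hours.")
SAMPLE_LEGIT = "Your order reference is 1ThisLooksLikeAnAddressButNoChecks, thanks."

if __name__ == "__main__":
    for name, body in [("scam", SAMPLE_SCAM), ("wallet", SAMPLE_WALLET),
                       ("legit", SAMPLE_LEGIT)]:
        print(name, classify_message(body))
```

Exchange Online transport rules can match regular expressions in the body but cannot compute a checksum, so a rule can only carry the regex half of this; the checksum validation belongs in whatever tool processes the rule’s quarantine or notification output, where it removes the false positives a bare pattern match would produce.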
I’ve asked Microsoft if they can do anything. I’ll report here if they can say anything in public.
Yes please Tony,
The servers below, to name a few, are the source of the phishing emails that my users typically get attacked from:
Received: mail-eopbgr70051.outbound.protection.outlook.com [188.8.131.52]
Received: mail-sn1nam01on0040.outbound.protection.outlook.com [184.108.40.206]
Received: mail-pu1apc01on0105.outbound.protection.outlook.com [220.127.116.11]
Received: mail-pu1apc01on0080.outbound.protection.outlook.com [18.104.22.168]
Received: mail-eopbgr60067.outbound.protection.outlook.com [22.214.171.124]
What would be the best way to mitigate the spear phishing coming from the Exchange Online Protection servers?
I’ve had a couple of those too, and I copied the BTC addresses into a BTC tracker to check; fortunately no one had made any payments to the addresses I was told to send to…
I got one. I couldn’t help but reply; I told them I wasn’t too clever about bitcoin, but if they forwarded an address I’d send a cheque or money order.
Trying to open my email to get a code that was sent to this email and can’t pull it up