An Odd and Very Demanding Message

Last Friday night, I received a note from “Hyman Cipolletta” using the Outlook.com account rriivoryorz@hotmail.com. The message header shows that the message originated in a North American server (Namprd12.prod.outlook.com) in the common Office 365 infrastructure shared by Exchange Online and Outlook.com.

My interest was tweaked by the subject, composed of an old password and my Gmail account name. The message (Figure 1) started off:

“I won’t beat around the bush. I am aware xxxx is your password. Moreover, I know about your secret and I’ve evidence of your secret. You do not know me personally and nobody hired me to investigate you.”

Figure 1: The message demanding a Bitcoin payment

The Scam

0.75 BTC is EUR5,276 or US$6,147 at today’s rate, so the sender of this note had serious intentions. They demonstrated that they knew something about me (my Gmail address and an old password) and laid out a rational explanation for what might had happened. The flaw in the argument was that I knew I hadn’t been near any adult video sites, so the description of a keylogger being installed on my PC couldn’t have happened. And without the keylogger, no contacts from Facebook, Messenger, and email could have been gathered.

But if you had been tempted to go near such sites, it’s possible that what was described might have happened, which is why scammers lay out a plausible story in the hope that some of the millions of people they send email to will panic and believe that their watching habits would soon become public.

Internet to the Rescue

You might blame the internet for making porn easy to access. When it comes to scam, the internet is pretty fast at reporting their techniques and letting people know what’s really happening. A quick search revealed many descriptions of similar emails. Here are two:

• BusinessInsider
• UK Independent

Brian Krebs broke the story on July 12 and it seems like since then scammers have been working their way through a store of stolen email addresses and passwords to try and convince as many as they can to send them various sums of money. I guess I should feel good that my demand was at the high end of the spectrum as others have been asked for far less.

Payments Flowing In

What’s distressing is that some people are paying the scammers. @SecGuru has been able to keep track on some payments (Figure 2) and it seems like the scam is profitable.

Figure 2: Cash flows in for the scammers

How Did the Scammers Get My Data?

If you go to Troy Hunt’s Have I Been Pwned site, you can find a list of sites where attackers have stolen email addresses and passwords. Looking through the list, I find sites that I use, like LinkedIn, where over 164 million addresses were compromised, and Disqus, also with sites that I occasionally used, like Ancestry.com. A simple check revealed that my email address is on 4 breached sites, so the scammers have a choice of sources where they can find my address.

What to Do

In any case, the password cited in the email is an old one that I don’t use today.  This means that the combination isn’t worth much to hackers, especially as I use multi-factor authentication (MFA) whenever possible to protect any important site that I use.

If you receive an email that contains a password you still use, you should obviously change that password on any site where it is still active. And if possible, take the choice to use multi-factor authentication to improve security. Services like Gmail, LinkedIn, and Office 365 support MFA.

Above all, don’t respond to the scam. Ignore the message, unless you feel that you should report it to the local police force (as recommended by some experts). Personally, I don’t think that most police forces can do much about this kind of scam. I reported the email to Microsoft (use Outlook’s Report Message add-in) so that they can improve their ability to block rubbish like this in their anti-malware tools.

Scams are a Pain

The popularity of email as the lingua franca for communication across the internet means that attackers like finding new ways of poking at human vulnerability to make money. This is just another example of a scam that’s popular right now. Do the right thing and secure your passwords and you’ll be fine. Stay safe!

Follow Tony on Twitter @12Knocksinna.