Hacked!?
TL;DR — I recently received an email telling me that I've been hacked. Since I don't believe it, I thought I'd make fun of it instead.
A couple of weeks ago, I was lucky enough to receive an #email telling me how one of my email accounts (and the devices associated with it) had been hacked. What's more, this email appeared to be "From" the hacked accounts, a feat designed to help me understand just how serious of a threat this hacker is.
And I do understand - they're a joke.
Now, I am not disrespecting "real" #hackers, the kind who are perfectly capable of destroying my bank account, doxxing my children, and generally ruining my life, so please, don't take this as some kind of a challenge. Instead, I'm disrespecting a "script kiddie", someone who can't actually hack, and instead spends their time trying to fake it by scaring people who don't understand the shiny magic boxes we commonly call computers (or, more generally, "devices").
Unfortunately for this lamer, I do understand these magic boxes enough to call their bluff, and have decided to post their weak-sauce attempt at extortion here (along with some commentary of my own). Although I've redacted the addresses that I received these messages from, I've kept most of the actual text of the messages intact, in hopes that someone searching for this text may come across this post and save themselves a truly unnecessary extortion payment.
The Email
From: [redacted-address]
To: [redacted-address]
Subject: [redacted-address] - this account has been hacked! Change all your passwords!
Hello!
Hi!
I have bad news for you.
Uh-oh.
19/07/2018 - on this day I hacked your operating system and got full access to your account [redacted-address]
Oh, noes! You hacked my operating system to get access to my email address?
Wait, how does that work?
It is useless to change the password, my malware intercepts it every time.
Wow, that's some magical malware.
How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
I've always wondered how it was, so thanks for telling me.
By the way, I like how you use the generic term "device" - that must make it easier to mass-send bogus emails like this. I mean, which device associated with this email did you hack?
I only ask because... well, let's not ruin the fun yet.
A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.
I want to say - you are a big, big pervert. You have unbridled fantasy!!!
You know, I used to play bass for Unbridled Fantasy back in high school.
After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I made a screenshot of your joys (using the camera of your device) and joined all together.
It turned out beautifully, do not doubt.
Both my favorite intimate website and my "joys", together in one picture? I gotta see this!
By the way, thanks for telling me how beautiful my "joys" look, it's not often that I get a compliment like that.
I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
And I am strongly belive that you're not much of a writer. Or a hacker.
I think $741 is a very small amount for my silence.
Besides, I spent a lot of time on you!
OK, this just got weird.
I accept money only in Bitcoins.
My BTC wallet: 1H9bS7Zb6LEANLkM8yiF8EsoGEtMEeLFvC
But, what if I don't know how to replenish a Bitcoin wallet?
You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
It's easier than send money to a credit card!
I don't know, send money to a credit card is pretty easy.
For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes ... it has already started!
After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".
Well, it's been over a week since I opened the "letter" (approximately 168 hours, by my math), and so far, no "joys".
I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.
Yeah, here's the thing about the email you "sent": you didn't actually send it, you just tried to send it (and you didn't even bother to hide the source IP!), but my email handling rules caught it, flagged it, and dumped it into my #spam folder, which is why it took me over a week to notice it.
P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.
Well, you sure seem trustworthy, so I'm sure I can believe your "guarantee". And your haxx0r "code of honor".
From now on, I advise you to use good antiviruses and update them regularly (several times a day)!
Don't be mad at me, everyone has their own work.
Sure, if by "work" you mean "scaring technophobes from your parents' basement".
Farewell.
Bite me, lamer.
The Truth
Now, you may be asking yourself, "how does he know that his devices haven't actually been hacked?" Well, in addition to all of the reasons raised above, there is one more I neglected to mention: the email account that this master haxx0r allegedly compromised isn't even associated with any devices. It's just an email address, plain and simple, and isn't used for logging into any application or device anywhere on the #internet. What's more, I've been sending out and posting resumes with this address for a few weeks now, and suspect that this is how this wannabe got their hands on it.
So, in the end, how can one try and minimize their exposure to hacking threats (especially fake ones)? Well, IANAHOSE, but these are some of the ways that I do it:
- For years, I've tried to diversify my accounts, using different emails for different sites, and keeping those email addresses separate from the accounts I use on actual devices.
- To make this work, I had to buy a domain name (which costs about $10 / year) and set up a catch-all (or "wildcard") address. That way, I can use anything I want for the "local-part" of the email address (aka the portion before the "@" symbol), and I'll still get it at my main address (which I don't typically share).
- Likewise, I diversify my passwords, using a different password for each site / device. The easiest way to do this is with a good password manager.
- I also try to keep good backups, so if my devices do get hacked, I can wipe and restore them (relatively) easily.
- Finally, as alluded to above, I have Sender Policy Framework (SPF) rules set up to work with my domain, which helps to prevent others from sending unauthorized emails from an account I own.
Always try to remember: No matter how scary an email may look, don't believe everything that you read. Many (if not most) are from fakers just like this one, and are nothing more than poorly-weaponized spam. And, just like with regular spam, the only proper (and safe) way to react is to ignore it completely.