Journal Entries By Tag: #email

Assorted journal entries with the tag #email.


Hacked - Extortion Wall of Shame

TL;DR — I've received even more emails telling me that I've been hacked. Since I still don't believe their empty threats, I'm posting their bitcoin addresses.

👓 2 minutes

Since my last few posts about script-kiddies and the fake extortions they try to commit, I’ve received upwards of 50 such emails, each with a different bitcoin address, and many with slight differences in text, style, or form, but all basically the same: an email from myself (gasp) claiming that I have been hacked, that some nondescript OS or “device” I own has some magical virus installed on it, and that, if I don’t pay the hacker a ransom in bitcoin, my life will be ruined.

However, I know from past experience that these messages are little more than spam, sent out en masse in hopes that they can rope in some poor sucker who falls for this. I know most of these are bogus from the beginning because the email I use for my phone is completely unrelated to the ones that keep receiving these messages. Other times, the email will make vague references to programs I don’t even have installed, again betraying their carbon-copied nature. In truth, I have never paid ransom, even though I’ve personally received dozens of these messages, and my life has yet to be ruined by these lamers.

So, as a public service, I have included the bitcoin addresses for these script-kiddies, in hopes that some other would-be victim finds this page (possibly through a web search) and learns that they, too, can ignore this BS.

All addresses listed here have been reprinted as they were received.


====== BEGIN WALL OF SHAME ======
====== UPDATED: 2024-01-02 ======
1DYfqwqz7Tq93Fau61YFXBAoogQv56FvJz
1LbbzFmNMMFMwsketCSzxAur6yinXBSiQQ
185kB82fakN7BCDpcS9tfzbDc8uytm5Wo
13g3WtdxuoB9AVyy54QW9xxbDtFjE2iNHk
17WhVHdWCW3yNNAo4LXsPRpTCnhN8wVtG8
15NCWERN56DQNf4WiPLR2txgiEF2np5Q2g
bc1qvcsx0sjzqc9yy69qumjaa2jz57rr480a89tpxl
1Pp5DTCTRSzoFyaHbrSEWGDWZZRp3rMsWv
1DxrzqzwqDBw1jcHUZv1Qb9eFFfYzdiXCY
1MQj3F Sm2kcent MBiDfNZj AMP4VYf QRriC
12aJgkbT9o zAZnVwiKDg76 FNpS6FcCeVvS
19yaJM8qhsyXnwoQP7zQbMkqJStoMYxPmE
1EPeB1Ea1v1XAg7L2yFFuhifFsX1sswDKG
12nEVuGNtRFMVjeVmLtD4nt2sHX68S47yH
1M6WbcKrAu3WtyTSUz1hk4eaHRD3oUNKtp
15mSqySLsJ8MZqNQ7RfXiq54HGyt7uh3Cn
bc1qkudmdasfmlhkesgqxy7f3jtt22665wwgfsqrmq
1GwaVJAdZHQEJFdD1tpDw4KvYas1XAJyic
bc1q47rckymrjwrrld5gtpps2tshx429z2w4elwspn
1GyYujUxs2eJpECpYu3Ns6F4RvZqsp8NT6
1GdVKgGS8iXeSSrynTfHyDugrpchwVDmdZ
1AsRkzQSorZAc66fdXof9NHTNJdU4T8nC8
1FmKjxWybWDuoD17pKvKaVH81gb5HGBpyP
bc1qgfef9nlwffftl6m5qet95yxa0x7arah0h580gs
1GfBNY2DfHRQRuCHLRP1vNFUjGGLCtgTab
1DxxqP5uWPWsGgfaYwJ47wRYp1NH9tj1G2
1LzA9kzQkGDTYSfbbLE8gK5RAJ5ke32ntC
1771s891APz1wNKdn5fe3Vknmf5pN18cWu
12vuAcRSYDWuGHEVNVtQaEjBCBevps3ZcE
bc1qvksfej36d72yl46f4726yrpj9kjcgqq783ypl8
bc1qezg9c02afe3xadp9qqr0u7n8j7hlfjngv8d2f5
1GjZSJnpU4AfTS8vmre6rx7eQgeMUq8VYr
18eBGkYam1wjz1S77jz3VmADuYYFzhA3vB
376XVFQ2GDHow9kBDJ49Q3vRW7TC35L2Hx
142e8SgyTLnkvwkDkNNon9jMtKY4UDvQqr
14aFMWfDdBW9FpWxu8myFsXY7Pfy9fBp5C
17qQSJatXXj5DnjMLjNGXx9BT7NUhqimRx
1JRfE57ZF8Eaqa7DktHmVCoAneA8q4fpP2
17hMTFUWqa1oHKj7PHA361qjpZoBaChTWY
15tGbgpiksnzBY1tef2LgUbJ9pZvoDjCbs
1HUHBgNHYCz9Djy9z615adkgd2NYQNMVUd
1C242L8qAXRxudv6KBAahi81GHS5wpc8cF
1GRHyZf18sQ65CdG66YCYs7vhrzUEV1HVs
1LAWGnA2K5njVSshERU9bcUSrW2YWwtXs1
1MZsUfERBoQp6PJW4Gcx9PvgH2S6WcLiyv
1PLfzxybxkTKbcxRwhRw23TxcYDJ9wsphS
13rkwLUVuWeLtnB1JdxJGo4vin15V2poS5
1Hxkqd6fib8ZrXyYj2iqQVfDxw8vjrc1aA
14qpWY7GxcimEVbPe7x6vnbV6qDaALr7Nb
1Cboy74YFQy1pLJTRrnibYfqiVo3FXv9fe
1QEkESQ8xR13P54vt8QKBHvhKjkrCBybzk
163qcNngcPxk7njkBGU3GGtxdhi74ycqzk
1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio
1Je9xULKJK191a1JV68QuMiPgHJduSpYf6
34ZQ4zk5ep53LdTdsikrKBVn2egPa7N1NA
3MmuobsivmP6SBwdX9b2X4vs8SKBrLvRFt
14DvFghvkzQujf5Kd5AL2VKjxaYm5KidxR
14tfS3yWL2cABhXVJZ97XRhuDXC69aWH6Y
1FzjogU6vMPcJAsTgc7Fw7tMu7nmwom6QD
1CHXVoouz5b8YykXr6T1t5y4rv6enPLKjS
16j8quu5c51swAN6QUdeMEcSidxD4JdtoS
19Vok4UYuig3XC9ixoASteqXUvB378qAUR
1DEjEBAsw7rLaKnKj2mthpwPDXy6f6rXMh
15iiic5PmfGvE3TyMP1JyYh1W9KxQLGQL6
1DDRvdiUZMeF9c4zjMLHWvacJYhPcbzumf
15pY2U8WBZBJRVxGhh8WRXsdkXQbMKD8k9
1FQBA6LYwjFYfSgrHTwizV6aLPUuG3cMBa
1KiY2X9tww3zDgZmuoFRvZ7ssWx1b4moC9
1H1K8MfLEJgjCCfDEkTJmv9GJjD3XzEFGR
163qcNngcPxk7njkBGU3GGtxdhi74ycqzk
3616S7LW7c4rPpoS44eAb74gVvcY1nHo2w
18js3UK28bD11rwP1RJPjZUT93z3s3s77k
1K5gLeGFrhbsKXBQQK23TPGfqrAwgqgPkC
3Npm2ipM11TYyMymJhMW3jhmMVR91fNaod
14LYbckmC9gKJ6LR1JAWaKSsCojZfURbzH
1KE1EqyKLPzLWQ3BhRz2g1MHh5nws2TRk
36QKFL786hVNqEfkPHqvu47ZvzkXrokPSK
3KAjh4JnH2eWo7yXkMMXz5Nnf4mr13RNpr
1Ji2K8EVzxDRnpuXts1kKAjMwTrV2LTnRS
18i5utJSShwVTGdtSrmi2M3XpyRBfnpdPw
3JRHity7zbykme4uriFnroxWj0VhML780lhIC9taBjdmYd5LcVIy9N1P8UeSn1F9pAYfKV59ET0RyoiJgxWucM
MBV4M5vH2W519JEJ9T4yvqVhNaaYECxaTS
35xURRetkiCKCZNjWtlJ21sm3dWxmV48cKtIV1ygfJU7thXjc1r
1KVX9hCnQ9MfSoEFyxqAXGFXdTFNyzD22n
1KJ3ZrhrkXBVjGyAU635sapjLpLSFgpqYe
342yJ6g29rQQVehf1nbPX5UDquKUSKw4ev
19p63VSjmRLPNP34ASWPEixUDYhvGQxTFK
17z8ACS2tJouyxuoqEBoDDmaEZzFTzQg1Z
17cPvTgQ4vsG9D6iZqTL3JChjd8ApFYTPA
12ELWfXgRgqhtt8KenQbAfuBbAb1Rd3GJ7
19PRxthVN1P9hsXcStqc2Kp8Yy4hXyXVau
1BwDYXp1YCa2NLfGiF5Gfnkmgf61MqupHb
15KquhG7RGkyXvEVT1aXLgPt4qgBEVe8rN
bc1qznsh6ahq9h05pgekemygh7mdvc4egkvfvf3ltc
19Ya5oeV6zqsHa9TSyurpeF1LpYJqm84Yv
15DMMwLTqV4RmYpJZDoNUZvzNikX1m6j4R
bc1q4s9vnxa7a008rxcuus0fqk94dyc0r2z88cs6c4

======= END WALL OF SHAME =======

Again, if you received an ominous email about your device being hacked and it uses one of these bitcoin addresses, just know that I received one of those messages, too, and I never paid. Since I’m still here, posting this, obviously none of their doomsday prophecies came to pass - no mass email to my contacts, no embarassing footage, no ruined life… and no hacked device.


Hacked!? Again!?

TL;DR — I've received some more emails telling me that I've been hacked. Since I still don't believe them, I thought I'd make fun of another one instead.

👓 3 minutes

Since my last post about script-kiddies using spam to try and commit fake extortion, I’ve recevived plenty of other threatenting emails from lamers, so here’s another one from the (spam) vault:

From: [redacted-address]
To: [redacted-address]
Subject: Security Warning. Third party accessed to [redacted-address].

Hello!

I’m is very good coder.

Just not much of a writer, apparently.

I am known by my nickname finn29.

Look, man - I’ve known The Finn since 1984. And you, sir, are not The Finn.

I hacked this mailbox more than six months ago,
through it I infected your operating system with a virus (trojan) created by me and have been spying for you a very long time.

Somehow, I find this hard to believe.

I understand it is hard to believe, but you can check it yourself.
I’m sent this e-mail from your account. Try it yourself.

No, “you’re” didn’t send this email from my account. In fact, if I had to guess, you tried to send it from your parents’ basement (which I have the IP for, by the way), but my SPF rules caught it, flagged it, and dumped it into my spam folder. As they should have.

Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer
and automatically saved access for me.

I think you’ve been watching too much CSI: Cyber.

I have access to all your accounts, social networks, email, browsing history.
Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

Oh noes, all of the contacts stored on my computer? What is this, 1998?

I was most struck by the intimate content sites that you occasionally visit.
You have a very wild imagination, I tell you!

I do, actually, but not in the way you want.

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching.
Oh my god! You are so funny and excited!

I don’t even know what to say to that.

I think that you do not want all your contacts to get these files, right?
If you are of the same opinion, then I think that $643 is quite a fair price to destroy the dirt I created.

$600 to erase the pictures and videos you don’t have? What a bargain!

Send the above amount on my BTC wallet (bitcoin): 19kXyFbvetft819v4QV5g9vzrjwNqRtvgA
As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Well, you seem trustworthy, so I’m sure I can believe your “guarantee”.

Otherwise, these files and history of visiting sites will get all your contacts from your device.
Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it!

I’ve spent the last 10 minutes trying to figure out what he’s saying here, but I just can’t make sense of it.

Since reading this letter you have 48 hours!
After your reading this message, I’ll receive an automatic notification that you have seen the letter.

Doubtful, since it’s now been 96 hours since you sent the message, and my contacts still haven’t received anything from you. I mean, me. Whatever.

I hope I taught you a good lesson.
Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere!
Good luck!

Indeed, you have taught me a lesson: how not to extort money from someone.


Hacked!?

TL;DR — I recently received an email telling me that I've been hacked. Since I don't believe it, I thought I'd make fun of it instead.

👓 6 minutes

A couple of weeks ago, I was lucky enough to receive an #email telling me how one of my email accounts (and the devices associated with it) had been hacked. What’s more, this email appeared to be “From” the hacked accounts, a feat designed to help me understand just how serious of a threat this hacker is.

And I do understand - they’re a joke.

Now, I am not disrespecting “real” #hackers , the kind who are perfectly capable of destroying my bank account, doxxing my children, and generally ruining my life, so please, don’t take this as some kind of a challenge. Instead, I’m disrespecting a “script kiddie”, someone who can’t actually hack, and instead spends their time trying to fake it by scaring people who don’t understand the shiny magic boxes we commonly call computers (or, more generally, “devices”).

If you really wanna be a fake hacker, this book will tell you how!

Unfortunately for this lamer, I do understand these magic boxes enough to call their bluff, and have decided to post their weak-sauce attempt at extortion here (along with some commentary of my own). Although I’ve redacted the addresses that I received these messages from, I’ve kept most of the actual text of the messages intact, in hopes that someone searching for this text may come across this post and save themselves a truly unnecessary extortion payment.

The Email

From: [redacted-address]
To: [redacted-address]
Subject: [redacted-address] - this account has been hacked! Change all your passwords!

Hello!

Hi!

I have bad news for you.

Uh-oh.

19/07/2018 - on this day I hacked your operating system and got full access to your account [redacted-address]

Oh, noes! You hacked my operating system to get access to my email address?

Wait, how does that work?

It is useless to change the password, my malware intercepts it every time.

Wow, that’s some magical malware.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

I’ve always wondered how it was, so thanks for telling me.

By the way, I like how you use the generic term “device” - that must make it easier to mass-send bogus emails like this. I mean, which device associated with this email did you hack?

I only ask because… well, let’s not ruin the fun yet. 😉

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I’m talking about sites for adults.

I want to say - you are a big, big pervert. You have unbridled fantasy!!!

You know, I used to play bass for Unbridled Fantasy back in high school.

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I made a screenshot of your joys (using the camera of your device) and joined all together.
It turned out beautifully, do not doubt.

Both my favorite intimate website and my “joys”, together in one picture? I gotta see this!

By the way, thanks for telling me how beautiful my “joys” look, it’s not often that I get a complement like that.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.

And I am strongly belive that you’re not much of a writer. Or a hacker.

I think $741 is a very small amount for my silence.
Besides, I spent a lot of time on you!

OK, this just got weird.

I accept money only in Bitcoins.
My BTC wallet: 1H9bS7Zb6LEANLkM8yiF8EsoGEtMEeLFvC

But, what if I don’t know to replenish a Bitcoin wallet?

You do not know how to replenish a Bitcoin wallet?
In any search engine write “how to send money to btc wallet”.
It’s easier than send money to a credit card!

I don’t know, send money to a credit card is pretty easy.

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes … it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your “joys”.

Well, it’s been over a week since I opened the “letter” (approximately 168 hours, by my math), and so far, no “joys”.

I want you to be prudent.

  • Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
  • Do not try to contact me (this is not feasible, I sent you an email from your account)
  • Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

Yeah, here’s the thing about the email you “sent”: you didn’t actually send it, you just tried to send it (and you didn’t even bother to hide the source IP!), but my email handling rules caught it, flagged it, and dumped it into my #spam folder, which is why it took me over a week to notice it.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.

Well, you sure seem trustworthy, so I’m sure I can believe your “guarantee”. And your haxx0r “code of honor”.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don’t be mad at me, everyone has their own work.

Sure, if by “work” you mean “scaring technophobes from your parents’ basement”.

Farewell.

Bite me, lamer.

The Truth

Now, you may be asking yourself, “how does he know that his devices haven’t actually been hacked?” Well, in addition to all of the reasons raised above, there is one more I neglected to mention: the email account that this master haxx0r allegedly compromised isn’t even associated with any devices. It’s just a email address, plain and simple, and isn’t used for logging into any application or device anywhere on the #internet . What’s more, I’ve been sending out and posting resumes with this address for a few weeks now, and suspect that this is how this wannabe got their hands on it.

So, in the end, how can one try and minimize their exposure to hacking threats (especially fake ones)? Well, IANAHOSE, but these are some of the ways that I do it:

  • For years, I’ve tried to diversify my accounts, using different emails for different sites, and keeping those email addresses separate from the accounts I use on actual devices.
    • To make this work, I had to buy a domain name (which costs about $10 / year) and setup a catch-all (or “wildcard”) address. That way, I can use anything I want for the “local-part” of the email address (aka the portion before the “@” symbol), and I’ll still get it at my main address (which I don’t typically share).
  • Likewise, I diversify my passwords, using a different password for each site / device. The easiest way to do this is with a good password manager.
  • I also try to keep good backups, so if my devices do get hacked, I can wipe and restore them (relatively) easily.
  • Finally, as alluded to above, I have Sender Policy Framework (SPF) rules setup to work with my domain, which helps to prevent others from sending unauthorized emails from an account I own.

Always try to remember: No matter how scary an email may look, don’t believe everything that you read. Many (if not most) are from fakers just like this one, and are nothing more than poorly-weaponized spam. And, just like with regular spam, the only proper (and safe) way to react is to ignore it completely.


Failing Me Softly with SPF

TL;DR — The joys of the Sender Policy Framework and the (apparent) difficulties of implementing it correctly.

👓 3 minutes

About a year ago, I started receiving some fairly odd email messages: some originating from my own domain (itsericwoodward.com), and many originating from my own email address!

Most of these emails were obvious spam (or were themselves the product of spam, such as failure messages from external domains where the spam had been sent), and I started panicking: had I been hacked?

As I dug into the issue, I discovered that no, I hadn’t been hacked, but that my domain was just blindly accepting requests to send email. That’s when I first learned about SPF (Sender Policy Framework), “an open standard specifying a technical method to prevent sender address forgery.” Basically, to use SPF, I (as the domain owner) simply had to add a single TXT record to my domain information that indicated what servers could actually send email from my domain, and all others would be rejected. So, after fiddling around with the format for a while, I found my hosts’s recommended record (name changed to protect the innocent):

v=spf1 a mx include:mail.example.com ~all

Needless to say, I added it to my domain record, and bam – overnight, nearly all of the spam stopped flowing.

So, I went about my merry way, figuring I had solved the issue. I even added this record to the other domains that I own, since it had worked so well with the first one.

But it turns out that I was wrong.

Although I stopped receiving messages the messages from myself, every now and then I’d get a failure notice about an email coming from one of my domains being unsendable. When I’d get these, I’d think, “huh, I thought I fixed that,” and then I’d forget about it and move on to something else.

Then, just the other day, I received an email from me, to (another) me, telling me that I had a voicemail from an international number (it even helpfully suggested that “You might want to check it when you get a chance.”). And I thought, “wait a minute, didn’t I already fix this?”.

So, this time, rather than forgetting about it, I actually took a moment to look at the header, and that’s when I saw this (again, name changed):

softfail (mail.example.com: domain of transitioning xxxxxx@example.com
  does not designate 192.0.2.1 as permitted sender)

So, I went back to the SPF site again, and that’s when I learned that the server could not only reply with “pass” and “fail”, but a whole cornucopia of messages:

Received-SPF: softfail (mybox.example.org: domain of transitioning
   myname@example.com does not designate 192.0.2.1 as permitted sender)

Received-SPF: neutral (mybox.example.org: 192.0.2.1 is neither permitted
   nor denied by domain of myname@example.com)

Received-SPF: none (mybox.example.org: domain of myname@example.com does
   not designate permitted sender hosts)

Received-SPF: permerror -extension:foo (mybox.example.org: domain of
   myname@example.com uses mechanism not recognized by this client)

Received-SPF: temperror (mybox.example.org: error in processing during
   lookup of myname@example.com: DNS timeout)

The next obvious question is “why?” (well, that and “what the hell does transitioning mean?”).

It turns out that my host either misinterpreted the SPF spec, or tried to protect their users from themselves. Apparently, the presence of the tilde (“~”) in a record indicates that the domain is in transition to SPF - it’s designed for large email providers and corporations to let them start transitioning to SPF without forcing hard failures on every email that originates from an unlisted server (the idea is that the email owner would collect these softfails, verify the IPs are valid, and then add them to the SPF record). Oops.

Fortunately, I now knew what to do to fix the problem: replace the tilde with a dash (“-”):

v=spf1 a mx include:mail.example.com -all

A few hours later, problem solved, and no more spam from my domain (so far).

Based on my reading, I’m not the only one that made this mistake, and since SPF has been around for a few years (and is implemented, in some for or another, on most corporate domains), I can only imagine how many other domains using an incomplete / incorrect implementation of it (based on the number of F*-buddy requests and Canadian pharmaceutical offers I still get, I’d imagine that number to be fairly high).

So, if you own one or more domains, please do everyone a favor and implement SPF for your email. And if you aren’t using a ton of different mail servers (wherein you might not be able to list them all in your TXT record), skip the tilde and go straight for the dash.

The internet will thank you for it.