[ale] Those "You've been hacked" emails

Lightner, Jeffrey JLightner at dsservices.com
Mon Mar 25 09:21:02 EDT 2019


You can ask to meet at a discreet location and let them hand you the thumb drive as you hand them the untraceable gift cards.  :-)

Funny thread – I just reported a bogus “Your Office 365 account has expired” email to GoDaddy abuse last week as all signs suggested it came from a newly updated domain there.   First time I’ve sent to an abuse address in quite a while.

That email purported to come from <blah>.<blah>.<blah>.prod.outlook.com but had 10.x.x.x addresses for those names.  Unfortunately, legitimate Office 365 mail originates from a plethora of such *.prod.outlook.com names, none of which are resolvable, so there’s no way to confirm a real name from a fake one such as those (2) seen in this email.   The fact it displayed 10.x.x.x addresses was telling, but the most obvious tell, embedded in the headers, was a domain name that has nothing to do with Microsoft.

Maybe the next person who reports they got one of the emails about “we know where you’ve been surfing” I’ll ask to give me a list of sites they remember, to see if they do, in true BOFH fashion.

From: Ale <ale-bounces at ale.org> On Behalf Of Jim Kinney via Ale
Sent: Monday, March 25, 2019 7:46 AM
To: dev null zero two <dev.null.02 at gmail.com>; Atlanta Linux Enthusiasts <ale at ale.org>; dev null zero two via Ale <ale at ale.org>; Alex Carver <agcarver+ale at acarver.net>
Subject: Re: [ale] Those "You've been hacked" emails

Those lying scumbags. Won't tell me what video I was watching. Won't even send teaser of what they claim to have. Just keep demanding money. Like I'm gonna pay upfront without knowing what I'm getting.
On March 25, 2019 12:00:44 AM EDT, dev null zero two via Ale <ale at ale.org> wrote:
I meant to direct my reply to OP, sorry.

On Mon, Mar 25, 2019 at 12:00 AM Alex Carver <agcarver+ale at acarver.net> wrote:
Right, that's why it's a "hacked machine" :)

On 2019-03-24 20:58, dev null zero two wrote:
> 99% chance it's sent from a compromised server.
>
> On Sun, Mar 24, 2019 at 11:56 PM Alex Carver via Ale <ale at ale.org> wrote:
>
>> I got a raft of them sent to my personal server from various hacked
>> machines.  A bunch in Brazil, one at Digital Ocean, another at Amazon
>> EC2.  In my case they always wrote the from and to to be the same
>> address so I added another ACL to the mail server to block anything that
>> came from the outside and claimed to be from me and to me.  It all went
>> away after that.
>>
>> Of course these started showing up long after I had already been
>> blocking entire netblocks for abuse (hundreds of relay attempts per
>> minute) so I may have already been ignoring some sources.
>>
>> On 2019-03-24 19:39, Ben Coleman via Ale wrote:
>>> I'm sure you've gotten them - those emails claiming that they've hacked
>>> you, and have video evidence of your activities while you're (ehem)
>>> interacting with certain sites, and that this evidence can all go away
>>> if you'll only deposit a certain amount of money into their bitcoin
>>> account.  The latest tack they've been taking is to combine your email
>>> with those caches of passwords from various exploits so they can appear
>>> to know your passwords (yeah, one I used 10 years ago).
>>>
>>> But what I didn't realize was how inexperienced (at least some of) these
>>> guys are at the actual spamming game.  On a whim, I popped up the
>>> headers for one of these (I've been amused before on how, for example,
>>> some of these claim to have included a 'tracking pixel' on what is
>>> actually a text/plain email).  To my surprise, there was but one
>>> Received header.  Straight from their server to mine (well, they did try
>>> to spoof the HELO to look like it was an outlook mail server, but if you
>>> know anything about Received headers, you know to ignore that).  No
>>> obfuscation of the headers at all.  And it was in the network of a VPS
>>> vendor.  Now, it's possible that someone's had their VPS hacked, but
>>> since this whole faux extortion thing is really script-kiddie level
>>> stuff, it wouldn't surprise me if someone was stupid enough to send this
>>> stuff out from their own VPS.
>>>
>>> I felt transported back to the early 2000s when it was actually useful
>>> to read Received headers, figure out where an email came from (even if
>>> the spammer tried to inject bogus Received headers), and report it to
>>> their ISP, with results (usually the spammer account shut down - I've
>>> got my share of "positive" results, including one from Afterburner (for
>>> those who remember him)).  Those days pretty much went away when the
>>> spammers joined up with the botnet crowd.
>>>
>>> So, I sent off a report to the VPS vendor's abuse account.  And went and
>>> found another that originated off of an Amazon EC2 and shot off a report
>>> to Amazon's abuse account.  Don't know yet if this will do any good.
>>> But if any other ALEers have a nostalgic spot for the early
>>> antispamming days, this may be a place where you can play again.
>>>
>>> Ben
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>
--
Sent from my mobile. Please excuse the brevity, spelling, and punctuation.

--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
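As an added example (not code from anyone in this thread, nor from any tool mentioned in it): a small Python triage script that applies the checks the posts above describe: walk the Received chain from the hop our own relay wrote, ignore the client-supplied HELO, flag RFC 1918 addresses in hops that claim to be Internet hosts, flag mail from outside that is addressed from us to us, and flag a "tracking pixel" claim in a text/plain body. It assumes Postfix-style Received headers and a single trusted relay named mail.example.net; both messages, every host name and every address in it are constructed for illustration.

```python
"""Triage a "you've been hacked" mail from its Received chain. Each relay
prepends its own Received header, so the top hops were written by our own MTA
and the last of those records the IP that actually connected from outside;
anything below it was supplied by the sender and may be forged, and the HELO
name in every hop is just what the connecting client claimed."""
import email
import email.utils
import ipaddress
import re

# Constructed samples, not real messages: 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, every host name is made up, mail.example.net is our relay.
SEXTORTION = b"""\
Received: from eur00-xx0-obe.outbound.protection.outlook.com (unknown [203.0.113.45])
\tby mail.example.net (Postfix) with ESMTP id 4A1B2C3D4E
\tfor <alice@example.net>; Sun, 24 Mar 2019 19:10:12 -0400 (EDT)
From: alice@example.net
To: alice@example.net
Subject: Your account has been hacked
Content-Type: text/plain; charset=us-ascii

I placed a tracking pixel in this letter. Pay 0.3 BTC within 48 hours.
"""

O365_PHISH = b"""\
Received: from smtp.newly-registered.example (smtp.newly-registered.example [198.51.100.7])
\tby mail.example.net (Postfix) with ESMTP id 5F6E7D8C9B
\tfor <alice@example.net>; Mon, 18 Mar 2019 08:02:41 -0400 (EDT)
Received: from AB1PR00CA0001.prod.outlook.com (10.20.30.40) by
\tAB1PR00MB0002.prod.outlook.com (10.20.30.41) with Microsoft SMTP Server
\tid 15.20.1709.11; Mon, 18 Mar 2019 12:02:39 +0000
From: "Microsoft Office 365" <no-reply@office365-renewals.example>
To: alice@example.net
Subject: Your Office 365 account has expired
Content-Type: text/plain; charset=us-ascii

Your subscription has expired. Renew at http://office365-renewals.example/
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"((?:\d{1,3}\.){3}\d{1,3})")  # IPv4 only, to keep this short
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """10/8, 172.16/12, 192.168/16: never a host that reached us over the Internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_received(raw):
    """One dict per Received header, top (most recently added) first."""
    hops = []
    for value in email.message_from_bytes(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = IPV4_RE.search(paren)
        rdns = IPV4_RE.sub("", paren).strip(" []") or None  # Postfix: "rdns [ip]"
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None,
                     "rdns": None if rdns in (None, "unknown") else rdns})
    return hops


def assess(raw, trusted_by=("mail.example.net",)):
    """Locate the hop our own relay wrote, then list the tells from the thread."""
    msg = email.message_from_bytes(raw)
    hops = parse_received(raw)
    report = {"hops": len(hops), "entry_ip": None, "entry_helo": None, "findings": []}
    tells = report["findings"]
    n = 0                                  # leading hops written by relays we trust
    while n < len(hops) and hops[n]["by"].lower() in trusted_by:
        n += 1
    if n == 0:
        tells.append("no-trusted-hop")     # nothing here was recorded by our relay
        return report
    entry = hops[n - 1]                    # last trusted hop = the outside connection
    report["entry_ip"], report["entry_helo"] = entry["ip"], entry["helo"]
    if len(hops) == 1:
        tells.append("single-hop")         # sender connected straight to us
    if entry["ip"] and is_rfc1918(entry["ip"]):
        tells.append("private-entry-ip")
    if entry["rdns"] is None or entry["rdns"].lower() != entry["helo"].lower():
        tells.append("helo-rdns-mismatch") # HELO is client-chosen; rDNS was our lookup
    for hop in hops[n:]:                   # sender-supplied hops cannot be verified
        if hop["ip"] and is_rfc1918(hop["ip"]):
            tells.append("sender-hop-private-ip")
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    rcpt = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == rcpt:
        tells.append("self-addressed")     # outside mail claiming to be from us, to us
    if msg.get_content_type() == "text/plain":
        body = msg.get_payload(decode=True).decode("ascii", "replace").lower()
        if "tracking pixel" in body:
            tells.append("pixel-claim-in-text-plain")
    return report
```

Calling assess(SEXTORTION) reports the 203.0.113.45 connection with single-hop, helo-rdns-mismatch, self-addressed and pixel-claim-in-text-plain; assess(O365_PHISH) reports the real entry as smtp.newly-registered.example [198.51.100.7] and flags the sender-supplied *.prod.outlook.com hop at 10.20.30.40 as unverifiable. The IP to put in an abuse report is always report["entry_ip"], the one our own relay recorded, never the HELO name and never an address from a hop below it.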