
“Change your password qwerty immediately. You have been hacked.” - tbodt
https://lkml.org/lkml/2018/10/31/412
======
nwellnhof
I've been getting these emails for a while now. If you realize that it's just
a scam, they're providing a service similar to Have I Been Pwned, delivered
directly to your inbox!

------
jermaustin1
They've earned nearly 3BTC off of this scam if BitRef is accurate:
[https://bitref.com/15ZHnf1MPn6ybb8yUeAoCQ1AJtiKhg3NrP](https://bitref.com/15ZHnf1MPn6ybb8yUeAoCQ1AJtiKhg3NrP)

~~~
LeoPanthera
Assuming they didn't move any of their own money to their own address.

~~~
ASalazarMX
For some reason, several addresses have their first transaction for the
equivalent of a few cents USD. Some also leave change when cashing out. I wish
they cleaned up properly, because if the address is disposable, those
fractions of btc are lost forever.

------
asveikau
I have been getting a variation of this email for months sent to
mailer-daemon@ on a mail server on a VM that hosts absolutely no personal
information or credential about anyone.

If you Google some phrases from it, it seems like it's been going around nearly
verbatim for years.

I think they are probing for mail servers which don't try to force any kind of
authentication on From: headers. So mailing lists would probably be a fit for
them. They have no idea who their targets are. They are just looking for
gullible people to scam.

~~~
eridius
Note how this email includes a password. This particular form of scam relies
on taking weak passwords acquired from database dumps and sending the scam
email to the password owner, in the hopes that they'll recognize the password
and think the email is legitimate (this is especially effective if the owner
reuses passwords).

I'm not sure how a mailing list would end up in a dump like that though, as
people don't generally sign up for sites using addresses belonging to mailing
lists.

~~~
asveikau
I wouldn't discount the idea that they made up a password rather than got it
in a database dump. Even an incorrect password might be enough to freak
somebody out.

I think these are not terribly sophisticated actors, they're running some
scripts and looking for someone gullible enough to give them hundreds of
dollars worth of Bitcoin based on what is in the end a pretty far fetched
story.

~~~
eridius
Every previous instance of this particular scam I've seen mentioned before
used a password that the recipient recognized.

I personally received this exact email just the other day, containing a
password that I confirmed I actually used a very long time ago on a
now-defunct site (which was known to be in at least one password dump).

I don't buy the "an incorrect password might freak someone out" argument,
because the whole point of this scam is that the recipient recognizes the
password. Without that password recognition, the inclusion of the password is
harmful (because it proves the sender is full of shit) and at best makes the
email have no more persuasive power than one that didn't include a password at
all.

~~~
asveikau
Hm. The mails my mailer-daemon account gets have a nearly identical message
body but do not mention a specific password.

People do freak out and miss details. Kind of like what people say about 419
scams having poor grammar and spelling. This somewhat ensures that respondents
are people who don't read carefully.

------
jandrese
I'm surprised it doesn't include a link to a "security site" with a domain
like "passwordcheck.ru" to verify that the new password is secure.

The thing that confuses me about this is that it includes the password.
Certainly most people would go "that's not my password" and ignore it. Are
they trying to filter out the results to only people with atrocious passwords?

~~~
nullvariable
Actually, they've been using passwords from dumps. I got a similar email and it
actually had an old password in it.

~~~
seanalltogether
Same, it kind of freaked me out to see a password I used regularly being sent
to me in a spam email. Apparently mine came from the Dropbox hack.

------
1001101
Ouch [1]

I like the cut of whoever sent 0.00000666 BTC's jib.

[1]
[https://www.blockchain.com/btc/address/15ZHnf1MPn6ybb8yUeAoC...](https://www.blockchain.com/btc/address/15ZHnf1MPn6ybb8yUeAoCQ1AJtiKhg3NrP)

------
raintrees
> This is a hacker code of honor.

Had me right there. The entertainment value alone would be worth it, if I did
not also have to calm down those (few) of my clients who are a little more,
shall we say, persuadable?

Then out comes the "good security practices" text, along with credit card
monitoring recommendations text, etc.

"I know it's true, 'cause I saw it on tv." - John Fogerty

~~~
1023bytes
> From now on, I advise you to use good antiviruses and update them regularly
> (several times a day)!

This is my favorite

------
monksy
What happens if you keep sending them more "incriminating information/pics"?

------
DyslexicAtheist
A lot of people get this spam. I received a similar one. It's spam filter
configuration of lkml and I doubt that it is an actual targeted attack.

> After that, I made a full dump of your disk (I have all your address book,
> history of viewing sites, all files, phone numbers and addresses of all your
> contacts).

> I made a screenshot of the intimate website where you have fun (you know
> what it is about, right?). After that, I took off your joys (using the camera
> of your device). It turned out beautifully, do not hesitate.

+1 for social engineering.

and very similar to the thousands of other such mails sent out every day by
scammers.

~~~
mindslight
I'm guessing a lot of people aren't familiar with this recent spam.

They're using email/password combinations from lists of leaked accounts. I use
a distinct email address for every site (qmail's scheme: x-foo@mydomain), and
so the setup was very transparent to me. But I can see the technique totally
working on a basic user who reuses passwords and email addresses.

------
PascLeRasc
> Do not worry, the timer will start at the moment when you open this letter.
> Yes, yes .. it has already started!

The most impressive part of this hack is that he got read receipts for emails!

~~~
bjnord
It turned out beautifully, do not hesitate.

------
schaefer
The mysterious individual extorting me assures me that paying their ransom via
bitcoin is even easier than a credit card transaction.

How informative and thoughtful of them.

------
nullvariable
according to blockchain dot com,

Total Received 2.98619488 BTC (apx $19k USD)

So not an unsuccessful campaign I guess

~~~
calibas
So now that all the crimes are a matter of public record, how do they get the
money out without it being traced directly back to them? Shady local
exchanges?

~~~
LyndsySimon
Wash it through an exchange for Monero or similar privacy-oriented currency,
then back to Bitcoin/Ethereum/etc.

------
jamieweb
I've seen similar emails in my DMARC rejected email reports.

The unique thing about these ones is that they send it from your own address.
I.e. they spoof your address so that it looks like your account really has
been compromised.

Like this:

From: me@example.com

To: me@example.com
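
The pattern described in the comment above (From and To carrying the same address, with the message failing DMARC) can be checked mechanically on the receiving side. This is an added example, not part of the original thread: the sample message, the `mx.example.com` host and the placeholder Bitcoin address are constructed, and the function name is hypothetical.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Legacy (base58) and bech32 Bitcoin address shapes; a format check only.
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")

PLACEHOLDER_ADDR = "1" + "A" * 33  # constructed, not a real wallet

# Constructed sample, not a captured message.
SAMPLE = (
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
    " dmarc=fail header.from=example.com\n"
    "From: me@example.com\n"
    "To: me@example.com\n"
    "Subject: You have been hacked\n"
    "Content-Type: text/plain\n"
    "\n"
    f"Send the payment to {PLACEHOLDER_ADDR} within 48 hours.\n"
)

def _addrs(msg, name):
    """Lower-cased addr-specs from every instance of header `name`."""
    values = [str(v) for v in msg.get_all(name, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def extortion_indicators(raw):
    """Return the indicators present in one RFC 5322 message, in fixed order."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    # Sender spoofed to equal the recipient, as in the From/To pair above.
    if _addrs(msg, "From") & _addrs(msg, "To"):
        found.append("self-addressed")
    # Only trust Authentication-Results added by your own receiving MTA.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    if re.search(r"\bdmarc=fail\b", auth, re.I):
        found.append("dmarc=fail")
    # Payment demand: any Bitcoin-address-shaped token in the text body.
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is not None and BTC_RE.search(part.get_content()):
        found.append("btc-address")
    return found

if __name__ == "__main__":
    print(extortion_indicators(SAMPLE))
```

A message you genuinely send to yourself passes DMARC, so "self-addressed" alone is not a verdict; the combination with a DMARC failure is what separates the spoof.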

------
X6S1x6Okd1st
That btc address started receiving txs last month and has almost 3 BTC in it.
At time of writing that is worth ~20k USD

------
raverbashing
So I guess the question is: was the password for that email ever qwerty or how
did it end up there?

------
antocv
This is spam, people, how easily fooled are you!?

